Skip to content

Hide Navigation Hide TOC

Edit

Threat Actor

Known or estimated adversary groups targeting organizations and employees. Adversary groups are regularly confused with their initial operation or campaign. threat-actor-classification meta can be used to clarify the understanding of the threat-actor if also considered as operation, campaign or activity group.

Authors
Authors and/or Contributors
Alexandre Dulaunoy
Florian Roth
Thomas Schreck
Timo Steffens
Various

APT1

PLA Unit 61398 (Chinese: 61398部队, Pinyin: 61398 bùduì) is the Military Unit Cover Designator (MUCD)[1] of a People's Liberation Army advanced persistent threat unit that has been alleged to be a source of Chinese computer hacking attacks

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT1.

Known Synonyms
Brown Fox
Byzantine Candor
COMMENT PANDA
Comment Crew
Comment Group
G0006
GIF89a
Group 3
PLA Unit 61398
ShadyRAT
TG-8223
Internal MISP references

UUID 1cb7e1cc-d695-42b1-92f4-fd0112a3c9be which can be used as unique global reference for APT1 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'Taiwan', 'Israel', 'Norway', 'United Arab Emirates', 'United Kingdom', 'Singapore', 'India', 'Belgium', 'South Africa', 'Switzerland', 'Canada', 'France', 'Luxembourg', 'Japan']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

Nitro

These attackers were the subject of an extensive report by Symantec in 2011, which termed the attackers Nitro and stated: 'The goal of the attackers appears to be to collect intellectual property such as design documents, formulas, and manufacturing processes. In addition, the same attackers appear to have a lengthy operation history including attacks on other industries and organizations. Attacks on the chemical industry are merely their latest attack wave. As part of our investigations, we were also able to identify and contact one of the attackers to try and gain insights into the motivations behind these attacks.' Palo Alto Networks reported on continued activity by the attackers in 2014.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nitro.

Known Synonyms
Covert Grove
Internal MISP references

UUID 0b06fb39-ed3d-4868-ac42-12fff6df2c80 which can be used as unique global reference for Nitro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
targeted-sector ['Chemical']

Dust Storm

Threat actors behind the Operation Dust Storm have been active since at least 2010, the hackers targeted several organizations in Japan, South Korea, the US, Europe, and other Asian countries.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dust Storm.

Known Synonyms
G0031
Internal MISP references

UUID 9e71024e-817f-45b0-92a0-d886c30bc929 which can be used as unique global reference for Dust Storm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

WET PANDA

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WET PANDA.

Known Synonyms
Red Chimera
Internal MISP references

UUID ba8973b2-fd97-4aa7-9307-ea4838d96428 which can be used as unique global reference for WET PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

FOXY PANDA

Adversary group targeting telecommunication and technology organizations.

Internal MISP references

UUID 41c15f08-a646-49f7-a644-1bebbf7a4dcd which can be used as unique global reference for FOXY PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
targeted-sector ['Technology', 'Telecoms']

PREDATOR PANDA

Internal MISP references

UUID 1969f622-d64a-4436-9a34-4c47fcb2535f which can be used as unique global reference for PREDATOR PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

UNION PANDA

Internal MISP references

UUID 7195b51f-500e-4034-a851-bf34a2728dc8 which can be used as unique global reference for UNION PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

SPICY PANDA

Internal MISP references

UUID 4959652d-72fa-46e4-be20-4ec686409bfb which can be used as unique global reference for SPICY PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

ELOQUENT PANDA

Internal MISP references

UUID 432b0304-768f-4fb9-9762-e745ef524ec7 which can be used as unique global reference for ELOQUENT PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

DIZZY PANDA

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DIZZY PANDA.

Known Synonyms
LadyBoyle
Internal MISP references

UUID 8a8f39df-74b3-4946-ab64-f84968bababe which can be used as unique global reference for DIZZY PANDA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value

Grayling

Grayling activity was first observed in early 2023, when a number of victims were identified with distinctive malicious DLL side-loading activity. Grayling appears to target organisations in Asia, however one unknown organisation in the United States was also targeted. Industries targeted include Biomedical, Government and Information Technology. Grayling use a variety of tools during their attacks, including well known tools such as Cobalt Strike and Havoc and also some others.

Internal MISP references

UUID 6714de29-4dd8-463c-99a3-77c9e80fa47d which can be used as unique global reference for Grayling in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Taiwan', 'United States', 'Vietnam', 'Solomon Islands']
cfr-target-category ['Biomedical', 'Government', 'Information technology']
country CN

APT2

Putter Panda were the subject of an extensive report by CrowdStrike, which stated: 'The CrowdStrike Intelligence team has been tracking this particular unit since2012, under the codename PUTTER PANDA, and has documented activity dating back to 2007. The report identifies Chen Ping, aka cpyy, and the primary location of Unit 61486.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT2.

Known Synonyms
4HCrew
G0024
MSUpdater
PLA Unit 61486
PUTTER PANDA
SULPHUR
SearchFire
TG-6952
Internal MISP references

UUID 0ca45163-e223-4167-b1af-f088ed14a93d which can be used as unique global reference for APT2 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['U.S. satellite and aerospace sector']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

APT3

Symantec described UPS in 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeyes focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT3.

Known Synonyms
BORON
BRONZE MAYFAIR
Boyusec
Buckeye
GOTHIC PANDA
Group 6
Red Sylvan
TG-0110
UPS
Internal MISP references

UUID d144c83e-2302-4947-9e24-856fbf7949ae which can be used as unique global reference for APT3 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'United Kingdom', 'Hong Kong']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Political party']
Related clusters

To see the related clusters, click here.

DarkHotel

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkHotel.

Known Synonyms
APT-C-06
ATK52
DUBNIUM
Fallout Team
G0012
Karba
Luder
Nemim
Nemin
Pioneer
SIG25
Shadow Crane
T-APT-02
TUNGSTEN BRIDGE
Tapaoux
Zigzag Hail
Internal MISP references

UUID b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d which can be used as unique global reference for DarkHotel in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Korea (Republic of)
cfr-suspected-victims ['Japan', 'Russia', 'Taiwan', 'South Korea', 'China']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country KR
Related clusters

To see the related clusters, click here.

APT12

A group of China-based attackers, who conducted a number of spear phishing attacks in 2013.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT12.

Known Synonyms
BRONZE GLOBE
BeeBus
Calc Team
Crimson Iron
DNSCalc
DynCalc
Group 22
IXESHE
NUMBERED PANDA
TG-2754
Internal MISP references

UUID 48146604-6693-4db1-bd94-159744726514 which can be used as unique global reference for APT12 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Taiwan', 'Japan']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

APT16

Between November 26, 2015, and December 1, 2015, known and suspected China-based APT groups launched several spear-phishing attacks targeting Japanese and Taiwanese organizations in the high-tech, government services, media and financial services industries. Each campaign delivered a malicious Microsoft Word document exploiting the aforementioned EPS dict copy use-after-free vulnerability, and the local Windows privilege escalation vulnerability CVE-2015-1701. The successful exploitation of both vulnerabilities led to the delivery of either a downloader that we refer to as IRONHALO, or a backdoor that we refer to as ELMER.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT16.

Known Synonyms
G0023
SVCMONDR
Internal MISP references

UUID 1f73e14f-b882-4032-a565-26dc653b0daf which can be used as unique global reference for APT16 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Japan', 'Taiwan']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country CN

APT17

FireEye described APT17 in a 2015 report as: 'APT17, also known as DeputyDog, is a China based threat group that FireEye Intelligence has observed conducting network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT17.

Known Synonyms
AURORA PANDA
Axiom
BRONZE KEYSTONE
Dogfish
G0001
G0025
Group 72
Group 8
HELIUM
Hidden Lynx
Tailgater Team
Internal MISP references

UUID 99e30d89-9361-4b73-a999-9e5ff9320bcb which can be used as unique global reference for APT17 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'Netherlands', 'Italy', 'Japan', 'United Kingdom', 'Belgium', 'Russia', 'Indonesia', 'Germany', 'Switzerland', 'China']
cfr-target-category ['Government', 'Private sector', 'Civil society']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Defense', 'Intelligence', 'Technology', 'Mining', 'Government, Administration', 'Justice']
Related clusters

To see the related clusters, click here.

APT18

Wekby was described by Palo Alto Networks in a 2015 report as: 'Wekby is a group that has been active for a number of years, targeting various industries such as healthcare, telecommunications, aerospace, defense, and high tech. The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeams Flash zero - day exploit.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT18.

Known Synonyms
DYNAMITE PANDA
G0026
PLA Navy
SCANDIUM
TG-0416
Wekby
Internal MISP references

UUID 9a683d9c-8f7d-43df-bba2-ad0ca71e277c which can be used as unique global reference for APT18 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States']
cfr-target-category ['Government', 'Private sector', 'Civil society']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Aerospace', 'Defense', 'Health', 'High tech', 'Telecoms']
Related clusters

To see the related clusters, click here.

APT19

Adversary group targeting financial, technology, non-profit organisations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT19.

Known Synonyms
BRONZE FIRESTONE
Black Vine
Codoso
DEEP PANDA
G0009
G0073
Group 13
KungFu Kittens
PinkPanther
Pupa
Shell Crew
Sunshop Group
TEMP.Avengers
WebMasters
Internal MISP references

UUID 066d25c1-71bd-4bd4-8ca7-edbba00063f4 which can be used as unique global reference for APT19 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States']
cfr-target-category ['Private sector', 'Military']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Technology', 'Finance', 'Non-profit organisation']
Related clusters

To see the related clusters, click here.

Naikon

Kaspersky described Naikon in a 2015 report as: 'The Naikon group is mostly active in countries such as the Philippines, Malaysia, Cambodia, Indonesia, Vietnam, Myanmar, Singapore, and Nepal, hitting a variety of targets in a very opportunistic way.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Naikon.

Known Synonyms
BRONZE GENEVA
BRONZE STERLING
Camerashy
G0013
G0019
Naikon
OVERRIDE PANDA
PLA Unit 78020
Internal MISP references

UUID 2f1fd017-9df6-4759-91fb-e7039609b5ff which can be used as unique global reference for Naikon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['India', 'Saudi Arabia', 'Vietnam', 'Myanmar', 'Singapore', 'Thailand', 'Malaysia', 'Cambodia', 'China', 'Philippines', 'South Korea', 'United States', 'Indonesia', 'Laos']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

APT30

APT30 is a threat group suspected to be associated with the Chinese government. While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT30.

Known Synonyms
G0013
Internal MISP references

UUID d3881afe-f781-4c53-9f68-33487a119a59 which can be used as unique global reference for APT30 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'South Korea', 'Saudi Arabia', 'Thailand', 'Vietnam', 'Malaysia', 'India']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

LOTUS PANDA

Lotus Blossom is a threat group that has targeted government and military organizations in Southeast Asia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LOTUS PANDA.

Known Synonyms
ATK1
BRONZE ELGIN
DRAGONFISH
G0030
Lotus BLossom
Red Salamander
ST Group
Spring Dragon
Internal MISP references

UUID 32fafa69-fe3c-49db-afd4-aac2664bcf0d which can be used as unique global reference for LOTUS PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Japan', 'Philippines', 'Hong Kong', 'Indonesia', 'Taiwan', 'Vietnam']
cfr-target-category ['Military', 'Government']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Military', 'Government, Administration']
Related clusters

To see the related clusters, click here.

HURRICANE PANDA

We have investigated their intrusions since 2013 and have been battling them nonstop over the last year at several large telecommunications and technology companies. The determination of this China-based adversary is truly impressive: they are like a dog with a bone. HURRICANE PANDA's preferred initial vector of compromise and persistence is a China Chopper webshell – a tiny and easily obfuscated 70 byte text file that consists of an ‘eval()’ command, which is then used to provide full command execution and file upload/download capabilities to the attackers. This script is typically uploaded to a web server via a SQL injection or WebDAV vulnerability, which is often trivial to uncover in a company with a large external web presence. Once inside, the adversary immediately moves on to execution of a credential theft tool such as Mimikatz (repacked to avoid AV detection). If they are lucky to have caught an administrator who might be logged into that web server at the time, they will have gained domain administrator credentials and can now roam your network at will via ‘net use’ and ‘wmic’ commands executed through the webshell terminal.

Internal MISP references

UUID 0286e80e-b0ed-464f-ad62-beec8536d0cb which can be used as unique global reference for HURRICANE PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
targeted-sector ['Technology', 'Telecoms']

APT27

A China-based actor that targets foreign embassies to collect data on government, defence, and technology sectors.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT27.

Known Synonyms
BRONZE UNION
Budworm
EMISSARY PANDA
Earth Smilodon
G0027
GreedyTaotie
Group 35
Iron Taurus
Iron Tiger
Lucky Mouse
Red Phoenix
TEMP.Hippo
TG-3390
ZipToken
Internal MISP references

UUID 834e0acd-d92a-4e38-bb14-dc4159d7cb32 which can be used as unique global reference for APT27 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['United States', 'United Kingdom', 'France', 'Japan', 'Taiwan', 'India', 'Canada', 'China', 'Thailand', 'Israel', 'Australia', 'Republic of Korea', 'Russia', 'Iran', 'Turkey']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Technology', 'Government, Administration', 'Defense']
Related clusters

To see the related clusters, click here.

APT10

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT10.

Known Synonyms
ATK41
BRONZE RIVERSIDE
CVNX
Cloud Hopper
G0045
Granite Taurus
HOGFISH
Menupass Team
POTASSIUM
Red Apollo
STONE PANDAD
TA429
happyyongzi
Internal MISP references

UUID 56b37b05-72e7-4a89-ba8a-61ce45269a8c which can be used as unique global reference for APT10 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Japan', 'India', 'South Africa', 'South Korea', 'Sweden', 'United States', 'Canada', 'Australia', 'France', 'Finland', 'United Kingdom', 'Brazil', 'Thailand', 'Switzerland', 'Norway']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

Hellsing

This threat actor uses spear-phishing techniques to compromise diplomatic targets in Southeast Asia, India, and the United States. It also seems to have targeted the APT 30. Possibly uses the same infrastructure as Mirage

Internal MISP references

UUID af482dde-9e47-48d5-9cb2-cf8f6d6303d3 which can be used as unique global reference for Hellsing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Malaysia', 'Indonesia', 'Philippines', 'United States', 'India']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Infrastructure', 'Diplomacy']

Night Dragon

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Night Dragon.

Known Synonyms
G0014
Internal MISP references

UUID b3714d59-b61e-4713-903a-9b4f04ae7f3d which can be used as unique global reference for Night Dragon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
Related clusters

To see the related clusters, click here.

APT15

This threat actor uses phishing techniques to compromise the networks of foreign ministries of European countries for espionage purposes.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT15.

Known Synonyms
BRONZE DAVENPORT
BRONZE IDLEWOOD
BRONZE PALACE
G0004
Ke3Chang
Lurid
Metushy
Mirage
NICKEL
Nylon Typhoon
Playful Dragon
Red Vulture
Royal APT
Social Network Team
VIXEN PANDA
Internal MISP references

UUID 3501fbf2-098f-47e7-be6a-6b0ff5742ce8 which can be used as unique global reference for APT15 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['European Union', 'India', 'United Kingdom', 'Germany']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Government, Administration']
Related clusters

To see the related clusters, click here.

APT14

PLA Navy Anchor Panda is an adversary that CrowdStrike has tracked extensively over the last year targeting both civilian and military maritime operations in the green/brown water regions primarily in the area of operations of the South Sea Fleet of the PLA Navy. In addition to maritime operations in this region, Anchor Panda also heavily targeted western companies in the US, Germany, Sweden, the UK, and Australia, and other countries involved in maritime satellite systems, aerospace companies, and defense contractors. Not surprisingly, embassies and diplomatic missions in the region, foreign intelligence services, and foreign governments with space programs were also targeted.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT14.

Known Synonyms
ALUMINUM
ANCHOR PANDA
QAZTeam
Internal MISP references

UUID c82c904f-b3b4-40a2-bf0d-008912953104 which can be used as unique global reference for APT14 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'United Kingdom', 'Germany', 'Australia', 'Sweden']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country CN
motive Espionage
targeted-sector ['Other', 'Aerospace', 'Defense', 'Intelligence', 'Maritime', 'Military', 'Space']
Related clusters

To see the related clusters, click here.

APT21

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT21.

Known Synonyms
HAMMER PANDA
NetTraveler
TEMP.Zhenbao
Internal MISP references

UUID b80f4788-ccb2-466d-ae16-b397159d907e which can be used as unique global reference for APT21 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Mongolia', 'Kazakhstan', 'Tajikistan', 'Germany', 'United Kingdom', 'India', 'Kyrgyzstan', 'South Korea', 'United States', 'Chile', 'Russia', 'China', 'Spain', 'Canada', 'Morocco']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country CN

DAGGER PANDA

Operate since at least 2011, from several locations in China, with members in Korea and Japan as well. Possibly linked to Onion Dog. This threat actor targets government institutions, military contractors, maritime and shipbuilding groups, telecommunications operators, and others, primarily in Japan and South Korea.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DAGGER PANDA.

Known Synonyms
IceFog
PLA Unit 69010
Red Wendigo
RedFoxtrot
Trident
Internal MISP references

UUID 32c534b9-abec-4823-b223-a810f897b47b which can be used as unique global reference for DAGGER PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['South Korea', 'United States', 'Japan', 'Germany', 'China']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Other', 'Maritime', 'Military', 'Government, Administration', 'Telecoms']

APT24

The Pitty Tiger group has been active since at least 2011. They have been seen using HeartBleed vulnerability in order to directly get valid credentials

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT24.

Known Synonyms
G0011
PITTY PANDA
Temp.Pittytiger
Internal MISP references

UUID 4d37813c-b8e9-4e58-a758-03168d8aa189 which can be used as unique global reference for APT24 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
Related clusters

To see the related clusters, click here.

Roaming Tiger

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Roaming Tiger.

Known Synonyms
BRONZE WOODLAND
Rotten Tomato
Internal MISP references

UUID 1fb177c1-472a-4147-b7c4-b5269b11703d which can be used as unique global reference for Roaming Tiger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Beijing Group

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Beijing Group.

Known Synonyms
Elderwood
Elderwood Gang
G0066
SIG22
SNEAKY PANDA
Internal MISP references

UUID da754aeb-a86d-4874-b388-d1d2028a56be which can be used as unique global reference for Beijing Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'Canada', 'United Kingdom', 'Switzerland', 'Hong Kong', 'Australia', 'India', 'Taiwan', 'China', 'Denmark']
cfr-target-category ['Private sector', 'Civil society']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

RADIO PANDA

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RADIO PANDA.

Known Synonyms
Shrouded Crossbow
Internal MISP references

UUID c92d7d31-cfd9-4309-b6c4-b7eb1e85fa7e which can be used as unique global reference for RADIO PANDA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country CN

APT.3102

Internal MISP references

UUID f33fd440-93ee-41e5-974a-be9343e18cdf which can be used as unique global reference for APT.3102 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

SAMURAI PANDA

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SAMURAI PANDA.

Known Synonyms
PLA Navy
Wisp Team
Internal MISP references

UUID 2fb07fa4-0d7f-43c7-8ff4-b28404313fe7 which can be used as unique global reference for SAMURAI PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'United Kingdom', 'Hong Kong']
cfr-target-category ['Private sector', 'Military']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

IMPERSONATING PANDA

Internal MISP references

UUID b56ecbda-6b2a-4aa9-b592-d9a0bc810ec1 which can be used as unique global reference for IMPERSONATING PANDA in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country CN

APT20

We’ve uncovered some new data and likely attribution regarding a series of APT watering hole attacks this past summer. Watering hole attacks are an increasingly popular component of APT campaigns, as many people are more aware of spear phishing and are less likely to open documents or click on links in unsolicited emails. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and installing malware intended to compromise website visitors. These are often popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access. In contrast to many other APT campaigns, which tend to rely heavily on spear phishing to gain victims, “th3bug” is known for compromising legitimate websites their intended visitors are likely to frequent. Over the summer they compromised several sites, including a well-known Uyghur website written in that native language.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT20.

Known Synonyms
Crawling Taurus
TH3Bug
VIOLIN PANDA
Internal MISP references

UUID 8bcd855f-a4c1-453a-bede-ff36582f4f40 which can be used as unique global reference for APT20 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

TOXIC PANDA

A group targeting dissident groups in China and at the boundaries.

Internal MISP references

UUID 1514546d-f6ea-4af3-bbea-24d6fd9e6761 which can be used as unique global reference for TOXIC PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

TEMPER PANDA

China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. This threat actor targets prodemocratic activists and organizations in Hong Kong, European and international financial institutions, and a U.S.-based think tank.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEMPER PANDA.

Known Synonyms
Admin338
G0018
MAGNESIUM
Team338
admin@338
Internal MISP references

UUID ac4bce1f-b3ec-4c44-bd36-b6cc986b319b which can be used as unique global reference for TEMPER PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Hong Kong', 'United States']
cfr-target-category ['Government', 'Private sector', 'Civil society']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Activists', 'Trade', 'Finance', 'Political party']
Related clusters

To see the related clusters, click here.

APT23

TrendMicro described Tropic Trooper in a 2015 report as: 'Taiwan and the Philippines have become the targets of an ongoing campaign called Operation TropicTrooper. Active since 2012, the attackers behind the campaign haveset their sights on the Taiwanese government as well as a number of companies in the heavy industry. The same campaign has also targeted key Philippine military agencies.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT23.

Known Synonyms
BRONZE HOBART
Earth Centaur
G0081
KeyBoy
PIRATE PANDA
Red Orthrus
Tropic Trooper
Internal MISP references

UUID 7f16d1f5-04ee-4d99-abf0-87e1f23f9fee which can be used as unique global reference for APT23 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
targeted-sector ['Military', 'Government, Administration']

Flying Kitten

Activity: defense and aerospace sectors, also interested in targeting entities in the oil/gas industry.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flying Kitten.

Known Synonyms
Ajax Security Team
AjaxSecurityTeam
Group 26
Saffron Rose
SaffronRose
Sayad
Internal MISP references

UUID ba724df5-9aa0-45ca-8e0e-7101c208ae48 which can be used as unique global reference for Flying Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['United States', 'Iranian internet activists']
cfr-target-category ['Military', 'Civil society']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Aerospace', 'Defense', 'Gas', 'Oil']
Related clusters

To see the related clusters, click here.

Cutting Kitten

One of the threat actors responsible for the denial of service attacks against U.S in 2012–2013. Three individuals associated with the group—believed to be have been working on behalf of Iran’s Islamic Revolutionary Guard Corps—were indicted by the Justice Department in 2016.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cutting Kitten.

Known Synonyms
ITsecTeam
Internal MISP references

UUID 11e17436-6ede-4733-8547-4ce0254ea19e which can be used as unique global reference for Cutting Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['United States', 'Bank of America', 'US Bancorp', 'Fifth Third Bank', 'Citigroup', 'PNC', 'BB&T', 'Wells Fargo', 'Capital One', 'HSBC', 'AT&T', 'NYSE']
cfr-type-of-incident ['Denial of service']
country IR

Charming Kitten

Charming Kitten (aka Parastoo, aka Newscaster) is an group with a suspected nexus to Iran that targets organizations involved in government, defense technology, military, and diplomacy sectors.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Charming Kitten.

Known Synonyms
CharmingCypress
G0058
Group 83
NewsBeef
Newscaster
Parastoo
iKittens
Internal MISP references

UUID f98bac6b-12fd-4cad-be84-c84666932232 which can be used as unique global reference for Charming Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['U.S. government/defense sector websites', 'Saudi Arabia', 'Israel', 'Iraq', 'United Kingdom']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Defense', 'Diplomacy', 'Military', 'Technology', 'Government, Administration']
Related clusters

To see the related clusters, click here.

APT33

Our analysis reveals that APT33 is a capable group that has carried out cyber espionage operations since at least 2013. We assess APT33 works at the behest of the Iranian government.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT33.

Known Synonyms
APT 33
ATK35
COBALT TRINITY
Elfin
G0064
HOLMIUM
MAGNALLIUM
Peach Sandstorm
Refined Kitten
TA451
Internal MISP references

UUID 4f69ec6d-cb6b-42af-b8e2-920a2aa4be10 which can be used as unique global reference for APT33 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
capabilities STONEDRILL wiper, variants of TURNEDUP malware
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['United States', 'Saudi Arabia', 'South Korea']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country IR
mode-of-operation IT network limited, information gathering against industrial orgs
victimology Petrochemical, Aerospace, Saudi Arabia
Related clusters

To see the related clusters, click here.

Magic Kitten

Earliest activity back to November 2008. An established group of cyber attackers based in Iran, who carried on several campaigns in 2013, including a series of attacks targeting political dissidents and those supporting Iranian political opposition.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Magic Kitten.

Known Synonyms
Group 42
VOYEUR
Internal MISP references

UUID 2e77511d-f72f-409e-9b64-e2a15efe9bf4 which can be used as unique global reference for Magic Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR
targeted-sector ['Opposition', 'Dissidents', 'Political party']

Rocket Kitten

Targets Saudi Arabia, Israel, US, Iran, high ranking defense officials, embassies of various target countries, notable Iran researchers, human rights activists, media and journalists, academic institutions and various scholars, including scientists in the fields of physics and nuclear sciences.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rocket Kitten.

Known Synonyms
Operation Woolen Goldfish
Operation Woolen-Goldfish
TEMP.Beanie
Thamar Reservoir
Timberworm
Internal MISP references

UUID f873db71-3d53-41d5-b141-530675ade27a which can be used as unique global reference for Rocket Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Saudi Arabia', 'Venezuela', 'Afghanistan', 'United Arab Emirates', 'Iran', 'Israel', 'Iraq', 'Kuwait', 'Turkey', 'Canada', 'Yemen', 'United Kingdom', 'Egypt', 'Syria', 'Jordan']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Activists', 'Defense', 'Journalist', 'Research - Innovation', 'Academia - University', 'Government, Administration']
Related clusters

To see the related clusters, click here.

Cleaver

A group of cyber actors utilizing infrastructure located in Iran have been conducting computer network exploitation activity against public and private U.S. organizations, including Cleared Defense Contractors (CDCs), academic institutions, and energy sector companies. This threat actor targets entities in the government, energy, and technology sectors that are located in or do business with Saudi Arabia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cleaver.

Known Synonyms
Alibaba
Cobalt Gypsy
G0003
Op Cleaver
Operation Cleaver
TG-2889
Tarh Andishan
Internal MISP references

UUID 86724806-7ec9-4a48-a0a7-ecbde3bf4810 which can be used as unique global reference for Cleaver in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Canada', 'France', 'Israel', 'Mexico', 'Saudi Arabia', 'China', 'Germany', 'United States', 'Pakistan', 'South Korea', 'United Kingdom', 'India', 'Kuwait', 'Qatar', 'Turkey']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Defense', 'Energy', 'Technology', 'Government, Administration', 'Academia - University']
Related clusters

To see the related clusters, click here.

Sands Casino

Internal MISP references

UUID 1de1a64e-ea14-4e79-9e41-6958bdb6c0ff which can be used as unique global reference for Sands Casino in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country IR

Rebel Jackal

This is a pro-Islamist organization that generally conducts attacks motivated by real world events in which its members believe that members of the Muslim faith were wronged. Its attacks generally involve website defacements; however, the group did develop a RAT that it refers to as Fallaga RAT, but which appears to simply be a fork of the njRAT malware popular amongst hackers in the Middle East/North Africa region.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rebel Jackal.

Known Synonyms
FallagaTeam
Internal MISP references

UUID 29af2812-f7fb-4edb-8cc4-86d0d9e3644b which can be used as unique global reference for Rebel Jackal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country TN
motive Hacktivists-Nationalists

Viking Jackal

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Viking Jackal.

Known Synonyms
Vikingdom
Internal MISP references

UUID 7f99ba32-421c-4905-9deb-006e8eda40c1 which can be used as unique global reference for Viking Jackal in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country AE

APT28

The Sofacy Group (also known as APT28, Pawn Storm, Fancy Bear and Sednit) is a cyber espionage group believed to have ties to the Russian government. Likely operating since 2007, the group is known to target government, military, and security organizations. It has been characterized as an advanced persistent threat.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT28.

Known Synonyms
APT-C-20
ATK5
Blue Athena
FANCY BEAR
FROZENLAKE
Fighting Ursa
Forest Blizzard
G0007
Grizzly Steppe
Group 74
IRON TWILIGHT
ITG05
Pawn Storm
SIG40
SNAKEMACKEREL
STRONTIUM
Sednit
Sofacy
Swallowtail
T-APT-12
TA422
TG-4127
Tsar Team
UAC-0028
Internal MISP references

UUID 5b4ee3ea-eee3-4c8e-8323-85ae32658754 which can be used as unique global reference for APT28 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['Georgia', 'France', 'Jordan', 'United States', 'Hungary', 'World Anti-Doping Agency', 'Armenia', 'Tajikistan', 'Japan', 'NATO', 'Ukraine', 'Belgium', 'Pakistan', 'Asia Pacific Economic Cooperation', 'International Association of Athletics Federations', 'Turkey', 'Mongolia', 'OSCE', 'United Kingdom', 'Germany', 'Poland', 'European Commission', 'Afghanistan', 'Kazakhstan', 'China']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country RU
targeted-sector ['Military', 'Government, Administration', 'Security Service']
Related clusters

To see the related clusters, click here.

APT29

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT29.

Known Synonyms
ATK7
Blue Kitsune
BlueBravo
COZY BEAR
Cloaked Ursa
G0016
Grizzly Steppe
Group 100
IRON HEMLOCK
ITG11
Minidionis
Nobelium
SeaDuke
TA421
The Dukes
UAC-0029
YTTRIUM
Internal MISP references

UUID b2056ff0-00b9-482e-b11c-c771daa5f28a which can be used as unique global reference for APT29 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['United States', 'China', 'New Zealand', 'Ukraine', 'Romania', 'Georgia', 'Japan', 'South Korea', 'Belgium', 'Kazakhstan', 'Brazil', 'Mexico', 'Turkey', 'Portugal', 'India', 'Germany']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country RU
targeted-sector ['Think Tanks', 'Government, Administration']
Related clusters

To see the related clusters, click here.

Turla

A 2014 Guardian article described Turla as: 'Dubbed the Turla hackers, initial intelligence had indicated western powers were key targets, but it was later determined embassies for Eastern Bloc nations were of more interest. Embassies in Belgium, Ukraine, China, Jordan, Greece, Kazakhstan, Armenia, Poland, and Germany were all attacked, though researchers from Kaspersky Lab and Symantec could not confirm which countries were the true targets. In one case from May 2012, the office of the prime minister of a former Soviet Union member country was infected, leading to 60 further computers being affected, Symantec researchers said. There were some other victims, including the ministry for health of a Western European country, the ministry for education of a Central American country, a state electricity provider in the Middle East and a medical organisation in the US, according to Symantec. It is believed the group was also responsible for a much - documented 2008 attack on the US Central Command. The attackers - who continue to operate - have ostensibly sought to carry out surveillance on targets and pilfer data, though their use of encryption across their networks has made it difficult to ascertain exactly what the hackers took.Kaspersky Lab, however, picked up a number of the attackers searches through their victims emails, which included terms such as Nato and EU energy dialogue Though attribution is difficult to substantiate, Russia has previously been suspected of carrying out the attacks and Symantecs Gavin O’ Gorman told the Guardian a number of the hackers appeared to be using Russian names and language in their notes for their malicious code. Cyrillic was also seen in use.'

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Turla.

Known Synonyms
ATK13
Blue Python
G0010
Group 88
Hippo Team
IRON HUNTER
ITG12
KRYPTON
MAKERSMARK
Pacifier APT
Pfinet
Popeye
SIG23
SUMMIT
Secret Blizzard
Snake
TAG_0530
UAC-0003
UAC-0024
UAC-0144
UNC4210
Uroburos
VENOMOUS Bear
WRAITH
Waterbug
Internal MISP references

UUID fa80877c-f509-4daf-8b62-20aba1635f68 which can be used as unique global reference for Turla in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['France', 'Romania', 'Kazakhstan', 'Poland', 'Tajikistan', 'Russia', 'United States', 'Saudi Arabia', 'Germany', 'India', 'Belarus', 'Netherlands', 'Iran', 'Uzbekistan', 'Iraq']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country RU
targeted-sector ['Government, Administration', 'Education', 'Electric', 'Energy', 'Health']
Related clusters

To see the related clusters, click here.

ENERGETIC BEAR

A Russian group that collects intelligence on the energy industry.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ENERGETIC BEAR.

Known Synonyms
ALLANITE
ATK6
BERSERK BEAR
BROMINE
Blue Kraken
CASTLE
Crouching Yeti
DYMALLOY
Dragonfly
G0035
Ghost Blizzard
Group 24
Havex
IRON LIBERTY
ITG15
Koala Team
TG-4192
Internal MISP references

UUID 64d6559c-6d5c-4585-bbf9-c17868f763ee which can be used as unique global reference for ENERGETIC BEAR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 75
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['United States', 'Germany', 'Turkey', 'China', 'Spain', 'France', 'Ireland', 'Japan', 'Italy', 'Poland']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country RU
targeted-sector ['Energy']
Related clusters

To see the related clusters, click here.

Sandworm

This threat actor targets industrial control systems, using a tool called Black Energy, associated with electricity and power generation for espionage, denial of service, and data destruction purposes. Some believe that the threat actor is linked to the 2015 compromise of the Ukrainian electrical grid and a distributed denial of service prior to the Russian invasion of Georgia. Believed to be responsible for the 2008 DDoS attacks in Georgia and the 2015 Ukraine power grid outage

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sandworm.

Known Synonyms
APT44
Blue Echidna
ELECTRUM
FROZENBARENTS
G0034
IRIDIUM
IRON VIKING
Quedagh
Seashell Blizzard
TEMP.Noble
TeleBots
UAC-0082
UAC-0113
VOODOO BEAR
Internal MISP references

UUID f512de42-f76b-40d2-9923-59e7dbdfec35 which can be used as unique global reference for Sandworm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['Russia', 'Lithuania', 'Kyrgyzstan', 'Israel', 'Ukraine', 'Belarus', 'Kazakhstan', 'Georgia', 'Poland', 'Azerbaijan', 'Iran']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country RU
targeted-sector ['Electric', 'Energy', 'Industrial']
Related clusters

To see the related clusters, click here.

FIN7

Groups targeting financial organizations or people with significant financial assets.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN7.

Known Synonyms
ATK32
CARBON SPIDER
Calcium
Carbanak
Carbon Spider
Coreid
ELBRUS
G0008
G0046
GOLD NIAGARA
Sangria Tempest
Internal MISP references

UUID 00220228-a5a4-4032-a30d-826bb55aa3fb which can be used as unique global reference for FIN7 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RU
motive Cybercrime
Related clusters

To see the related clusters, click here.

TeamSpy Crew

Researchers have uncovered a long-term cyber-espionage campaign that used a combination of legitimate software packages and commodity malware tools to target a variety of heavy industry, government intelligence agencies and political activists. Known as the TeamSpy crew because of its affinity for using the legitimate TeamViewer application as part of its toolset, the attackers may have been active for as long as 10 years, researchers say. The attack appears to be a years-long espionage campaign, but experts who have analyzed the victim profile, malware components and command-and-control infrastructure say that it’s not entirely clear what kind of data the attackers are going after. What is clear, though, is that the attackers have been at this for a long time and that they have specific people in mind as targets. Researchers at the CrySyS Lab in Hungary were alerted by the Hungarian National Security Authority to an attack against a high-profile target in the country and began looking into the campaign. They quickly discovered that some of the infrastructure being used in the attack had been in use for some time and that the target they were investigating was by no means the only one.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamSpy Crew.

Known Synonyms
Anger Bear
IRON LYRIC
Team Bear
TeamSpy
Internal MISP references

UUID 82c1c7fa-c67b-4be6-9be8-8aa400ef2445 which can be used as unique global reference for TeamSpy Crew in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['Hungary', 'Belarus']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country RU
targeted-sector ['Activists', 'Intelligence', 'Government, Administration']
Related clusters

To see the related clusters, click here.

BuhTrap

Buhtrap has been active since 2014, however their first attacks against financial institutions were only detected in August 2015. Earlier, the group had only focused on targeting banking clients. At the moment, the group is known to target Russian and Ukrainian banks. From August 2015 to February 2016 Buhtrap managed to conduct 13 successful attacks against Russian banks for a total amount of 1.8 billion rubles ($25.7 mln). The number of successful attacks against Ukrainian banks has not been identified. Buhtrap is the first hacker group using a network worm to infect the overall bank infrastructure that significantly increases the difficulty of removing all malicious functions from the network. As a result, banks have to shut down the whole infrastructure which provokes delay in servicing customers and additional losses. Malicious programs intentionally scan for machines with an automated Bank-Customer system of the Central Bank of Russia (further referred to as BCS CBR). We have not identified incidents of attacks involving online money transfer systems, ATM machines or payment gates which are known to be of interest for other criminal groups.

Internal MISP references

UUID b737c51f-b579-49d5-a907-743b2e6d03cb which can be used as unique global reference for BuhTrap in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RU
targeted-sector ['Bank', 'Payment', 'Finance']

WOLF SPIDER

FIN4 is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013. FIN4 is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WOLF SPIDER.

Known Synonyms
FIN4
G0085
Internal MISP references

UUID ff449346-aa9f-45f6-b482-71e886a5cf57 which can be used as unique global reference for WOLF SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RO
targeted-sector ['Health', 'Finance', 'Pharmacy']

Boulder Bear

First observed activity in December 2013.

Internal MISP references

UUID 85b40169-3d1c-491b-9fbf-877ed57f32e0 which can be used as unique global reference for Boulder Bear in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country RU

SHARK SPIDER

This group's activity was first observed in November 2013. It leverages a banking Trojan more commonly known as Shylock which aims to compromise online banking credentials and credentials related to Bitcoin wallets.

Internal MISP references

UUID 7dd7a8df-9012-4d14-977f-b3f9f71266b4 which can be used as unique global reference for SHARK SPIDER in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country RU
targeted-sector ['Bank']

UNION SPIDER

Adversary targeting manufacturing and industrial organizations.

Internal MISP references

UUID db774b7d-a0ee-4375-b24e-fd278f5ab2fd which can be used as unique global reference for UNION SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RU
targeted-sector ['Manufacturing', 'Industrial']

Silent Chollima

Andariel is a threat actor that primarily targets South Korean corporations and institutions. They are believed to collaborate with or operate as a subsidiary organization of the Lazarus threat group. WHOIS utilizes spear phishing attacks, watering hole attacks, and supply chain attacks for initial access. They have been known to exploit vulnerabilities and use malware such as Infostealer and TigerRAT.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silent Chollima.

Known Synonyms
Andariel
GOP
Guardian of Peace
Onyx Sleet
OperationTroy
PLUTONIUM
Subgroup: Andariel
WHOis Team
Internal MISP references

UUID 245c8dde-ed42-4c49-b48b-634e3e21bdd7 which can be used as unique global reference for Silent Chollima in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country KP

Lazarus Group

Since 2009, HIDDEN COBRA actors have leveraged their capabilities to target and compromise a range of victims; some intrusions have resulted in the exfiltration of data while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. Tools and capabilities used by HIDDEN COBRA actors include DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware. Variants of malware and tools used by HIDDEN COBRA actors include Destover, Duuzer, and Hangman.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lazarus Group.

Known Synonyms
APT 38
APT-C-26
APT38
ATK117
ATK3
Andariel
Appleworm
BeagleBoyz
Bluenoroff
Bureau 121
COPERNICIUM
COVELLITE
Citrine Sleet
DEV-0139
DEV-1222
Dark Seoul
Diamond Sleet
G0032
G0082
Group 77
Hastati Group
Hidden Cobra
Labyrinth Chollima
Lazarus group
NICKEL GLADSTONE
NewRomanic Cyber Army Team
Nickel Academy
Operation AppleJeus
Operation DarkSeoul
Operation GhostSecret
Operation Troy
Sapphire Sleet
Stardust Chollima
Subgroup: Bluenoroff
TA404
Unit 121
Whois Hacking Team
ZINC
Zinc
Internal MISP references

UUID 68391641-859f-4a9a-9a1e-3e5cf71ec376 which can be used as unique global reference for Lazarus Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Korea (Democratic People's Republic of)
cfr-suspected-victims ['South Korea', 'Bangladesh Bank', 'Sony Pictures Entertainment', 'United States', 'Thailand', 'France', 'China', 'Hong Kong', 'United Kingdom', 'Guatemala', 'Canada', 'Bangladesh', 'Japan', 'India', 'Germany', 'Brazil', 'Thailand', 'Australia', 'Cryptocurrency exchanges in South Korea']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident ['Espionage', 'Sabotage']
country KP
Related clusters

To see the related clusters, click here.

VICEROY TIGER

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VICEROY TIGER.

Known Synonyms
APT-C-35
Donot Team
OPERATION HANGOVER
Orange Kala
SectorE02
Internal MISP references

UUID e2b87f81-a6a1-4524-b03f-193c3191d239 which can be used as unique global reference for VICEROY TIGER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-victims ['Germany']
country IN
targeted-sector ['Government, Administration', 'Security Service']
Related clusters

To see the related clusters, click here.

PIZZO SPIDER

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PIZZO SPIDER.

Known Synonyms
Ambiorx
DD4BC
Internal MISP references

UUID dd9806a9-a600-48f8-81fb-07f0f1b7690d which can be used as unique global reference for PIZZO SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country US

Corsair Jackal

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Corsair Jackal.

Known Synonyms
TunisianCyberArmy
Internal MISP references

UUID 59d63dd6-f46f-4334-ad15-30d2e1ee0623 which can be used as unique global reference for Corsair Jackal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country TN

SNOWGLOBE

In 2014, researchers at Kaspersky Lab discovered and reported on three zero-days that were being used in cyberattacks in the wild. Two of these zero-day vulnerabilities are associated with an advanced threat actor we call Animal Farm. Over the past few years, Animal Farm has targeted a wide range of global organizations. The group has been active since at least 2009 and there are signs that earlier malware versions were developed as far back as 2007.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SNOWGLOBE.

Known Synonyms
ATK8
Animal Farm
Snowglobe
Internal MISP references

UUID 3b8e7462-c83f-4e7d-9511-2fe430d80aab which can be used as unique global reference for SNOWGLOBE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor France
cfr-suspected-victims ['Syria', 'United States', 'Netherlands', 'Russia', 'Spain', 'Iran', 'China', 'Germany', 'Algeria', 'Norway', 'Malaysia', 'Turkey', 'United Kingdom', 'Ivory Coast', 'Greece']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country FR

Deadeye Jackal

The Syrian Electronic Army (SEA) is a group of computer hackers which first surfaced online in 2011 to support the government of Syrian President Bashar al-Assad. Using spamming, website defacement, malware, phishing, and denial of service attacks, it has targeted political opposition groups, western news organizations, human rights groups and websites that are seemingly neutral to the Syrian conflict. It has also hacked government websites in the Middle East and Europe, as well as US defense contractors. As of 2011 the SEA has been the first Arab country to have a public Internet Army hosted on its national networks to openly launch cyber attacks on its enemies. The precise nature of SEA's relationship with the Syrian government has changed over time and is unclear

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Deadeye Jackal.

Known Synonyms
SEA
SyrianElectronicArmy
Internal MISP references

UUID 4265d44e-8372-4ed0-b428-b331a5443d7d which can be used as unique global reference for Deadeye Jackal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country SY
targeted-sector ['Country', 'Defense', 'Opposition', 'Political party', 'News - Media', 'Government, Administration']

Operation C-Major

Group targeting Indian Army or related assets in India, as well as activists and civil society in Pakistan. Attribution to a Pakistani connection has been made by TrendMicro and others.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Operation C-Major.

Known Synonyms
APT 36
APT36
C-Major
COPPER FIELDSTONE
Earth Karkaddan
Green Havildar
Mythic Leopard
ProjectM
TMP.Lapis
Transparent Tribe
Internal MISP references

UUID acbb5cad-ffe7-4b0e-a57a-2dbc916e8905 which can be used as unique global reference for Operation C-Major in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Pakistan
cfr-target-category ['Civil society', 'Military', 'Government']
country PK
targeted-sector ['Activists', 'Civil society', 'Military']
Related clusters

To see the related clusters, click here.

Stealth Falcon

This threat actor targets civil society groups and Emirati journalists, activists, and dissidents.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Stealth Falcon.

Known Synonyms
FruityArmor
G0038
Internal MISP references

UUID dab75e38-6969-4e78-9304-dc269c3cbcf0 which can be used as unique global reference for Stealth Falcon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor United Arab Emirates
cfr-suspected-victims ['United Arab Emirates', 'United Kingdom']
cfr-target-category ['Civil society']
cfr-type-of-incident Espionage
country AE
targeted-sector ['Activists', 'Dissidents', 'Journalist', 'Civil society']
Related clusters

To see the related clusters, click here.

HummingBad

This group created a malware that takes over Android devices and generates $300,000 per month in fraudulent ad revenue. The group effectively controls an arsenal of over 85 million mobile devices around the world. With the potential to sell access to these devices to the highest bidder

Internal MISP references

UUID 12ab5c28-5f38-4a2f-bd40-40e9c500f4ac which can be used as unique global reference for HummingBad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

QUILTED TIGER

Dropping Elephant (also known as “Chinastrats” and “Patchwork“) is a relatively new threat actor that is targeting a variety of high profile diplomatic and economic targets using a custom set of attack tools. Its victims are all involved with China’s foreign relations in some way, and are generally caught through spear-phishing or watering hole attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular QUILTED TIGER.

Known Synonyms
APT-C-09
ATK11
Chinastrats
Dropping Elephant
G0040
Monsoon
Orange Athos
Patchwork
Sarit
Thirsty Gemini
ZINC EMERSON
Internal MISP references

UUID 18d473a5-831b-47a5-97a1-a32156299825 which can be used as unique global reference for QUILTED TIGER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor India
cfr-suspected-victims ['Bangladesh', 'Sri Lanka', 'Pakistan']
cfr-target-category ['Private sector', 'Military']
cfr-type-of-incident Espionage
country IN
targeted-sector ['Finance', 'Diplomacy']
Related clusters

To see the related clusters, click here.

Scarlet Mimic

Scarlet Mimic is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by Scarlet Mimic and Putter Panda, APT 2, it has not been concluded that the groups are the same. The attacks began over four years ago and their targeting pattern suggests that this adversary’s primary mission is to gather information about minority rights activists. We do not have evidence directly linking these attacks to a government source, but the information derived from these activities supports an assessment that a group or groups with motivations similar to the stated position of the Chinese government in relation to these targets is involved. The attacks we attribute to Scarlet Mimic have primarily targeted Uyghur and Tibetan activists as well as those who are interested in their causes. Both the Tibetan community and the Uyghurs, a Turkic Muslim minority residing primarily in northwest China, have been targets of multiple sophisticated attacks in the past decade. Both also have history of strained relationships with the government of the People’s Republic of China (PRC), though we do not have evidence that links Scarlet Mimic attacks to the PRC. Scarlet Mimic attacks have also been identified against government organizations in Russia and India, who are responsible for tracking activist and terrorist activities. While we do not know the precise target of each of the Scarlet Mimic attacks, many of them align to the patterns described above.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scarlet Mimic.

Known Synonyms
G0029
Golfing Taurus
Internal MISP references

UUID 0da10682-85c6-4c0b-bace-ba1f7adfb63e which can be used as unique global reference for Scarlet Mimic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
targeted-sector ['Activists']
Related clusters

To see the related clusters, click here.

Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Poseidon Group.

Known Synonyms
G0033
Internal MISP references

UUID 5fc09923-fcff-4e81-9cae-4518ef31cf4d which can be used as unique global reference for Poseidon Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country BR
Related clusters

To see the related clusters, click here.

DragonOK

Threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. 2223 It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DragonOK.

Known Synonyms
BRONZE OVERBROOK
G0002
G0017
Moafee
Shallow Taurus
Internal MISP references

UUID a9b44750-992c-4743-8922-129880d277ea which can be used as unique global reference for DragonOK in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

ProjectSauron

ProjectSauron is the name for a top level modular cyber-espionage platform, designed to enable and manage long-term campaigns through stealthy survival mechanisms coupled with multiple exfiltration methods. Technical details show how attackers learned from other extremely advanced actors in order to avoid repeating their mistakes. As such, all artifacts are customized per given target, reducing their value as indicators of compromise for any other victim. Usually APT campaigns have a geographical nexus, aimed at extracting information within a specific region or from a given industry. That usually results in several infections in countries within that region, or in the targeted industry around the world. Interestingly, ProjectSauron seems to be dedicated to just a couple of countries, focused on collecting high value intelligence by compromising almost all key entities it could possibly reach within the target area. The name, ProjectSauron reflects the fact that the code authors refer to ‘Sauron’ in the Lua scripts.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ProjectSauron.

Known Synonyms
G0041
Project Sauron
Sauron
Strider
Internal MISP references

UUID f3179cfb-9c86-4980-bd6b-e4fa74adaaa7 which can be used as unique global reference for ProjectSauron in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor United States
cfr-suspected-victims ['Russia', 'Iran', 'Belgium', 'China', 'Sweden', 'Rwanda']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country US
targeted-sector ['Intelligence']
Related clusters

To see the related clusters, click here.

TA530

TA530, who we previously examined in relation to large-scale personalized phishing campaigns

Internal MISP references

UUID 4b79d1f6-8333-44b6-ac32-d1ea7e47e77f which can be used as unique global reference for TA530 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

GCMAN

GCMAN is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GCMAN.

Known Synonyms
G0036
Internal MISP references

UUID d93889de-b4bc-4a29-9ce7-d67717c140a0 which can be used as unique global reference for GCMAN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RU
targeted-sector ['Bank']
Related clusters

To see the related clusters, click here.

APT22

Suckfly is a China-based threat group that has been active since at least 2014

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT22.

Known Synonyms
BRONZE OLIVE
G0039
Group 46
Suckfly
Internal MISP references

UUID 5abb12e7-5066-4f84-a109-49a037205c76 which can be used as unique global reference for APT22 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
Related clusters

To see the related clusters, click here.

FIN6

FIN is a group targeting financial assets including assets able to do financial transaction including PoS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN6.

Known Synonyms
ATK88
Camouflage Tempest
G0037
GOLD FRANKLIN
ITG08
MageCart Group 6
SKELETON SPIDER
White Giant
Internal MISP references

UUID 647894f6-1723-4cba-aba4-0ef0966d5302 which can be used as unique global reference for FIN6 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Libyan Scorpions

Libyan Scorpions is a malware operation in use since September 2015 and operated by a politically motivated group whose main objective is intelligence gathering, spying on influentials and political figures and operate an espionage campaign within Libya.

Internal MISP references

UUID 815cbe98-e157-4078-9caa-c5a25dd64731 which can be used as unique global reference for Libyan Scorpions in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country LY
targeted-sector ['Intelligence']

TeamXRat

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamXRat.

Known Synonyms
CorporacaoXRat
CorporationXRat
Internal MISP references

UUID 43ec65d1-a334-4c44-9a44-0fd21f27249d which can be used as unique global reference for TeamXRat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

OilRig

OilRig is an Iranian threat group operating primarily in the Middle East by targeting organizations in this region that are in a variety of different industries; however, this group has occasionally targeted organizations outside of the Middle East as well. It also appears OilRig carries out supply chain attacks, where the threat group leverages the trust relationship between organizations to attack their primary targets.

OilRig is an active and organized threat group, which is evident based on their systematic targeting of specific organizations that appear to be carefully chosen for strategic purposes. Attacks attributed to this group primarily rely on social engineering to exploit the human rather than software vulnerabilities; however, on occasion this group has used recently patched vulnerabilities in the delivery phase of their attacks. The lack of software vulnerability exploitation does not necessarily suggest a lack of sophistication, as OilRig has shown maturity in other aspects of their operations. Such maturities involve:

-Organized evasion testing used the during development of their tools. -Use of custom DNS Tunneling protocols for command and control (C2) and data exfiltration. -Custom web-shells and backdoors used to persistently access servers.

OilRig relies on stolen account credentials for lateral movement. After OilRig gains access to a system, they use credential dumping tools, such as Mimikatz, to steal credentials to accounts logged into the compromised system. The group uses these credentials to access and to move laterally to other systems on the network. After obtaining credentials from a system, operators in this group prefer to use tools other than their backdoors to access the compromised systems, such as remote desktop and putty. OilRig also uses phishing sites to harvest credentials to individuals at targeted organizations to gain access to internet accessible resources, such as Outlook Web Access.

Since at least 2014, an Iranian threat group tracked by FireEye as APT34 has conducted reconnaissance aligned with the strategic interests of Iran. The group conducts operations primarily in the Middle East, targeting financial, government, energy, chemical, telecommunications and other industries. Repeated targeting of Middle Eastern financial, energy and government organizations leads FireEye to assess that those sectors are a primary concern of APT34. The use of infrastructure tied to Iranian operations, timing and alignment with the national interests of Iran also lead FireEye to assess that APT34 acts on behalf of the Iranian government.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular OilRig.

Known Synonyms
APT 34
APT34
ATK40
Cobalt Gypsy
Crambus
EUROPIUM
Evasive Serpens
G0049
Hazel Sandstorm
Helix Kitten
IRN2
TA452
Twisted Kitten
Internal MISP references

UUID 42be2a84-5a5c-4c6d-9864-3f09d75bb0ba which can be used as unique global reference for OilRig in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Israel', 'Kuwait', 'United States', 'Turkey', 'Saudi Arabia', 'Qatar', 'Lebanon', 'Middle East']
cfr-target-category ['Government', 'Private sector', 'Civil society']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Chemical', 'Energy', 'Engineering', 'Finance', 'Government, Administration', 'Telecoms', 'Other']
Related clusters

To see the related clusters, click here.

Volatile Cedar

Beginning in late 2012, a carefully orchestrated attack campaign we call Volatile Cedar has been targeting individuals, companies and institutions worldwide. This campaign, led by a persistent attacker group, has successfully penetrated a large number of targets using various attack techniques, and specifically, a custom-made malware implant codenamed Explosive.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volatile Cedar.

Known Synonyms
DeftTorero
Lebanese Cedar
Internal MISP references

UUID cf421ce6-ddfe-419a-bc65-6a9fc953232a which can be used as unique global reference for Volatile Cedar in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country LB
suspected-victims ['Middle East', 'Israel', 'Lebanon', 'Saudi Arabia']
Related clusters

To see the related clusters, click here.

Dancing Salome

Dancing Salome is the Kaspersky codename for an APT actor with a primary focus on ministries of foreign affairs, think tanks, and Ukraine. What makes Dancing Salome interesting and relevant is the attacker’s penchant for leveraging HackingTeam RCS implants compiled after the public breach.

Internal MISP references

UUID 3d5192f2-f235-46fd-aa68-dd00cc17d632 which can be used as unique global reference for Dancing Salome in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
suspected-victims ['Ukraine']
targeted-sector ['Think Tanks', 'Government, Administration']

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

Internal MISP references

UUID 46670c51-fea4-45d6-bdd4-62e85a5c7404 which can be used as unique global reference for TERBIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Energy']
Related clusters

To see the related clusters, click here.

Molerats

In October 2012, malware attacks against Israeli government targets grabbed media attention as officials temporarily cut off Internet access for its entire police force and banned the use of USB memory sticks. Security researchers subsequently linked these attacks to a broader, yearlong campaign that targeted not just Israelis but Palestinians as well. and as discovered later, even the U.S. and UK governments. Further research revealed a connection between these attacks and members of the so-called “Gaza Hackers Team.” We refer to this campaign as “Molerats.”

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Molerats.

Known Synonyms
ALUMINUM SARATOGA
BLACKSTEM
Extreme Jackal
G0021
Gaza Cybergang
Gaza Hackers Team
Gaza cybergang
Moonlight
Operation Molerats
Internal MISP references

UUID f7c2e501-73b1-400f-a5d9-2e2e07b7dfde which can be used as unique global reference for Molerats in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor Palestine
cfr-suspected-victims ['United States', 'Israel', 'Palestine', 'Middle East', 'Europe']
cfr-target-category ['Government', 'Defense', 'Energy', 'Finance', 'Healthcare', 'Pharmaceuticals', 'Education', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Military']
cfr-type-of-incident Espionage
country PS
Related clusters

To see the related clusters, click here.

PROMETHIUM

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PROMETHIUM.

Known Synonyms
G0056
StrongPity
Internal MISP references

UUID 43894e2a-174e-4931-94a8-2296afe8f650 which can be used as unique global reference for PROMETHIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country TR
Related clusters

To see the related clusters, click here.

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NEODYMIUM.

Known Synonyms
G0055
Internal MISP references

UUID ada08ea8-4517-4eea-aff1-3ad69e5466bb which can be used as unique global reference for NEODYMIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Packrat

A threat group that has been active for at least seven years has used malware, phishing and disinformation tactics to target activists, journalists, politicians and public figures in various Latin American countries. The threat actor, dubbed Packrat based on its preference for remote access Trojans (RATs) and because it has used the same infrastructure for several years, has been analyzed by Citizen Lab researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, and Cyphort researcher Marion Marschalek, best known for her extensive analysis of state-sponsored threats.

Internal MISP references

UUID fe344665-d153-4d31-a32a-1509efde1ca7 which can be used as unique global reference for Packrat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Activists', 'Journalist', 'Political party']

Cadelle

Symantec telemetry identified Cadelle and Chafer activity dating from as far back as July 2014, however, it’s likely that activity began well before this date. Command-and-control (C&C) registrant information points to activity possibly as early as 2011, while executable compilation times suggest early 2012. Their attacks continue to the present day. Symantec estimates that each team is made up of between 5 and 10 people.

Internal MISP references

UUID 03f13462-003c-4296-8784-bccea16710a9 which can be used as unique global reference for Cadelle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR

PassCV

The PassCV group continues to be one of the most successful and active threat groups that leverage a wide array of stolen Authenticode-signing certificates. Snorre Fagerland of Blue Coat Systems first coined the term PassCV in a blog post. His post provides a good introduction to the group and covers some of the older infrastructure, stolen code-signing certificate reuse, and other connections associated with the PassCV malware. There are several clues alluding to the possibility that multiple groups may be utilizing the same stolen signing certificates, but at this time SPEAR believes the current attacks are more likely being perpetrated by a single group employing multiple publicly available Remote Administration Tools (RATs). The PassCV group has been operating with continued success and has already started to expand their malware repertoire into different off-the-shelf RATs and custom code. SPEAR identified eighteen previously undisclosed stolen Authenticode certificates. These certificates were originally issued to companies and individuals scattered across China, Taiwan, Korea, Europe, the United States and Russia. In this post we expand the usage of the term ‘PassCV’ to encompass the malware mentioned in the Blue Coat Systems report, as well as the APT group behind the larger C2 infrastructure and stolen Authenticode certificates. We’d like to share some of our findings as they pertain to the stolen certificates, command and control infrastructure, and some of the newer custom RATs they’ve begun development on.

Internal MISP references

UUID ceae0bc4-eb5f-4184-b949-a6f7d6f0f965 which can be used as unique global reference for PassCV in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

Sath-ı Müdafaa

A Turkish hacking group, Sath-ı Müdafaa, is encouraging individuals to join its DDoS-for-Points platform that features points and prizes for carrying out distributed denial-of-service (DDoS) attacks against a list of predetermined targets. Their DDoS tool also contains a backdoor to hack the hackers. So the overarching motivation and allegiance of the group is not entirely clear.

Internal MISP references

UUID a03e2b4b-617f-4d28-ac4b-9943f792aa22 which can be used as unique global reference for Sath-ı Müdafaa in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country TR
motive Hacktivists-Nationalists

Aslan Neferler Tim

Turkish nationalist hacktivist group that has been active for roughly one year. According to Domaintools, the group’s site has been registered since December 2015, with an active Twitter account since January 2016. The group carries out distributed denial-of-service (DDoS) attacks and defacements against the sites of news organizations and governments perceived to be critical of Turkey’s policies or leadership, and purports to act in defense of Islam

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aslan Neferler Tim.

Known Synonyms
Lion Soldiers Team
Phantom Turk
Internal MISP references

UUID 23410d3f-c359-422d-9a4e-45f8fdf0c84a which can be used as unique global reference for Aslan Neferler Tim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country TR
motive Hacktivists-Nationalists
targeted-sector ['Government, Administration', 'News - Media']

Ayyıldız Tim

Ayyıldız (Crescent and Star) Tim is a nationalist hacking group founded in 2002. It performs defacements and DDoS attacks against the websites of governments that it considers to be repressing Muslim minorities or engaged in Islamophobic policies.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ayyıldız Tim.

Known Synonyms
Crescent and Star
Internal MISP references

UUID ab1771de-25bb-4688-b132-eabb5d6452a1 which can be used as unique global reference for Ayyıldız Tim in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country TR
motive Hacktivists-Nationalists
targeted-sector ['Government, Administration']

TurkHackTeam

Founded in 2004, Turkhackteam is one of Turkey’s oldest and most high-profile hacking collectives. According to a list compiled on Turkhackteam’s forum, the group has carried out almost 30 highly publicized hacking campaigns targeting foreign government and commercial websites, including websites of international corporations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TurkHackTeam.

Known Synonyms
Turk Hack Team
Internal MISP references

UUID 7ae74dc6-ded3-4873-a803-abb4160d10c0 which can be used as unique global reference for TurkHackTeam in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
country TR
motive Hacktivists-Nationalists

Equation Group

The Equation Group is a highly sophisticated threat actor described by its discoverers at Kaspersky Labs as one of the most sophisticated cyber attack groups in the world, operating alongside but always from a position of superiority with the creators of Stuxnet and Flame

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Equation Group.

Known Synonyms
EQGRP
G0020
Tilded Team
Internal MISP references

UUID 7036fb3d-86b7-4d9c-bc66-1e1ead8b7840 which can be used as unique global reference for Equation Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor United States
cfr-suspected-victims ['Iran', 'Afghanistan', 'Syria', 'Yemen', 'Kenya', 'Russia', 'India', 'Mali', 'Algeria', 'United Kingdom', 'Pakistan', 'China', 'Lebanon', 'United Arab Emirates', 'Libya']
cfr-target-category ['Government', 'Military']
cfr-type-of-incident Espionage
country US
Related clusters

To see the related clusters, click here.

Greenbug

Greenbug was discovered targeting a range of organizations in the Middle East including companies in the aviation, energy, government, investment, and education sectors.

Internal MISP references

UUID 47204403-34c9-4d25-a006-296a0939d1a2 which can be used as unique global reference for Greenbug in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR
targeted-sector ['Education', 'Energy', 'Investment', 'Aerospace', 'Government, Administration']
Related clusters

To see the related clusters, click here.

Gamaredon Group

Unit 42 threat researchers have recently observed a threat group distributing new, custom developed malware. We have labelled this threat group the Gamaredon Group and our research shows that the Gamaredon Group has been active since at least 2013. In the past, the Gamaredon Group has relied heavily on off-the-shelf tools. Our new research shows the Gamaredon Group have made a shift to custom-developed malware. We believe this shift indicates the Gamaredon Group have improved their technical capabilities.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gamaredon Group.

Known Synonyms
ACTINIUM
Actinium
Aqua Blizzard
Blue Otso
BlueAlpha
DEV-0157
G0047
IRON TILDEN
PRIMITIVE BEAR
Shuckworm
Trident Ursa
UAC-0010
Winterflounder
Internal MISP references

UUID 1a77e156-76bc-43f5-bdd7-bd67f30fbbbb which can be used as unique global reference for Gamaredon Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ukraine', 'Germany']
cfr-target-category ['Government']
Related clusters

To see the related clusters, click here.

Infy

Infy is a group of suspected Iranian origin. Since early 2013, we have observed activity from a unique threat actor group, which we began to investigate based on increased activities against human right activists in the beginning of 2015. In line5with other research on the campaign, released prior to publication of this document, we have adopted the name “Infy”, which is based on labels used in the infrastructure and its two families of malware agents. Thanks to information we have been able to collect during the course of our research, such as characteristics of the group’s malware and development cycle, our research strongly supports the claim that the Infy group is of Iranian origin and potentially connected to the Iranian state. Amongst a backdrop of other incidents, Infy became one of the most frequently observed agents for attempted malware attacks against Iranian civil society beginning in late 2014, growing in use up to the February 2016 parliamentary election in Iran. After the conclusion of the parliamentary election, the rate of attempted intrusions and new compromises through the Infy agent slowed, but did not end. The trends witnessed in reports from recipients are reinforced through telemetry provided by design failures in more recent versions of the Infy malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Infy.

Known Synonyms
Foudre
Operation Mermaid
Prince of Persia
Internal MISP references

UUID 1671be1b-c844-48f5-84c8-54ac4fe4d71e which can be used as unique global reference for Infy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Israel', 'Iran', 'France', 'China', 'Sweden', 'United States', 'United Kingdom', 'Germany', 'Syria', 'Italy', 'Denmark', 'Canada', 'Russia', 'Saudi Arabia', 'Bahrain']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Activists', 'Civil society']

Sima

Sima is a group of suspected Iranian origin targeting Iranians in diaspora. In February 2016, Iran-focused individuals received messages purporting to be from Human RightsWatch's (HRW) Emergencies Director, requesting that they read an article about Iran pressing Afghanr efugees to fight in Syria. While referencing a real report published by HRW, the links provided for the Director’s biography and article directed the recipient to malware hosted elsewhere. These spear-phishing attempts represent an evolution of Iranian actors based on their social engineering tactics and narrow targeting. Although the messages still had minor grammatical and stylistic errors that would be obvious to a native speaker, the actors demonstrated stronger English-language proficiency than past intrusion sets and a deeper investment in background research prior to the attempt. The actors appropriated a real identity that would be expected to professionally interact with the subject, then offered validation through links to their biography and social media, the former of which itself was malware as well. The bait documents contained a real article relevant to their interests and topic referenced, and the message attempted to address to how it aligned with their professional research or field of employment. The referenced documents sent were malware binaries posing as legitimate files using the common right-to-left filenames tactic in order to conceal the actual file extension. All of these techniques, while common pretexting mechanisms, are a refinement compared to a tendency amongst other groups to simply continually send different forms of generic malware or phishing, in the hopes that one would eventually be successful.

Internal MISP references

UUID 80f9184d-1df3-4ad0-a452-cdb90fe57216 which can be used as unique global reference for Sima in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR

Blue Termite

Blue Termite is a group of suspected Chinese origin active in Japan.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blue Termite.

Known Synonyms
Cloudy Omega
Emdivi
Internal MISP references

UUID a250af72-f66c-4d02-9f36-ab764ce9fe85 which can be used as unique global reference for Blue Termite in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['Japan']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country CN

Groundbait

Groundbait is a group targeting anti-government separatists in the self-declared Donetsk and Luhansk People’s Republics.

Internal MISP references

UUID 8ed5e3f0-ed30-4eb8-bbee-4e221bd76d73 which can be used as unique global reference for Groundbait in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country UA
targeted-sector ['Separatists']

Longhorn

Longhorn has been active since at least 2011. It has used a range of back door Trojans in addition to zero-day vulnerabilities to compromise its targets. Longhorn has infiltrated governments and internationally operating organizations, in addition to targets in the financial, telecoms, energy, aerospace, information technology, education, and natural resources sectors. All of the organizations targeted would be of interest to a nation-state attacker. Longhorn has infected 40 targets in at least 16 countries across the Middle East, Europe, Asia, and Africa. On one occasion a computer in the United States was compromised but, following infection, an uninstaller was launched within hours, which may indicate this victim was infected unintentionally. According to cfr, this threat actor compromises governments, international organizations, academic institutions, and financial, telecommunications, energy, aerospace, information technology, and natural resource industries for espionage purposes. Some of the tools used by this threat actor were released by Wikileaks under the name "Vault 7."

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Longhorn.

Known Synonyms
APT-C-39
Lamberts
PLATINUM TERMINAL
the Lamberts
Internal MISP references

UUID 2f3311cd-8476-4be7-9005-ead920afc781 which can be used as unique global reference for Longhorn in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor United States
cfr-suspected-victims ['Global']
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage
country US
targeted-sector ['Telecoms', 'Aerospace', 'Energy', 'Education', 'Government, Administration', 'Finance', 'News - Media']
Related clusters

To see the related clusters, click here.

Callisto

The Callisto Group is an advanced threat actor whose known targets include military personnel, government officials, think tanks, and journalists in Europe and the South Caucasus. Their primary interest appears to be gathering intelligence related to foreign and security policy in the Eastern Europe and South Caucasus regions.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Callisto.

Known Synonyms
BlueCharlie
COLDRIVER
GOSSAMER BEAR
SEABORGIUM
Star Blizzard
TA446
Internal MISP references

UUID fbd279ab-c095-48dc-ba48-4bece3dd5b0f which can be used as unique global reference for Callisto in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU
targeted-sector ['Government, Administration', 'Military', 'Think Tanks', 'Journalist']
Related clusters

To see the related clusters, click here.

APT32

Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT32.

Known Synonyms
APT 32
APT-32
APT-C-00
ATK17
BISMUTH
Canvas Cyclone
Cobalt Kitty
G0050
Ocean Buffalo
Ocean Lotus
OceanLotus
OceanLotus Group
POND LOACH
Sea Lotus
SeaLotus
TIN WOODLAWN
Internal MISP references

UUID aa29ae56-e54b-47a2-ad16-d3ab0242d5d7 which can be used as unique global reference for APT32 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Vietnam
cfr-suspected-victims ['China', 'Germany', 'United States', 'Vietnam', 'Philippines', 'Association of Southeast Asian Nations']
cfr-target-category ['Government', 'Private sector', 'Civil society']
cfr-type-of-incident Espionage
country VN
targeted-sector ['Dissidents', 'Government, Administration', 'Journalist']
Related clusters

To see the related clusters, click here.

SilverTerrier

As these tools rise and fall in popularity (and more importantly, as detection rates by antivirus vendors improve), SilverTerrier actors have consistently adopted new malware families and shifted to the latest packing tools available.

Internal MISP references

UUID acbfd9e4-f78c-4ae0-9b52-c35ed679e546 which can be used as unique global reference for SilverTerrier in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country NG

WildNeutron

A corporate espionage group has compromised a string of major corporations over the past three years in order to steal confidential information and intellectual property. The gang, which Symantec calls Butterfly, is not-state sponsored, rather financially motivated. It has attacked multi-billion dollar companies operating in the internet, IT software, pharmaceutical, and commodities sectors. Twitter, Facebook, Apple, and Microsoft are among the companies who have publicly acknowledged attacks. Butterfly is technically proficient and well resourced. The group has developed a suite of custom malware tools capable of attacking both Windows and Apple computers, and appears to have used at least one zero-day vulnerability in its attacks. It keeps a low profile and maintains good operational security. After successfully compromising a target organization, it cleans up after itself before moving on to its next target. This group operates at a much higher level than the average cybercrime gang. It is not interested in stealing credit card details or customer databases and is instead focused on high-level corporate information. Butterfly may be selling this information to the highest bidder or may be operating as hackers for hire. Stolen information could also be used for insider-trading purposes.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WildNeutron.

Known Synonyms
Butterfly
Morpho
Sphinx Moth
Internal MISP references

UUID e7df3572-0c96-4968-8e5a-803ef4219762 which can be used as unique global reference for WildNeutron in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PLATINUM.

Known Synonyms
ATK33
G0068
TwoForOne
Internal MISP references

UUID 1fc5671f-5757-43bf-8d6d-a9a93b03713a which can be used as unique global reference for PLATINUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Defense', 'Government, Administration', 'Diplomacy', 'Intelligence', 'Telecoms']
Related clusters

To see the related clusters, click here.

RASPITE

Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE. Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time. RASPITE leverages strategic website compromise to gain initial access to target networks. RASPITE uses the same methodology as DYMALLOY and ALLANITE in embedding a link to a resource to prompt an SMB connection, from which it harvests Windows credentials. The group then deploys install scripts for a malicious service to beacon back to RASPITE-controlled infrastructure, allowing the adversary to remotely access the victim machine.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RASPITE.

Known Synonyms
LeafMiner
Raspite
Internal MISP references

UUID 2c8994ba-367c-46f6-bfb0-390c8760dd9e which can be used as unique global reference for RASPITE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
since 2017
targeted-sector ['Electric']
victimology Electric utility sector

FIN8

FIN8 is a financially motivated group targeting the retail, hospitality and entertainment industries. The actor had previously conducted several tailored spearphishing campaigns using the downloader PUNCHBUGGY and POS malware PUNCHTRACK.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN8.

Known Synonyms
ATK113
G0061
Internal MISP references

UUID a78ae9fe-71cd-4563-9213-7b6260bd9a73 which can be used as unique global reference for FIN8 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Entertainment', 'Hospitality', 'Retail']
Related clusters

To see the related clusters, click here.

El Machete

El Machete is one of these threats that was first publicly disclosed and named by Kaspersky here. We’ve found that this group has continued to operate successfully, predominantly in Latin America, since 2014. All attackers simply moved to new C2 infrastructure, based largely around dynamic DNS domains, in addition to making minimal changes to the malware in order to evade signature-based detection.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular El Machete.

Known Synonyms
APT-C-43
G0095
Machete
machete-apt
Internal MISP references

UUID 827c17e0-c3f5-4ad1-a4f4-30a40ed0a2d3 which can be used as unique global reference for El Machete in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['Venezuela', 'Russia', 'Cuba', 'China', 'Belgium', 'Ecuador', 'Brazil', 'Spain', 'Germany', 'France', 'Colombia', 'Peru', 'Sweden', 'United States', 'Malaysia']
cfr-target-category ['Military', 'Government']
cfr-type-of-incident Espionage
Related clusters

To see the related clusters, click here.

Cobalt

A criminal group dubbed Cobalt is behind synchronized ATM heists that saw machines across Europe, CIS countries (including Russia), and Malaysia being raided simultaneously, in the span of a few hours. The group has been active since June 2016, and their latest attacks happened in July and August.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cobalt.

Known Synonyms
COBALT SPIDER
Cobalt Gang
Cobalt Group
G0080
GOLD KINGSWOOD
Mule Libra
Internal MISP references

UUID 01967480-c49b-4d4a-a7fa-aef0eaf535fe which can be used as unique global reference for Cobalt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA459

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA459.

Known Synonyms
G0062
Internal MISP references

UUID c6472ae1-c6ad-4cf1-8d6e-8c94b94fe314 which can be used as unique global reference for TA459 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
Related clusters

To see the related clusters, click here.

Cyber Berkut

Internal MISP references

UUID 4d9f68ba-cb2b-40bf-ba4b-6a5a9f2e1cf8 which can be used as unique global reference for Cyber Berkut in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RU

Tonto Team

Tonto Team is a Chinese-speaking APT group that has been active since at least 2013. They primarily target military, diplomatic, and infrastructure organizations in Asia and Eastern Europe. The group has been observed using various malware, including the Bisonal RAT and ShadowPad. They employ spear-phishing emails with malicious attachments as their preferred method of distribution.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tonto Team.

Known Synonyms
BRONZE HUNTLEY
COPPER
CactusPete
Earth Akhlut
G0131
KARMA PANDA
PLA Unit 65017
Red Beifang
TAG-74
Internal MISP references

UUID 0ab7c8de-fc23-4793-99aa-7ee336199e26 which can be used as unique global reference for Tonto Team in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Eastern Europe', 'Japan', 'South Korea', 'Taiwan', 'US']
cfr-target-category ['Military', 'Government', 'Private sector']
country CN

Danti

Internal MISP references

UUID fb745fe1-5478-4d47-ad3d-7389fa4a6f77 which can be used as unique global reference for Danti in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

APT5

We have observed one APT group, which we call APT5, particularly focused on telecommunications and technology companies. More than half of the organizations we have observed being targeted or breached by APT5 operate in these sectors. Several times, APT5 has targeted organizations and personnel based in Southeast Asia. APT5 has been active since at least 2007. It appears to be a large threat group that consists of several subgroups, often with distinct tactics and infrastructure. APT5 has targeted or breached organizations across multiple industries, but its focus appears to be on telecommunications and technology companies, especially information about satellite communications. APT5 targeted the network of an electronics firm that sells products for both industrial and military applications. The group subsequently stole communications related to the firm’s business relationship with a national military, including inventories and memoranda about specific products they provided. In one case in late 2014, APT5 breached the network of an international telecommunications company. The group used malware with keylogging capabilities to monitor the computer of an executive who manages the company’s relationships with other telecommunications companies

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT5.

Known Synonyms
BRONZE FLEETWOOD
KEYHOLE PANDA
MANGANESE
Mulberry Typhoon
Poisoned Flight
TEMP.Bottle
Internal MISP references

UUID a47b79ae-7a0c-4308-9efc-294af19cc795 which can be used as unique global reference for APT5 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Electronic', 'Telecoms', 'Technology']
Related clusters

To see the related clusters, click here.

Tick

Tick is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group appears to have close ties to the Chinese National University of Defense and Technology, which is possibly linked to the PLA. This threat actor targets organizations in the critical infrastructure, heavy industry, manufacturing, and international relations sectors for espionage purposes. The attacks appear to be centered on political, media, and engineering sectors. STALKER PANDA has been observed conducting targeted attacks against Japan, Taiwan, Hong Kong, and the United States.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tick.

Known Synonyms
BRONZE BUTLER
G0060
Nian
PLA Unit 61419
REDBALDKNIGHT
STALKER PANDA
Stalker Taurus
Internal MISP references

UUID add6554a-815a-4ac3-9b22-9337b9661ab8 which can be used as unique global reference for Tick in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Japan', 'China', 'Korea (Republic of)', 'Russian Federation']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country CN
targeted-sector ['Infrastructure', 'Industrial', 'Manufacturing', 'Diplomacy', 'News - Media', 'Political party', 'Engineering']
Related clusters

To see the related clusters, click here.

APT26

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT26.

Known Synonyms
BRONZE EXPRESS
JerseyMikes
TECHNETIUM
TURBINE PANDA
Internal MISP references

UUID c097471c-2405-4393-b6d7-afbcb5f0cd11 which can be used as unique global reference for APT26 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN
Related clusters

To see the related clusters, click here.

SABRE PANDA

Internal MISP references

UUID 67adfa07-869f-4052-9d56-b88a51489902 which can be used as unique global reference for SABRE PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

BIG PANDA

Internal MISP references

UUID 06e89270-ca1b-4cd4-85f3-940d23c76766 which can be used as unique global reference for BIG PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

POISONUS PANDA

Internal MISP references

UUID 5bc7382d-ddc6-46d3-96f5-1dbdadbd601c which can be used as unique global reference for POISONUS PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

Ghost Jackal

Internal MISP references

UUID 7ad01582-d6a7-4a40-a0ee-7727e268cd15 which can be used as unique global reference for Ghost Jackal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TEMP.Hermit

Internal MISP references

UUID 73c636ae-e55c-4167-bf40-315789698adb which can be used as unique global reference for TEMP.Hermit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country KP

Mofang

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mofang.

Known Synonyms
BRONZE WALKER
Superman
Internal MISP references

UUID 999f3008-2b2f-467d-ab4d-c5a2fd80b344 which can be used as unique global reference for Mofang in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Myanmar', 'Germany', 'Singapore', 'Canada', 'India', 'United States', 'South Korea']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country CN

CopyKittens

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CopyKittens.

Known Synonyms
G0052
Slayer Kitten
Internal MISP references

UUID 8cca9a1d-66e4-4bc4-ad49-95f759f4c1ae which can be used as unique global reference for CopyKittens in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Israel', 'Jordan', 'Saudi Arabia', 'Germany', 'United States']
cfr-target-category ['Government', 'Private sector', 'Civil society']
cfr-type-of-incident Espionage
country IR
Related clusters

To see the related clusters, click here.

EvilPost

Internal MISP references

UUID 9035bfbf-a73f-4948-9df2-bd893e9cafef which can be used as unique global reference for EvilPost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TEST PANDA

Internal MISP references

UUID cd6ac640-9ae9-4aa9-89cd-89b95be1a3ab which can be used as unique global reference for TEST PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

Madi

Kaspersky Lab and Seculert worked together to sinkhole the Madi Command & Control (C&C) servers to monitor the campaign. Kaspersky Lab and Seculert identified more than 800 victims located in Iran, Israel and select countries across the globe connecting to the C&Cs over the past eight months. Statistics from the sinkhole revealed that the victims were primarily business people working on Iranian and Israeli critical infrastructure projects, Israeli financial institutions, Middle Eastern engineering students, and various government agencies communicating in the Middle East. Common applications and websites that were spied on include accounts on Gmail, Hotmail, Yahoo! Mail, ICQ, Skype, Google+, and Facebook. Surveillance is also performed over integrated ERP/CRM systems, business contracts, and financial management systems.

Internal MISP references

UUID d5dacda0-12c2-4e80-bdf2-1c5019ec40e2 which can be used as unique global reference for Madi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Iran', 'Pakistan', 'Israel', 'United States']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country IR
targeted-sector ['Infrastructure', 'Engineering', 'Government, Administration', 'Finance']

ELECTRIC PANDA

Internal MISP references

UUID 69059ec9-45c9-4961-a07e-6b2f2228f0ce which can be used as unique global reference for ELECTRIC PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

APT4

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT4.

Known Synonyms
BRONZE EDISON
MAVERICK PANDA
PLA Navy
SODIUM
Salmon Typhoon
Internal MISP references

UUID 8e28dbee-4e9e-4491-9a6c-ee9c9ec4b28b which can be used as unique global reference for APT4 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'United Kingdom', 'Hong Kong']
cfr-target-category ['Private sector', 'Military']
cfr-type-of-incident Espionage
country CN

Kimsuky

This threat actor targets South Korean think tanks, industry, nuclear power operators, and the Ministry of Unification for espionage purposes.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kimsuky.

Known Synonyms
APT43
Black Banshee
Emerald Sleet
G0086
Operation Stolen Pencil
THALLIUM
Thallium
Velvet Chollima
Internal MISP references

UUID bcaaad6f-0597-4b89-b69b-84a6be2b7bc3 which can be used as unique global reference for Kimsuky in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Korea (Democratic People's Republic of)
cfr-suspected-victims ['Ministry of Unification', 'Sejong Institute', 'Korea Institute for Defense Analyses', 'Germany']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country KP
targeted-sector ['Research - Innovation', 'Energy', 'Defense', 'Diplomacy', 'Academia - University ', 'News - Media']
Related clusters

To see the related clusters, click here.

Snake Wine

While investigating some of the smaller name servers that APT28/Sofacy routinely use to host their infrastructure, Cylance discovered another prolonged campaign that appeared to exclusively target Japanese companies and individuals that began around August 2016. The later registration style was eerily close to previously registered APT28 domains, however, the malware used in the attacks did not seem to line up at all. During the course of our investigation, JPCERT published this analysis of one of the group’s backdoors. Cylance tracks this threat group internally as ‘Snake Wine’. The Snake Wine group has proven to be highly adaptable and has continued to adopt new tactics in order to establish footholds inside victim environments. The exclusive interest in Japanese government, education, and commerce will likely continue into the future as the group is just starting to build and utilize their existing current attack infrastructure.

Internal MISP references

UUID 7b6ba207-94de-4f94-bc7f-52cd0dafade5 which can be used as unique global reference for Snake Wine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Careto

This threat actor targets governments, diplomatic missions, private companies in the energy sector, and academics for espionage purposes. The Mask is an advanced threat actor that has been involved in cyber-espionage operations since at least 2007. The name "Mask" comes from the Spanish slang word "Careto" ("Ugly Face" or “Mask”) which the authors included in some of the malware modules. More than 380 unique victims in 31 countries have been observed to date.What makes “The Mask” special is the complexity of the toolset used by the attackers. This includes an extremely sophisticated malware, a rootkit, a bootkit, 32-and 64-bit Windows versions, Mac OS X and Linux versions and possibly versions for Android and iPad/iPhone (Apple iOS).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Careto.

Known Synonyms
Mask
The Mask
Ugly Face
Internal MISP references

UUID 069ba781-b2d9-4403-9d9d-c599f5e0181d which can be used as unique global reference for Careto in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Spain
cfr-suspected-victims ['Morocco', 'France', 'Libya', 'Venezuela', 'Poland', 'Brazil', 'Spain', 'United States', 'South Africa', 'Tunisia', 'United Kingdom', 'Switzerland', 'Iran', 'Germany']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country ES

GIBBERISH PANDA

Internal MISP references

UUID b07cf296-7ab9-4b85-a07e-421607c212b0 which can be used as unique global reference for GIBBERISH PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

OnionDog

This threat actor targets the South Korean government, transportation, and energy sectors.

Internal MISP references

UUID 5898e11e-a023-464d-975c-b36fb1639e69 which can be used as unique global reference for OnionDog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['South Korea']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country KP

Clever Kitten

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Clever Kitten.

Known Synonyms
Group 41
Internal MISP references

UUID d56c99fa-4710-472c-81a6-41b7a84ea4be which can be used as unique global reference for Clever Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR
Related clusters

To see the related clusters, click here.

ANDROMEDA SPIDER

Internal MISP references

UUID e85ab78c-5e86-403c-b444-9cdcc167fb77 which can be used as unique global reference for ANDROMEDA SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cyber Caliphate Army

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber Caliphate Army.

Known Synonyms
CCA
CyberCaliphate
Islamic State Hacking Division
UUC
United Cyber Caliphate
Internal MISP references

UUID 76f6ad4e-2ff3-4ccb-b81d-18162f290af0 which can be used as unique global reference for Cyber Caliphate Army in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MAGNETIC SPIDER

Internal MISP references

UUID 430ba885-cd24-492e-804c-815176ed9b1e which can be used as unique global reference for MAGNETIC SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country RU

SINGING SPIDER

Internal MISP references

UUID 769bf551-ff39-4f84-b7f2-654a28df1e50 which can be used as unique global reference for SINGING SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cyber fighters of Izz Ad-Din Al Qassam

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber fighters of Izz Ad-Din Al Qassam.

Known Synonyms
Fraternal Jackal
Internal MISP references

UUID 22c2b363-5d8f-4b04-96db-1b6cf4d7e8db which can be used as unique global reference for Cyber fighters of Izz Ad-Din Al Qassam in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR

APT6

The FBI issued a rare bulletin admitting that a group named Advanced Persistent Threat 6 (APT6) hacked into US government computer systems as far back as 2011 and for years stole sensitive data. The FBI alert was issued in February and went largely unnoticed. Nearly a month later, security experts are now shining a bright light on the alert and the mysterious group behind the attack. “This is a rare alert and a little late, but one that is welcomed by all security vendors as it offers a chance to mitigate their customers and also collaborate further in what appears to be an ongoing FBI investigation,” said Deepen Desai, director of security research at the security firm Zscaler in an email to Threatpost. Details regarding the actual attack and what government systems were infected are scant. Government officials said they knew the initial attack occurred in 2011, but are unaware of who specifically is behind the attacks. “Given the nature of malware payload involved and the duration of this compromise being unnoticed – the scope of lateral movement inside the compromised network is very high possibly exposing all the critical systems,”Deepen said.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT6.

Known Synonyms
1.php Group
Internal MISP references

UUID 1a2592a3-eab7-417c-bf2d-9c0558c2b3e7 which can be used as unique global reference for APT6 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

AridViper

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular AridViper.

Known Synonyms
APT-C-23
Arid Viper
DESERTVARNISH
Desert Falcon
Renegade Jackal
UNC718
Internal MISP references

UUID 0cfff0f4-868c-40a1-b9b4-0d153c0b33b6 which can be used as unique global reference for AridViper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor Palestine
cfr-suspected-victims ['United States', 'Israel', 'Palestine', 'Middle East', 'Europe']
cfr-target-category ['Government', 'Defense', 'Energy', 'Finance', 'Education', 'High-Tech', 'Telecoms', 'Transportation', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Military']
cfr-type-of-incident Espionage
country PS

DEXTOROUS SPIDER

Internal MISP references

UUID 445c7b62-028b-455e-9d65-74899b7006a4 which can be used as unique global reference for DEXTOROUS SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Unit 8200

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Unit 8200.

Known Synonyms
Duqu Group
Internal MISP references

UUID e9a6cbd7-ca27-4894-ae20-9d11c06fdc02 which can be used as unique global reference for Unit 8200 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Israel
cfr-suspected-victims ['Iran', 'Sudan']
cfr-target-category ['Military', 'Government', 'Private sector']
cfr-type-of-incident Espionage
country IL

White Bear

As a part of our Kaspersky APT Intelligence Reporting subscription, customers received an update in mid-February 2017 on some interesting APT activity that we called WhiteBear. Much of the contents of that report are reproduced here. WhiteBear is a parallel project or second stage of the Skipper Turla cluster of activity documented in another private intelligence report “Skipper Turla – the White Atlas framework” from mid-2016. Like previous Turla activity, WhiteBear leverages compromised websites and hijacked satellite connections for command and control (C2) infrastructure. As a matter of fact, WhiteBear infrastructure has overlap with other Turla campaigns, like those deploying Kopiluwak, as documented in “KopiLuwak – A New JavaScript Payload from Turla” in December 2016. WhiteBear infected systems maintained a dropper (which was typically signed) as well as a complex malicious platform which was always preceded by WhiteAtlas module deployment attempts. However, despite the similarities to previous Turla campaigns, we believe that WhiteBear is a distinct project with a separate focus. We note that this observation of delineated target focus, tooling, and project context is an interesting one that also can be repeated across broadly labeled Turla and Sofacy activity. From February to September 2016, WhiteBear activity was narrowly focused on embassies and consular operations around the world. All of these early WhiteBear targets were related to embassies and diplomatic/foreign affair organizations. Continued WhiteBear activity later shifted to include defense-related organizations into June 2017. When compared to WhiteAtlas infections, WhiteBear deployments are relatively rare and represent a departure from the broader Skipper Turla target set. Additionally, a comparison of the WhiteAtlas framework to WhiteBear components indicates that the malware is the product of separate development efforts. WhiteBear infections appear to be preceded by a condensed spearphishing dropper, lack Firefox extension installer payloads, and contain several new components signed with a new code signing digital certificate, unlike WhiteAtlas incidents and modules.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular White Bear.

Known Synonyms
Skipper Turla
Internal MISP references

UUID dc6c6cbc-9dc6-4ace-a2d2-fadefe45cce6 which can be used as unique global reference for White Bear in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['United States', 'South Korea', 'United Kingdom', 'Uzbekistan']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country RU

PALE PANDA

Internal MISP references

UUID 43992f81-fd29-4228-94e0-c3aa3e65aab7 which can be used as unique global reference for PALE PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

Mana Team

Internal MISP references

UUID 110792e8-38d2-4df2-9ea3-08b60321e994 which can be used as unique global reference for Mana Team in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country CN

Sowbug

Sowbug has been conducting highly targeted cyber attacks against organizations in South America and Southeast Asia and appears to be heavily focused on foreign policy institutions and diplomatic targets. Sowbug has been seen mounting classic espionage attacks by stealing documents from the organizations it infiltrates.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sowbug.

Known Synonyms
G0054
Internal MISP references

UUID 1ca3b039-404e-4132-88c2-4e41235cd2f5 which can be used as unique global reference for Sowbug in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['Argentina', 'Ecuador', 'Brazil', 'Brunei', 'Peru', 'Malaysia']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
Related clusters

To see the related clusters, click here.

MuddyWater

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MuddyWater.

Known Synonyms
ATK51
Boggy Serpens
COBALT ULSTER
Earth Vetala
G0069
MERCURY
Mango Sandstorm
Seedworm
Static Kitten
TA450
TEMP.Zagros
Internal MISP references

UUID a29af069-03c3-4534-b78b-7d1a77ea085b which can be used as unique global reference for MuddyWater in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Saudi Arabia', 'Georgia', 'Turkey', 'Iraq', 'Israel', 'India', 'United Arab Emirates', 'Pakistan', 'United States']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
country IR
Related clusters

To see the related clusters, click here.

MoneyTaker

In less than two years, this group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Given the wide usage of STAR in LATAM, financial institutions in LATAM could have particular exposure to a potential interest from the MoneyTaker group.

Internal MISP references

UUID 7d78ec00-dfdc-4a80-a4da-63f1ae63bd7f which can be used as unique global reference for MoneyTaker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Dark Caracal

Lookout and Electronic Frontier Foundation (EFF) have discovered Dark Caracal, a persistent and prolific actor, who at the time of writing is believed to be administered out of a building belonging to the Lebanese General Security Directorate in Beirut. At present, we have knowledge of hundreds of gigabytes of exfiltrated data, in 21+ countries, across thousands of victims. Stolen data includes enterprise intellectual property and personally identifiable information.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Dark Caracal.

Known Synonyms
G0070
Internal MISP references

UUID 3d449c83-4426-431a-b06a-cb4f8a0fca94 which can be used as unique global reference for Dark Caracal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country LB

Nexus Zeta

Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.

Internal MISP references

UUID 8c21ce09-33c3-412c-bb55-323765e89a60 which can be used as unique global reference for Nexus Zeta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

APT37

APT37 has likely been active since at least 2012 and focuses on targeting the public and private sectors primarily in South Korea. In 2017, APT37 expanded its targeting beyond the Korean peninsula to include Japan, Vietnam and the Middle East, and to a wider range of industry verticals, including chemicals, electronics, manufacturing, aerospace, automotive and healthcare entities

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT37.

Known Synonyms
APT 37
ATK4
G0067
Group 123
Group123
InkySquid
Moldy Pisces
Operation Daybreak
Operation Erebus
Reaper
Reaper Group
Red Eyes
Ricochet Chollima
ScarCruft
Venus 121
Internal MISP references

UUID 50cd027f-df14-40b2-aa22-bf5de5061163 which can be used as unique global reference for APT37 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Korea (Democratic People's Republic of)
cfr-suspected-victims ['Republic of Korea', 'Japan', 'Vietnam']
cfr-target-category ['Government', 'Private sector']
country KP
Related clusters

To see the related clusters, click here.

APT40

Leviathan is an espionage actor targeting organizations and high-value targets in defense and government. Active since at least 2014, this actor has long-standing interest in maritime industries, naval defense contractors, and associated research institutions in the United States and Western Europe.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT40.

Known Synonyms
ATK29
BRONZE MOHAWK
G0065
GADOLINIUM
Gingham Typhoon
ISLANDDREAMS
ITG09
KRYPTONITE PANDA
Leviathan
MUDCARP
Red Ladon
TA423
TEMP.Jumper
TEMP.Periscope
Internal MISP references

UUID 5b4b6980-3bc7-11e8-84d6-879aaac37dd9 which can be used as unique global reference for APT40 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'Hong Kong', 'The Philippines', 'Asia Pacific Economic Cooperation', 'Cambodia', 'Belgium', 'Germany', 'Philippines', 'Malaysia', 'Norway', 'Saudi Arabia', 'Switzerland', 'United Kingdom']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country CN
Related clusters

To see the related clusters, click here.

APT35

FireEye has identified APT35 operations dating back to 2014. APT35, also known as the Newscaster Team, is a threat group sponsored by the Iranian government that conducts long term, resource-intensive operations to collect strategic intelligence. APT35 typically targets U.S. and the Middle Eastern military, diplomatic and government personnel, organizations in the media, energy and defense industrial base (DIB), and engineering, business services and telecommunications sectors.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT35.

Known Synonyms
COBALT MIRAGE
G0059
Magic Hound
Mint Sandstorm
Newscaster Team
Phosphorus
TunnelVision
Internal MISP references

UUID b8967b3c-3bc9-11e8-8701-8b1ead8c099e which can be used as unique global reference for APT35 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR
Related clusters

To see the related clusters, click here.

Orangeworm

Symantec has identified a previously unknown group called Orangeworm that has been observed installing a custom backdoor called Trojan.Kwampirs within large international corporations that operate within the healthcare sector in the United States, Europe, and Asia. First identified in January 2015, Orangeworm has also conducted targeted attacks against organizations in related industries as part of a larger supply-chain attack in order to reach their intended victims. Known victims include healthcare providers, pharmaceuticals, IT solution providers for healthcare and equipment manufacturers that serve the healthcare industry, likely for the purpose of corporate espionage.

Internal MISP references

UUID 35d71626-4794-11e8-b74d-bbcbe48fee3c which can be used as unique global reference for Orangeworm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ALLANITE

Adversaries abusing ICS (based on Dragos Inc adversary list). ALLANITE accesses business and industrial control (ICS) networks, conducts reconnaissance, and gathers intelligence in United States and United Kingdom electric utility sectors. Dragos assesses with moderate confidence that ALLANITE operators continue to maintain ICS network access to: (1) understand the operational environment necessary to develop disruptive capabilities, (2) have ready access from which to disrupt electric utilities. ALLANITE uses email phishing campaigns and compromised websites called watering holes to steal credentials and gain access to target networks, including collecting and distributing screenshots of industrial control systems. ALLANITE operations limit themselves to information gathering and have not demonstrated any disruptive or damaging capabilities. ALLANITE conducts malware-less operations primarily leveraging legitimate and available tools in the Windows operating system.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ALLANITE.

Known Synonyms
Allanite
Palmetto Fusion
Internal MISP references

UUID a9000eaf-2b75-4ec7-8dcf-fe1bb5c77470 which can be used as unique global reference for ALLANITE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
capabilities Powershell scripts, THC Hydra, SecretsDump, Inveigh, PSExec
mode-of-operation Watering-hole and phishing leading to ICS recon and screenshot collection
since 2017
victimology Electric utilities, US and UK
Related clusters

To see the related clusters, click here.

CHRYSENE

Adversaries abusing ICS (based on Dragos Inc adversary list). This threat actor targets organizations involved in oil, gas, and electricity production, primarily in the Gulf region, for espionage purposes. According to one cybersecurity company, the threat actor “compromises a target machine and passes it off to another threat actor for further exploitation.”

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular CHRYSENE.

Known Synonyms
Greenbug
OilRig
Internal MISP references

UUID a0082cfa-32e2-42b8-92d8-5c7a7409dcf1 which can be used as unique global reference for CHRYSENE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
capabilities Watering holes, 64-bit malware, covert C2 via IPv6 DNS, ISMDOOR
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['Iraq', 'United Kingdom', 'Pakistan', 'Israel']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
mode-of-operation IT compromise, information gathering and recon against industrial orgs
since 2017
victimology Oil and Gas, Manufacturing, Europe, MENA, North America
Related clusters

To see the related clusters, click here.

ZooPark

ZooPark is a cyberespionage operation that has been focusing on Middle Eastern targets since at least June 2015. The threat actors behind ZooPark infect Android devices using several generations of malware we label from v1-v4, with v4 being the most recent version deployed in 2017.

Internal MISP references

UUID 4defbf2e-4f73-11e8-807f-578d61da7568 which can be used as unique global reference for ZooPark in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RANCOR

The Rancor group’s attacks use two primary malware families which are naming DDKONG and PLAINTEE. DDKONG is used throughout the campaign and PLAINTEE appears to be new addition to these attackers’ toolkit. Countries Unit 42 has identified as targeted by Rancor with these malware families include, but are not limited to Singapore and Cambodia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RANCOR.

Known Synonyms
G0075
Rancor
Rancor Group
Rancor Taurus
Rancor group
Internal MISP references

UUID 79c7c7e0-79d5-11e8-9b9c-1ff96be20c0b which can be used as unique global reference for RANCOR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Singapore', 'Cambodia']
cfr-target-category ['Government', 'Civil society']
cfr-type-of-incident Espionage
country CN

The Big Bang

While it is not clear exactly what the attacker is looking for, what is clear is that once he finds it, a second stage of the attack awaits, fetching additional modules and/or malware from the Command and Control server. This then is a surveillance attack in progress and has been dubbed ‘Big Bang’ due to the attacker’s fondness for the ‘Big Bang Theory’ TV show, after which some of the malware’s modules are named.

Internal MISP references

UUID a3cc5105-3bc6-498b-8d53-981e12d86909 which can be used as unique global reference for The Big Bang in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

The Gorgon Group

Unit 42 researchers have been tracking Subaat, an attacker, since 2017. Recently Subaat drew our attention due to renewed targeted attack activity. Part of monitoring Subaat included realizing the actor was possibly part of a larger crew of individuals responsible for carrying out targeted attacks against worldwide governmental organizations. Technical analysis on some of the attacks as well as attribution links with Pakistan actors have been already depicted by 360 and Tuisec, in which they found interesting connections to a larger group of attackers Unit 42 researchers have been tracking, which we are calling Gorgon Group.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular The Gorgon Group.

Known Synonyms
ATK92
G0078
Gorgon Group
Pasty Gemini
Subaat
Internal MISP references

UUID e47c2c4d-706b-4098-92a2-b93e7103e131 which can be used as unique global reference for The Gorgon Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DarkHydrus

In July 2018, Unit 42 analyzed a targeted attack using a novel file type against at least one government agency in the Middle East. It was carried out by a previously unpublished threat group we track as DarkHydrus. Based on our telemetry, we were able to uncover additional artifacts leading us to believe this adversary group has been in operation with their current playbook since early 2016. This attack diverged from previous attacks we observed from this group as it involved spear-phishing emails sent to targeted organizations with password protected RAR archive attachments that contained malicious Excel Web Query files (.iqy).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DarkHydrus.

Known Synonyms
G0079
LazyMeerkat
Obscure Serpens
Internal MISP references

UUID ce2c2dfd-2445-4fbc-a747-9e7092e383f9 which can be used as unique global reference for DarkHydrus in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RedAlpha

Recorded Future’s Insikt Group has identified two new cyberespionage campaigns targeting the Tibetan Community over the past two years. The campaigns, which we are collectively naming RedAlpha, combine light reconnaissance, selective targeting, and diverse malicious tooling. We discovered this activity as the result of pivoting off of a new malware sample observed targeting the Tibetan community based in India.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedAlpha.

Known Synonyms
DeepCliff
Red Dev 3
Internal MISP references

UUID 71a3b962-9a36-11e8-88f8-b31d20c6fa2a which can be used as unique global reference for RedAlpha in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TempTick

This threat actor targets organizations in the finance, defense, aerospace, technology, health-care, and automotive sectors and media organizations in East Asia for the purpose of espionage. Believed to be responsible for the targeting of South Korean actors prior to the meeting of Donald J. Trump and Kim Jong-un

Internal MISP references

UUID 3f3ff6de-a6a7-11e8-92b4-3743eb1c7762 which can be used as unique global reference for TempTick in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['South Korea', 'Japan']
cfr-target-category ['Government', 'Private sector']
country CN

Operation Parliament

This threat actor uses spear-phishing techniques to target parliaments, government ministries, academics, and media organizations, primarily in the Middle East, for the purpose of espionage. Based on our findings, we believe the attackers represent a previously unknown geopolitically motivated threat actor. The campaign started in 2017, with the attackers doing just enough to achieve their goals. They most likely have access to additional tools when needed and appear to have access to an elaborate database of contacts in sensitive organizations and personnel worldwide, especially of vulnerable and non-trained staff. The victim systems range from personal desktop or laptop systems to large servers with domain controller roles or similar. The nature of the targeted ministries varied, including those responsible for telecommunications, health, energy, justice, finance and so on. Operation Parliament appears to be another symptom of escalating tensions in the Middle East region. The attackers have taken great care to stay under the radar, imitating another attack group in the region. They have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their command and control servers. The targeting seems to have slowed down since the beginning of 2018, probably winding down when the desired data or access was obtained. The targeting of specific victims is unlike previously seen behavior in regional campaigns by Gaza Cybergang or Desert Falcons and points to an elaborate information-gathering exercise that was carried out before the attacks (physical and/or digital). With deception and false flags increasingly being employed by threat actors, attribution is a hard and complicated task that requires solid evidence, especially in complex regions such as the Middle East.

Internal MISP references

UUID e20e8eb8-a6b4-11e8-8a92-6ba6e7540c6d which can be used as unique global reference for Operation Parliament in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['Palestine', 'United Arab Emirates', 'Qatar', 'Somalia', 'Syria', 'Canada', 'Germany', 'Serbia', 'Kuwait', 'Egypt', 'Saudi Arabia', 'Chile', 'Iraq', 'India', 'United States', 'Israel', 'Russia', 'South Korea', 'Jordan', 'Djibouti', 'Lebonon', 'Morocco', 'Iran', 'United Kingdom', 'Afghanistan', 'Oman', 'Denmark']
cfr-target-category ['Government', 'Civil society']
cfr-type-of-incident Espionage

Inception Framework

This threat actor uses spear-phishing techniques to target private-sector energy, defense, aerospace, research, and media organizations and embassies in Africa, Europe, and the Middle East, for the purpose of espionage.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Inception Framework.

Known Synonyms
ATK116
Blue Odin
Clean Ursa
Cloud Atlas
G0100
OXYGEN
Internal MISP references

UUID 71ef51ca-a791-11e8-a026-07980ca910ca which can be used as unique global reference for Inception Framework in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['Afghanistan', 'Armenia', 'Azerbaijan', 'Belarus', 'Belgium', 'Czech Republic', 'Greece', 'India', 'Iran', 'Italy', 'Kazakhstan', 'Kenya', 'Malaysia', 'Russia', 'South Africa', 'Suriname', 'Turkmenistan', 'Ukraine', 'United Kingdom', 'United States', 'Vietnam']
cfr-target-category ['Government', 'Private sector']
cfr-type-of-incident Espionage
country RU

HenBox

This threat actor targets Uighurs—a minority ethnic group located primarily in northwestern China—and devices from Chinese mobile phone manufacturer Xiaomi, for espionage purposes.

Internal MISP references

UUID 36ee04f4-a9df-11e8-b92b-d7ddfd3a8896 which can be used as unique global reference for HenBox in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Uighurs']
cfr-target-category ['Civil society']
cfr-type-of-incident Espionage
country CN

MUSTANG PANDA

This threat actor targets nongovernmental organizations using Mongolian-themed lures for espionage purposes. In April 2017, CrowdStrike Falcon Intelligence observed a previously unattributed actor group with a Chinese nexus targeting a U.S.-based think tank. Further analysis revealed a wider campaign with unique tactics, techniques, and procedures (TTPs). This adversary targets non-governmental organizations (NGOs) in general, but uses Mongolian language decoys and themes, suggesting this actor has a specific focus on gathering intelligence on Mongolia. These campaigns involve the use of shared malware like Poison Ivy or PlugX. Recently, Falcon Intelligence observed new activity from MUSTANG PANDA, using a unique infection chain to target likely Mongolia-based victims. This newly observed activity uses a series of redirections and fileless, malicious implementations of legitimate tools to gain access to the targeted systems. Additionally, MUSTANG PANDA actors reused previously-observed legitimate domains to host files.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MUSTANG PANDA.

Known Synonyms
BASIN
BRONZE PRESIDENT
Earth Preta
HoneyMyte
LuminousMoth
Polaris
Red Lich
Stately Taurus
TA416
TANTALUM
TEMP.HEX
Twill Typhoon
Internal MISP references

UUID 78bf726c-a9e6-11e8-9e43-77249a2f7339 which can be used as unique global reference for MUSTANG PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'Germany']
cfr-target-category ['Civil society']
cfr-type-of-incident Espionage
country CN

Thrip

This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Thrip.

Known Synonyms
ATK78
G0076
Internal MISP references

UUID 98be4300-a9ef-11e8-9a95-bb9221083cfc which can be used as unique global reference for Thrip in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Unknown
cfr-suspected-victims ['United States']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage

Stealth Mango and Tangelo

This threat actor targets organizations in the satellite communications, telecommunications, geospatial-imaging, and defense sectors in the United States and Southeast Asia for espionage purposes.

Internal MISP references

UUID f82b352e-a9f8-11e8-8be8-fbcf6eddd58c which can be used as unique global reference for Stealth Mango and Tangelo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Pakistan
cfr-suspected-victims ['Pakistan', 'Iraq', 'Australia', 'Afghanistan', 'United Arab Emirates', 'Germany', 'India', 'United States']
cfr-target-category ['Government', 'Civil society']
cfr-type-of-incident Espionage
country PK

PowerPool

Malware developers have started to use the zero-day exploit for Task Scheduler component in Windows, two days after proof-of-concept code for the vulnerability appeared online.

A security researcher who uses the online name SandboxEscaper on August 27 released the source code for exploiting a security bug in the Advanced Local Procedure Call (ALPC) interface used by Windows Task Scheduler.

More specifically, the problem is with the SchRpcSetSecurity API function, which fails to properly check user's permissions, allowing write privileges on files in C:\Windows\Task.

The vulnerability affects Windows versions 7 through 10 and can be used by an attacker to escalate their privileges to all-access SYSTEM account level.

A couple of days after the exploit code became available (source and binary), malware researchers at ESET noticed its use in active malicious campaigns from a threat actor they call PowerPool, because of their tendency to use tools mostly written in PowerShell for lateral movement.

The group appears to have a small number of victims in the following countries: Chile, Germany, India, the Philippines, Poland, Russia, the United Kingdom, the United States, and Ukraine.

The researchers say that PowerPool developers did not use the binary version of the exploit, deciding instead to make some subtle changes to the source code before recompiling it.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PowerPool.

Known Synonyms
IAmTheKing
Internal MISP references

UUID abd89986-b1b0-11e8-b857-efe290264006 which can be used as unique global reference for PowerPool in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bahamut

Bahamut is a threat actor primarily operating in Middle East and Central Asia, suspected to be a private contractor to several state sponsored actors. They were observed conduct phishing as well as desktop and mobile malware campaigns.

Internal MISP references

UUID dc3edacc-bb24-11e8-81fb-8c16458922a7 which can be used as unique global reference for Bahamut in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Iron Group

Iron group has developed multiple types of malware (backdoors, crypto-miners, and ransomware) for Windows, Linux and Android platforms. They have used their malware to successfully infect, at least, a few thousand victims.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Iron Group.

Known Synonyms
Iron Cyber Group
Internal MISP references

UUID 6a0ea861-229a-45a6-98f5-228f69b43905 which can be used as unique global reference for Iron Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation BugDrop

This threat actor targets critical infrastructure entities in the oil and gas sector, primarily in Ukraine. The threat actors deploy the BugDrop malware to remotely access the microphones in their targets' computers to eavesdrop on conversations.

Internal MISP references

UUID 75ae52b2-bca3-11e8-af90-a78f33eee6c1 which can be used as unique global reference for Operation BugDrop in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['Ukraine', 'Austria', 'Russia', 'Saudi Arabia']
cfr-target-category ['Private sector']
cfr-type-of-incident Espionage
country RU

Unnamed Actor

This threat actor compromises civil society groups the Chinese Communist Party views as hostile to its interests, such as Tibetan, Uyghur, Hong Kong, and Taiwanese activist. The threat actor also targeted the Myanmar electoral commission.

Internal MISP references

UUID bea5e256-bcc0-11e8-a478-bbf7e7585a1e which can be used as unique global reference for Unnamed Actor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['China', 'Myanmar', 'Hong Kong', 'Taiwan']
cfr-target-category ['Civil society', 'Government']
cfr-type-of-incident Espionage
country CN

MageCart

Digital threat management company RiskIQ tracks the activity of MageCart group and reported their use of web-based card skimmers since 2016.

Internal MISP references

UUID 0768fd50-c547-11e8-9aa5-776183769eab which can be used as unique global reference for MageCart in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Domestic Kitten

An extensive surveillance operation targets specific groups of individuals with malicious mobile apps that collect sensitive information on the device along with surrounding voice recordings. Researchers with CheckPoint discovered the attack and named it Domestic Kitten. The targets are Kurdish and Turkish natives, and ISIS supporters, all Iranian citizens.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Domestic Kitten.

Known Synonyms
APT-C-50
Bouncing Golf
Internal MISP references

UUID dda1b28e-c558-11e8-8666-27cf61d1d7ee which can be used as unique global reference for Domestic Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

FASTCash

Treasury has identified a sophisticated cyber-enabled ATM cash out campaign we are calling FASTCash. FASTCash has been active since late 2016 targeting banks in Africa and Asia to remotely compromise payment switch application servers within banks to facilitate fraudulent transactions, primarily involving ATMs, to steal cash equivalent to tens of millions of dollars. FBI has attributed malware used in this campaign to the North Korean government. We expect FASTCash to continue targeting retail payment systems vulnerable to remote exploitation.

Internal MISP references

UUID e38d32a2-c708-11e8-8785-472c4cfccd85 which can be used as unique global reference for FASTCash in MISP communities and other software using the MISP galaxy

Roaming Mantis

According to new research by Kaspersky's GReAT team, the online criminal activities of the Roaming Mantis Group have continued to evolve since they were first discovered in April 2018. As part of their activities, this group hacks into exploitable routers and changes their DNS configuration. This allows the attackers to redirect the router user's traffic to malicious Android apps disguised as Facebook and Chrome or to Apple phishing pages that were used to steal Apple ID credentials. Recently, Kaspersky has discovered that this group is testing a new monetization scheme by redirecting iOS users to pages that contain the Coinhive in-browser mining script rather than the normal Apple phishing page. When users are redirected to these pages, they will be shown a blank page in the browser, but their CPU utilization will jump to 90% or higher.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Roaming Mantis.

Known Synonyms
Roaming Mantis Group
Internal MISP references

UUID b27beb94-ce25-11e8-8e11-2f1a59bd0e91 which can be used as unique global reference for Roaming Mantis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
threat-actor-classification ['campaign']

GreyEnergy

ESET research reveals a successor to the infamous BlackEnergy APT group targeting critical infrastructure, quite possibly in preparation for damaging attacks

Internal MISP references

UUID d52ca4c4-d214-11e8-8d29-c3e7cb78acce which can be used as unique global reference for GreyEnergy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

The Shadow Brokers

The Shadow Brokers (TSB) is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA, including several zero-day exploits.[1] Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products. The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular The Shadow Brokers.

Known Synonyms
Shadow Brokers
ShadowBrokers
TSB
The ShadowBrokers
Internal MISP references

UUID d5e90854-d5c9-11e8-98b9-1f98eb80d30a which can be used as unique global reference for The Shadow Brokers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

EvilTraffic

Malware experts at CSE Cybsec uncovered a massive malvertising campaign dubbed EvilTraffic leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EvilTraffic.

Known Synonyms
Operation EvilTraffic
Internal MISP references

UUID c2d5a052-dc30-11e8-9643-d76f3b9c94fa which can be used as unique global reference for EvilTraffic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HookAds

HookAds is a malvertising campaign that purchases cheap ad space on low quality ad networks commonly used by adult web sites, online games, or blackhat seo sites. These ads will include JavaScript that redirects a visitor through a serious of decoy sites that look like pages filled with native advertisements, online games, or other low quality pages. Under the right circumstances, a visitor will silently load the Fallout exploit kit, which will try and install its malware payload.

Internal MISP references

UUID dce617eb-a3b6-4a9a-bd76-575c424f9761 which can be used as unique global reference for HookAds in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

INDRIK SPIDER

INDRIK SPIDER is a sophisticated eCrime group that has been operating Dridex since June 2014. In 2015 and 2016, Dridex was one of the most prolific eCrime banking trojans on the market and, since 2014, those efforts are thought to have netted INDRIK SPIDER millions of dollars in criminal profits. Throughout its years of operation, Dridex has received multiple updates with new modules developed and new anti-analysis features added to the malware. In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

Internal MISP references

UUID 658314bc-3bb8-48d2-913a-c528607b75c8 which can be used as unique global reference for INDRIK SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU
Related clusters

To see the related clusters, click here.

DNSpionage

Cisco Talos recently discovered a new campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains, as well as a private Lebanese airline company. Based on our research, it's clear that this adversary spent time understanding the victims' network infrastructure in order to remain under the radar and act as inconspicuous as possible during their attacks. Based on this actor's infrastructure and TTPs, we haven't been able to connect them with any other campaign or actor that's been observed recently. This particular campaign utilizes two fake, malicious websites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which we are calling "DNSpionage," supports HTTP and DNS communication with the attackers. In a separate campaign, the attackers used the same IP to redirect the DNS of legitimate .gov and private company domains. During each DNS compromise, the actor carefully generated Let's Encrypt certificates for the redirected domains. These certificates provide X.509 certificates for TLS free of charge to the user. We don't know at this time if the DNS redirections were successful. In this post, we will break down the attackers' methods and show how they used malicious documents to attempt to trick users into opening malicious websites that are disguised as "help wanted" sites for job seekers. Additionally, we will describe the malicious DNS redirection and the timeline of the events.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DNSpionage.

Known Synonyms
COBALT EDGEWATER
Internal MISP references

UUID 608a903a-8145-4fd1-84bc-235e278480bf which can be used as unique global reference for DNSpionage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DarkVishnya

Dubbed DarkVishnya, the attacks targeted at least eight banks using readily-available gear such as netbooks or inexpensive laptops, Raspberry Pi mini-computers, or a Bash Bunny - a USB-sized piece hardware for penetration testing purposes that can pose as a keyboard, flash storage, network adapter, or as any serial device.

Internal MISP references

UUID db7fd7dd-28f7-4e8d-a807-8405e4b0f4e2 which can be used as unique global reference for DarkVishnya in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Poison Needles

What’s noteworthy is that according to the introduction on the compromised website of the polyclinic (http://www.p2f.ru), the institution was established in 1965 and it was founded by the Presidential Administration of Russia. The multidisciplinary outpatient institution mainly serves the civil servants of the highest executive, legislative, judicial authorities of the Russian Federation, as well as famous figures of science and art. Since it is the first detection of this APT attack by 360 Security on a global scale, we code-named it as “Operation Poison Needles”, considering that the target was a medical institution. Currently, the attribution of the attacker is still under investigation. However, the special background of the polyclinic and the sensitiveness of the group it served both indicate the attack is highly targeted. Simultaneously, the attack occurred at a very sensitive timing of the Kerch Strait Incident, so it also aroused the assumption on the political attribution of the attack.

Internal MISP references

UUID 08ff3cb6-c292-4360-a978-6f05775881ed which can be used as unique global reference for Operation Poison Needles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GC01

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GC01.

Known Synonyms
Golden Chickens
Golden Chickens 01
Golden Chickens01
Internal MISP references

UUID 6bd7c91a-fdf5-11e8-95a8-e712ad4b0a9d which can be used as unique global reference for GC01 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

GC02

From November 2017 to October 2018, we attributed 14 campaigns to the GC threat actors that used a specific MaaS provider (hereinafter “the Provider”) offered by a known individual (hereinafter “the Provider Operator”).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GC02.

Known Synonyms
Golden Chickens
Golden Chickens 02
Golden Chickens02
Internal MISP references

UUID 6d50a8a2-fdf5-11e8-9db3-833f231caac8 which can be used as unique global reference for GC02 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Operation Sharpshooter

The McAfee Advanced Threat Research team and McAfee Labs Malware Operations Group have discovered a new global campaign targeting nuclear, defense, energy, and financial companies, based on McAfee® Global Threat Intelligence. This campaign, Operation Sharpshooter, leverages an in-memory implant to download and retrieve a second-stage implant—which we call Rising Sun—for further exploitation. According to our analysis, the Rising Sun implant uses source code from the Lazarus Group’s 2015 backdoor Trojan Duuzer in a new framework to infiltrate these key industries. Operation Sharpshooter’s numerous technical links to the Lazarus Group seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags. Our research focuses on how this actor operates, the global impact, and how to detect the attack. We shall leave attribution to the broader security community.

Internal MISP references

UUID b06c3af1-0243-4428-88da-b3451c345e1e which can be used as unique global reference for Operation Sharpshooter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

TA505

TA505, the name given by Proofpoint, has been in the cybercrime business for at least four years. This is the group behind the infamous Dridex banking trojan and Locky ransomware, delivered through malicious email campaigns via Necurs botnet. Other malware associated with TA505 include Philadelphia and GlobeImposter ransomware families.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA505.

Known Synonyms
ATK103
CHIMBORAZO
Dudear
G0092
GOLD TAHOE
GRACEFUL SPIDER
Hive0065
SectorJ04
SectorJ04 Group
Spandex Tempest
Internal MISP references

UUID 03c80674-35f8-4fe0-be2b-226ed0fcd69f which can be used as unique global reference for TA505 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Australia', 'Canada', 'Czech Republic', 'Germany', 'Hungary', 'India', 'Japan', 'Romania', 'Serbia', 'Singapore', 'South Korea', 'Spain', 'Thailand', 'Turkey', 'United Kingdom', 'United States']
cfr-target-category ['Education', 'Finance', 'Health', 'Retail', 'Hospitality']
country RU
Related clusters

To see the related clusters, click here.

GRIM SPIDER

GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past. Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD. Grim Spider is reportedly associated with Lunar Spider and Wizard Spider.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GRIM SPIDER.

Known Synonyms
GOLD ULRICK
Internal MISP references

UUID 3cf6dbb5-bf9e-47d4-a8d5-b6d76f5a791f which can be used as unique global reference for GRIM SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

WIZARD SPIDER

Wizard Spider is reportedly associated with Grim Spider and Lunar Spider. The WIZARD SPIDER threat group is the Russia-based operator of the TrickBot banking malware. This group represents a growing criminal enterprise of which GRIM SPIDER appears to be a subset. The LUNAR SPIDER threat group is the Eastern European-based operator and developer of the commodity banking malware called BokBot (aka IcedID), which was first observed in April 2017. The BokBot malware provides LUNAR SPIDER affiliates with a variety of capabilities to enable credential theft and wire fraud, through the use of webinjects and a malware distribution function. GRIM SPIDER is a sophisticated eCrime group that has been operating the Ryuk ransomware since August 2018, targeting large organizations for a high-ransom return. This methodology, known as “big game hunting,” signals a shift in operations for WIZARD SPIDER, a criminal enterprise of which GRIM SPIDER appears to be a cell. The WIZARD SPIDER threat group, known as the Russia-based operator of the TrickBot banking malware, had focused primarily on wire fraud in the past.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WIZARD SPIDER.

Known Synonyms
DEV-0193
DEV-0237
FIN12
GOLD BLACKBURN
Periwinkle Tempest
Pistachio Tempest
Storm-0193
TEMP.MixMaster
Trickbot LLC
UNC2053
Internal MISP references

UUID bdf4fe4f-af8a-495f-a719-cf175cecda1f which can be used as unique global reference for WIZARD SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor Russian Federation
cfr-suspected-victims ['Australia', 'Bahamas', 'Canada', 'Costa Rica', 'France', 'Germany', 'India', 'Ireland', 'Italy', 'Japan', 'Mexico', 'New Zealand', 'Spain', 'Switzerland', 'Taiwan', 'United Kingdom', 'Ukraine', 'United States']
cfr-target-category ['Defense', 'Financial', 'Government', 'Healthcare', 'Telecommunications']
country RU
Related clusters

To see the related clusters, click here.

MUMMY SPIDER

MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture. MUMMY SPIDER does not follow typical criminal behavioral patterns. In particular, MUMMY SPIDER usually conducts attacks for a few months before ceasing operations for a period of between three and 12 months, before returning with a new variant or version. After a 10 month hiatus, MUMMY SPIDER returned Emotet to operation in December 2016 but the latest variant is not deploying a banking Trojan module with web injects, it is currently acting as a ‘loader’ delivering other malware packages. The primary modules perform reconnaissance on victim machines, drop freeware tools for credential collection from web browsers and mail clients and a spam plugin for self-propagation. The malware is also issuing commands to download and execute other malware families such as the banking Trojans Dridex and Qakbot. MUMMY SPIDER advertised Emotet on underground forums until 2015, at which time it became private. Therefore, it is highly likely that Emotet is operate

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MUMMY SPIDER.

Known Synonyms
GOLD CRESTWOOD
TA542
Internal MISP references

UUID c93281be-f6cd-4cd0-a5a3-defde9d77d8b which can be used as unique global reference for MUMMY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

STARDUST CHOLLIMA

Open-source reporting has claimed that the Hermes ransomware was developed by the North Korean group STARDUST CHOLLIMA (activities of which have been public reported as part of the “Lazarus Group”), because Hermes was executed on a host during the SWIFT compromise of FEIB in October 2017.

Internal MISP references

UUID d8e1762a-0063-48c2-9ea1-8d176d14b70f which can be used as unique global reference for STARDUST CHOLLIMA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cold River

In short, “Cold River” is a sophisticated threat (actor) that utilizes DNS subdomain hijacking, certificate spoofing, and covert tunneled command and control traffic in combination with complex and convincing lure documents and custom implants.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cold River.

Known Synonyms
Nahr Elbard
Nahr el bared
Internal MISP references

UUID 7d99d2f7-adf0-44e4-9044-d18ff6842a16 which can be used as unique global reference for Cold River in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Silence group

a relatively new threat actor that’s been operating since mid-2016 Group-IB has exposed the attacks committed by Silence cybercriminal group. While the gang had previously targeted Russian banks, Group-IB experts also have discovered evidence of the group's activity in more than 25 countries worldwide. Group-IB has published its first detailed report on tactics and tools employed by Silence. Group-IB security analysts' hypothesis is that at least one of the gang members appears to be a former or current employee of a cyber security company. The confirmed damage from Silence activity is estimated at 800 000 USD. Silence is a group of Russian-speaking hackers, based on their commands language, the location of infrastructure they used, and the geography of their targets (Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan). Although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia). Furthermore, Silence used Russian words typed on an English keyboard layout for the commands of the employed backdoor. The hackers also used Russian-language web hosting services.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silence group.

Known Synonyms
Silence
WHISPER SPIDER
Internal MISP references

UUID 0d5e17fd-7a71-47fd-b4bc-867cdb833726 which can be used as unique global reference for Silence group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
spoken-language ['rus']

APT39

APT39 was created to bring together previous activities and methods used by this actor, and its activities largely align with a group publicly referred to as "Chafer." However, there are differences in what has been publicly reported due to the variances in how organizations track activity. APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39's targeting scope is global, its activities are concentrated in the Middle East. APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT39.

Known Synonyms
COBALT HICKMAN
Chafer
G0087
REMIX KITTEN
Radio Serpens
TA454
Internal MISP references

UUID c2c64bd3-a325-446f-91a8-b4c0f173a30b which can be used as unique global reference for APT39 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
country IR

Siesta

FireEye recently looked deeper into the activity discussed in TrendMicro’s blog and dubbed the “Siesta” campaign. The tools, modus operandi, and infrastructure used in the campaign present two possibilities: either the Chinese cyber-espionage unit APT1 is perpetrating this activity, or another group is using the same tactics and tools as the legacy APT1. The Siesta campaign reinforces the fact that analysts and network defenders should remain on the lookout for known, public indicators and for shared attributes that allow security experts to detect multiple actors with one signature.

Internal MISP references

UUID 27c97181-b8e9-43e1-93c0-f953cac45326 which can be used as unique global reference for Siesta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gallmaker

Symantec researchers have uncovered a previously unknown attack group that is targeting government and military targets, including several overseas embassies of an Eastern European country, and military and defense targets in the Middle East. This group eschews custom malware and uses living off the land (LotL) tactics and publicly available hack tools to carry out activities that bear all the hallmarks of a cyber espionage campaign. The group, which we have given the name Gallmaker, has been operating since at least December 2017, with its most recent activity observed in June 2018.

Internal MISP references

UUID c79dab01-3f9f-491e-8a5f-6423339c9f76 which can be used as unique global reference for Gallmaker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BOSS SPIDER

Throughout 2018, CrowdStrike Intelligence tracked BOSS SPIDER as it regularly updated Samas ransomware and received payments to known Bitcoin (BTC) addresses. This consistent pace of activity came to an abrupt halt at the end of November 2018 when the U.S. DoJ released an indictment for Iran-based individuals Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, alleged members of the group.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BOSS SPIDER.

Known Synonyms
GOLD LOWELL
Internal MISP references

UUID d6a13387-4c98-4a0c-a516-6c36c081b64c which can be used as unique global reference for BOSS SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

PINCHY SPIDER

First observed in January 2018, GandCrab ransomware quickly began to proliferate and receive regular updates from its developer, PINCHY SPIDER, which over the course of the year established a RaaS operation with a dedicated set of affiliates. CrowdStrike Intelligence has recently observed PINCHY SPIDER affiliates deploying GandCrab ransomware in enterprise environments, using lateral movement techniques and tooling commonly associated with nation-state adversary groups and penetration testing teams. This change in tactics makes PINCHY SPIDER and its affiliates the latest eCrime adversaries to join the growing trend of targeted, low-volume/high-return ransomware deployments known as “big game hunting.” PINCHY SPIDER is the criminal group behind the development of the ransomware most commonly known as GandCrab, which has been active since January 2018. PINCHY SPIDER sells access to use GandCrab ransomware under a partnership program with a limited number of accounts. The program is operated with a 60-40 split in profits (60 percent to the customer), as is common among eCrime actors, but PINCHY SPIDER is also willing to negotiate up to a 70-30 split for “sophisticated” customers.

Internal MISP references

UUID 80f07c15-cad3-44a2-a8a4-dd14490b5117 which can be used as unique global reference for PINCHY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GURU SPIDER

Early in 2018, CrowdStrike Intelligence observed GURU SPIDER supporting the distribution of multiple crimeware families through its flagship malware loader, Quant Loader.

Internal MISP references

UUID 0a667713-bc31-4a72-9ea3-34fc094a9dde which can be used as unique global reference for GURU SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SALTY SPIDER

Beginning in January 2018 and persisting through the first half of the year, CrowdStrike Intelligence observed SALTY SPIDER, developer and operator of the long-running Sality botnet, distribute malware designed to target cryptocurrency users.

Internal MISP references

UUID 7e37be6b-5a94-45f3-bdeb-f494c520eee3 which can be used as unique global reference for SALTY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NOMAD PANDA

In the first quarter of 2018, CrowdStrike Intelligence identified NOMAD PANDA activity targeting Central Asian nations with exploit documents built with the 8.t tool.

Internal MISP references

UUID 4b7df353-fbcc-4f00-a54f-5121c5edb9be which can be used as unique global reference for NOMAD PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Flash Kitten

This suspected Iran-based adversary conducted long-running SWC campaigns from December 2016 until public disclosure in July 2018. Like other Iran-based actors, the target scope for FLASH KITTEN appears to be focused on the MENA region.

Internal MISP references

UUID 6e899dd4-f95e-42a0-a5a3-e57249f017cf which can be used as unique global reference for Flash Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TINY SPIDER

According to CrowdStrike, this actor is using TinyLoader and TinyPOS, potentially buying access through Dridex infections.

Internal MISP references

UUID 89a05f9f-a6dc-4426-8c15-a8d5ef6d8524 which can be used as unique global reference for TINY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

LUNAR SPIDER

According to CrowdStrike, this actor is using BokBok/IcedID, potentially buying distribution through Emotet infections. On March 17, 2019, CrowdStrike Intelligence observed the use of a new BokBot (developed and operated by LUNAR SPIDER) proxy module in conjunction with TrickBot (developed and operated by WIZARD SPIDER), which may provide WIZARD SPIDER with additional tools to steal sensitive information and conduct fraudulent wire transfers. This activity also provides further evidence to support the existence of a flourishing relationship between these two actors. Lunar Spider is reportedly associated withGrim Spider and Wizard Spider.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LUNAR SPIDER.

Known Synonyms
GOLD SWATHMORE
Internal MISP references

UUID 0db4c708-f33d-4d46-906d-12fdf7415f62 which can be used as unique global reference for LUNAR SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RATPAK SPIDER

In July 2018, the source code of Pegasus, RATPAK SPIDER’s malware framework, was anonymously leaked. This malware has been linked to the targeting of Russia’s financial sector. Associated malware, Buhtrap, which has been leaked previously, was observed this year in connection with SWC campaigns that also targeted Russian users.

Internal MISP references

UUID ec3fda76-8c1c-4019-8109-3f92e6b15633 which can be used as unique global reference for RATPAK SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Kabar Cobra

Internal MISP references

UUID 9ba291f2-b107-402d-9083-3128395ff26e which can be used as unique global reference for Operation Kabar Cobra in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

APT-C-36

Since April 2018, an APT group (Blind Eagle, APT-C-36) suspected coming from South America carried out continuous targeted attacks against Colombian government institutions as well as important corporations in financial sector, petroleum industry, professional manufacturing, etc.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-36.

Known Synonyms
Blind Eagle
Internal MISP references

UUID ae1c64ff-5a37-4291-97f8-ea402c63efd0 which can be used as unique global reference for APT-C-36 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ecuador', 'Colombia', 'Spain', 'Panama', 'Chile']
cfr-target-category ['Petroleum', 'Manufacturing', 'Financial', 'Private sector', 'Government']
cfr-type-of-incident Espionage

IRIDIUM

Resecurity’s research indicates that the attack on Parliament is a part of a multi-year cyberespionage campaign orchestrated by a nation-state actor whom we are calling IRIDIUM. This actor targets sensitive government, diplomatic, and military resources in the countries comprising the Five Eyes intelligence alliance (which includes Australia, Canada, New Zealand, the United Kingdom and the United States)

Internal MISP references

UUID 29cfe970-5446-4cfc-a2da-00e9f49e02ba which can be used as unique global reference for IRIDIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 10
country IR
Related clusters

To see the related clusters, click here.

SandCat

SandCat, on the other hand, is a group that was discovered more recently by Kaspersky. One of the Windows vulnerabilities patched by Microsoft in December had been exploited by both FruityArmor and SandCat in attacks targeting the Middle East and Africa. SandCat has been using FinFisher/FinSpy spyware and CHAINSHOT, a piece of malware analyzed earlier this year by Palo Alto Networks. The group has also used the CVE-2018-8589 and CVE-2018-8611 Windows vulnerabilities in its attacks, both of which had a zero-day status when Microsoft released fixes.

Internal MISP references

UUID dc15f388-a353-4185-b28e-015745f708ba which can be used as unique global reference for SandCat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Comando

Operation Comando is a pure cybercrime campaign, possibly with Brazilian origin, with a concrete and persistent focus on the hospitality sector, which proves how a threat actor can be successful in pursuing its objectives while maintaining a cheap budget. The use of DDNS services, publicly available remote access tools, and having a minimum knowledge on software development (in this case VB.NET) has been enough for running a campaign lasting month, and potentially gathering credit card information and other possible data.

Internal MISP references

UUID 35c40ce2-57c0-479e-8a56-efbb8695e395 which can be used as unique global reference for Operation Comando in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

APT-C-27

A threat actor which is ac tive since at least November 2014. This group launched long-term at tacks against organizations in the Syrian region using Android and Windows malwares. Its objective is the theft of sensitive information.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-27.

Known Synonyms
ATK80
GoldMouse
Golden RAT
Internal MISP references

UUID ee7f535d-cc3e-40f3-99f3-c97963cfa250 which can be used as unique global reference for APT-C-27 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country SY
since 2014
suspected-victims ['Middle East', 'Syria']

Operation ShadowHammer

Newly discovered supply chain attack that leveraged ASUS Live Update software. The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

Internal MISP references

UUID 401c30c7-4317-458a-9b0a-379a44d63457 which can be used as unique global reference for Operation ShadowHammer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Whitefly

In July 2018, an attack on Singapore’s largest public health organization, SingHealth, resulted in a reported 1.5 million patient records being stolen. Until now, nothing was known about who was responsible for this attack. Symantec researchers have discovered that this attack group, which we call Whitefly, has been operating since at least 2017, has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information.

Internal MISP references

UUID 943f490e-ac7f-40fe-b6f3-33e2623649d2 which can be used as unique global reference for Whitefly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Sea Turtle

This blog post discusses the technical details of a state-sponsored attack manipulating DNS systems. While this incident is limited to targeting primarily national security organizations in the Middle East and North Africa, and we do not want to overstate the consequences of this specific campaign, we are concerned that the success of this operation will lead to actors more broadly attacking the global DNS system. DNS is a foundational technology supporting the Internet. Manipulating that system has the potential to undermine the trust users have on the internet. That trust and the stability of the DNS system as a whole drives the global economy. Responsible nations should avoid targeting this system, work together to establish an accepted global norm that this system and the organizations that control it are off-limits, and cooperate in pursuing those actors who act irresponsibly by targeting this system.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sea Turtle.

Known Synonyms
COSMIC WOLF
Marbled Dust
SILICON
Teal Kurma
UNC1326
Internal MISP references

UUID ce7bba52-5ae8-44ea-9979-68502d832ab7 which can be used as unique global reference for Sea Turtle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country TR
Related clusters

To see the related clusters, click here.

Silent Librarian

Last Friday, Deputy Attorney General Rod Rosenstein announced the indictment of nine Iranians who worked for an organization named the Mabna Institute. According to prosecutors, the defendants stole more than 31 terabytes of data from universities, companies, and government agencies around the world. The cost to the universities alone reportedly amounted to approximately $3.4 billion. The information stolen from these universities was used by the Islamic Revolutionary Guard Corps (IRGC) or sold for profit inside Iran. PhishLabs has been tracking this same threat group since late-2017, designating them Silent Librarian. Since discovery, we have been working with the FBI, ISAC partners, and other international law enforcement agencies to help understand and mitigate these attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Silent Librarian.

Known Synonyms
COBALT DICKENS
Mabna Institute
TA407
TA4900
Yellow Nabu
Internal MISP references

UUID 5059b44d-2753-4977-b987-4922f09afe6b which can be used as unique global reference for Silent Librarian in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

APT31

FireEye characterizes APT31 as an actor specialized on intellectual property theft, focusing on data and projects that make a particular organization competetive in its field. Based on available data (April 2016), FireEye assesses that APT31 conducts network operations at the behest of the Chinese Government. Also according to Crowdstrike, this adversary is suspected of continuing to target upstream providers (e.g., law firms and managed service providers) to support additional intrusions against high-profile assets. In 2018, CrowdStrike observed this adversary using spear-phishing, URL “web bugs” and scheduled tasks to automate credential harvesting.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT31.

Known Synonyms
BRONZE VINEWOOD
JUDGMENT PANDA
Red keres
TA412
Violet Typhoon
ZIRCONIUM
Zirconium
Internal MISP references

UUID 6bf7e6b6-5917-45a6-9567-f0baba79768c which can be used as unique global reference for APT31 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN
Related clusters

To see the related clusters, click here.

Blackgear

BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts. Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users. Two things led us to this conclusion: first, the fake documents that are used as part of its infection routines are now in Japanese. Secondly, it is now using blogging sites and microblogging services based in Japan for its C&C activity.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blackgear.

Known Synonyms
BLACKGEAR
Comnie
Topgear
Internal MISP references

UUID 8b62b20a-5b1c-48af-8424-e8220cd2fbd7 which can be used as unique global reference for Blackgear in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

BlackOasis

BlackOasis is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. A group known by Microsoft as NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackOasis.

Known Synonyms
G0063
Internal MISP references

UUID 8fbd195f-5e03-4e85-8ca5-4f1dff300bec which can be used as unique global reference for BlackOasis in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BlackTech

BlackTech is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong. Based on the mutexes and domain names of some of their C&C servers, BlackTech’s campaigns are likely designed to steal their target’s technology. Following their activities and evolving tactics and techniques helped us uncover the proverbial red string of fate that connected three seemingly disparate campaigns: PLEAD, Shrouded Crossbow, and of late, Waterbear. PLEAD is an information theft campaign with a penchant for confidential documents. Active since 2012, it has so far targeted Taiwanese government agencies and private organizations. PLEAD’s toolset includes the self-named PLEAD backdoor and the DRIGO exfiltration tool. PLEAD uses spear-phishing emails to deliver and install their backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop off points for exfiltrated documents stolen by DRIGO. PLEAD actors use a router scanner tool to scan for vulnerable routers, after which the attackers will enable the router’s VPN feature then register a machine as virtual server. This virtual server will be used either as a C&C server or an HTTP server that delivers PLEAD malware to their targets.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BlackTech.

Known Synonyms
CIRCUIT PANDA
Earth Hundun
G0098
HUAPI
Manga Taurus
Palmerworm
Red Djinn
T-APT-03
Temp.Overboard
Internal MISP references

UUID 320c42f7-eab7-4ef9-b09a-74396caa6c3e which can be used as unique global reference for BlackTech in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN5.

Known Synonyms
G0053
Internal MISP references

UUID 44dc2f9c-8c28-11e9-9b9a-7fdced8cbf70 which can be used as unique global reference for FIN5 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

FIN1

FireEye first identified this activity during a recent investigation at an organization in the financial industry. They identified the presence of a financially motivated threat group that they track as FIN1, whose activity at the organization dated back several years. The threat group deployed numerous malicious files and utilities, all of which were part of a malware ecosystem referred to as ‘Nemesis’ by the malware developer(s), and used this malware to access the victim environment and steal cardholder data. FIN1, which may be located in Russia or a Russian-speaking country based on language settings in many of their custom tools, is known for stealing data that is easily monetized from financial services organizations such as banks, credit unions, ATM operations, and financial transaction processing and financial business services companies.

Internal MISP references

UUID 13289552-596e-4592-9c81-eeb4db6baf3c which can be used as unique global reference for FIN1 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

FIN10

FireEye has observed multiple targeted intrusions occurring in North America — predominately in Canada — dating back to at least 2013 and continuing through at least 2016, in which the attacker(s) have compromised organizations’ networks and sought to monetize this illicit access by exfiltrating sensitive data and extorting victim organizations. In some cases, when the extortion demand was not met, the attacker(s) destroyed production Windows systems by deleting critical operating system files and then shutting down the impacted systems. Based on near parallel TTPs used by the attacker(s) across these targeted intrusions, we believe these clusters of activity are linked to a single, previously unobserved actor or group that we have dubbed FIN10.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN10.

Known Synonyms
G0051
Internal MISP references

UUID f2d02410-8c2c-11e9-8df1-a31c1fb33d79 which can be used as unique global reference for FIN10 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GhostNet

Cyber espionage is an issue whose time has come. In this second report from the Information Warfare Monitor, we lay out the findings of a 10-month investigation of alleged Chinese cyber spying against Tibetan institutions. The investigation, consisting of fieldwork, technical scouting, and laboratory analysis, discovered a lot more. The investigation ultimately uncovered a network of over 1,295 infected hosts in 103 countries. Up to 30% of the infected hosts are considered high-value targets and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs. The Tibetan computer systems we manually investigated, and from which our investigations began, were conclusively compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information. Attacks on the Dalai Lama’s Private Office The OHHDL started to suspect it was under surveillance while setting up meetings be-tween His Holiness and foreign dignitaries. They sent an email invitation on behalf of His Holiness to a foreign diplomat, but before they could follow it up with a courtesy telephone call, the diplomat’s office was contacted by the Chinese government and warned not to go ahead with the meeting. The Tibetans wondered whether a computer compromise might be the explanation; they called ONI Asia who called us. (Until May 2008, the first author was employed on a studentship funded by the OpenNet Initiative and the second author was a principal investigator for ONI.)

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GhostNet.

Known Synonyms
Snooping Dragon
Internal MISP references

UUID cacf2ffc-8c49-11e9-895e-7f5bf9c2ff6d which can be used as unique global reference for GhostNet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GozNym

IBM X-Force Research uncovered a Trojan hybrid spawned from the Nymaim and Gozi ISFB malware. It appears that the operators of Nymaim have recompiled its source code with part of the Gozi ISFB source code, creating a combination that is being actively used in attacks against more than 24 U.S. and Canadian banks, stealing millions of dollars so far. X-Force named this new hybrid GozNym. The new GozNym hybrid takes the best of both the Nymaim and Gozi ISFB malware to create a powerful Trojan. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers. The end result is a new banking Trojan in the wild.

Internal MISP references

UUID 7803b380-8c4c-11e9-90a1-f3880ab3aaa0 which can be used as unique global reference for GozNym in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Group5

A threat actor using Iranian-language tools, Iranian hosting companies, operating from the Iranian IP space at times was observed targeting the Syrian opposition in an elaborately staged malware operation, Citizen Lab researchers reveal. The operation was first noticed in late 2015, when a member of the Syrian opposition flagged a suspicious email containing a PowerPoint slideshow, which led researchers to a watering hole website with malicious programs, malicious PowerPoint files, and Android malware. The threat actor was targeting Windows and Android devices of well-connected individuals in the Syrian opposition, researchers discovered. They called the actor Group5, because it targets Syrian opposition after regime-linked malware groups, the Syrian Electronic Army, ISIS (also known as the Islamic State or ISIL), and a group linked to Lebanon did the same in the past

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Group5.

Known Synonyms
G0043
Internal MISP references

UUID bc8390aa-8c4e-11e9-a9cb-e37c361210af which can be used as unique global reference for Group5 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Honeybee

McAfee Advanced Threat Research analysts have discovered a new operation targeting humanitarian aid organizations and using North Korean political topics as bait to lure victims into opening malicious Microsoft Word documents. Our analysts have named this Operation Honeybee, based on the names of the malicious documents used in the attacks. Advanced Threat Research analysts have also discovered malicious documents authored by the same actor that indicate a tactical shift. These documents do not contain the typical lures by this actor, instead using Word compatibility messages to entice victims into opening them. The Advanced Threat Research team also observed a heavy concentration of the implant in Vietnam from January 15–17.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Honeybee.

Known Synonyms
G0072
Internal MISP references

UUID 2d82a18e-8c53-11e9-b0ec-536b62fa3d86 which can be used as unique global reference for Honeybee in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Lucky Cat

A series of attacks, targeting both Indian military research and south Asian shipping organizations, demonstrate the minimum level of effort required to successfully compromise a target and steal sensitive information. The attackers use very simple malware, which required little development time or skills, in conjunction with freely available Web hosting, to implement a highly effective attack. It is a case of the attackers obtaining a maximum return on their investment. The attack shows how an intelligent attacker does not need to be particularly technically skilled in order to steal the information they are after. The attack begins, as is often the case, with an email sent to the victim. A malicious document is attached to the email, which, when loaded, activates the malware. The attackers use tailored emails to encourage the victim to open the email. For example, one email sent to an academic claimed to be a call for papers for a conference (CFP). The vast majority of the victims were based in India, with some in Malaysia. The victim industry was mostly military research and also shipping based in the Arabian and South China seas. In some instances the attackers appeared to have a clear goal, whereby specific files were retrieved from certain compromised computers. In other cases, the attackers used more of a ‘shotgun’ like approach, copying every file from a computer. Military technologies were obviously the focus of one particular attack with what appeared to be source code stolen. 45 different attacker IP addresses were observed. Out of those, 43 were within the same IP address range based in Sichuan province, China. The remaining two were based in South Korea. The pattern of attacker connections implies that the IP addresses are being used as a VPN, probably in an attempt to render the attackers anonymous.ænThe attacks have been active from at least April 2011 up to February 2012. The attackers are intelligent and focused, employing the minimum amount of work necessary for the maximum gain. They do not use zero day exploits or complicated threats, instead they rely on effective social engineering and lax security measures on the part of the victims.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lucky Cat.

Known Synonyms
TA413
White Dev 9
Internal MISP references

UUID e502802e-8d0a-11e9-bd72-9f046529b3fd which can be used as unique global reference for Lucky Cat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RTM

There are several groups actively and profitably targeting businesses in Russia. A trend that we have seen unfold before our eyes lately is these cybercriminals’ use of simple backdoors to gain a foothold in their targets’ networks. Once they have this access, a lot of the work is done manually, slowly getting to understand the network layout and deploying custom tools the criminals can use to steal funds from these entities. Some of the groups that best exemplify these trends are Buhtrap, Cobalt and Corkow. The group discussed in this white paper is part of this new trend. We call this new group RTM; it uses custom malware, written in Delphi, that we cover in detail in later sections. The first trace of this tool in our telemetry data dates back to late 2015. The group also makes use of several different modules that they deploy where appropriate to their targets. They are interested in users of remote banking systems (RBS), mainly in Russia and neighboring countries.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RTM.

Known Synonyms
G0048
Internal MISP references

UUID 88100602-8e8b-11e9-bb7c-1bf20b58e305 which can be used as unique global reference for RTM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Shadow Network

Shadows in the Cloud documents a complex ecosystem of cyber espionage that systematically compromised government, business, academic, and other computer network systems in India, the Offices of the Dalai Lama, the United Nations, and several other countries. The report also contains an analysis of data which were stolen from politically sensitive targets and recovered during the course of the investigation. These include documents from the Offices of the Dalai Lama and agencies of the Indian national security establishment. Data containing sensitive information on citizens of numerous third-party countries, as well as personal, financial, and business information, were also exfiltrated and recovered during the course of the investigation. The report analyzes the malware ecosystem employed by the Shadows’ attackers, which leveraged multiple redundant cloud computing systems, social networking platforms, and free web hosting services in order to maintain persistent control while operating core servers located in the People’s Republic of China (PRC). Although the identity and motivation of the attackers remain unknown, the report is able to determine the location (Chengdu, PRC) as well as some of the associations of the attackers through circumstantial evidence. The investigation is the product of an eight month, collaborative activity between the Information Warfare Monitor (Citizen Lab and SecDev) and the Shadowserver Foundation. The investigation employed a fusion methodology, combining technical interrogation techniques, data analysis, and field research, to track and uncover the Shadow cyber espionage network.

Internal MISP references

UUID ef800f1c-8e90-11e9-972c-53e01614f101 which can be used as unique global reference for Shadow Network in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Slingshot

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity. While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to MikroTik routers and placed a component downloaded by Winbox Loader, a management suite for MikroTik routers. In turn, this infected the administrator of the router. We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

Internal MISP references

UUID 4fcbd08a-8ea6-11e9-8bf2-970182ab6bb5 which can be used as unique global reference for Slingshot in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Taidoor

The Taidoor attackers have been actively engaging in targeted attacks since at least March 4, 2009. Despite some exceptions, the Taidoor campaign often used Taiwanese IP addresses as C&C servers and email addresses to send out socially engineered emails with malware as attachments. One of the primary targets of the Taidoor campaign appeared to be the Taiwanese government. The attackers spoofed Taiwanese government email addresses to send out socially engineered emails in the Chinese language that typically leveraged Taiwan-themed issues. The attackers actively sent out malicious documents and maintained several IP addresses for command and control. As part of their social engineering ploy, the Taidoor attackers attach a decoy document to their emails that, when opened, displays the contents of a legitimate document but executes a malicious payload in the background. We were only able to gather a limited amount of information regarding the Taidoor attackers’ activities after they have compromised a target. We did, however, find that the Taidoor malware allowed attackers to operate an interactive shell on compromised computers and to upload and download files. In order to determine the operational capabilities of the attackers behind the Taidoor campaign, we monitored a compromised honeypot. The attackers issued out some basic commands in an attempt to map out the extent of the network compromise but quickly realized that the honeypot was not an intended targeted and so promptly disabled the Taidoor malware running on it. This indicated that while Taidoor malware were more widely distributed compared with those tied to other targeted campaigns, the attackers could quickly assess their targets and distinguish these from inadvertently compromised computers and honeypots.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Taidoor.

Known Synonyms
Earth Aughisky
G0015
Internal MISP references

UUID e6669606-91ad-11e9-b6f5-374843911989 which can be used as unique global reference for Taidoor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TEMP.Veles

TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TEMP.Veles.

Known Synonyms
ATK91
G0088
Xenotime
Internal MISP references

UUID 90abfc42-91c6-11e9-89b1-af58de8f7ec2 which can be used as unique global reference for TEMP.Veles in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
capabilities TRISIS, custom credential harvesting
mode-of-operation Focused on physical destruction and long-term persistence
since 2014
victimology Oil and Gas, Middle East

WindShift

In August of 2018, DarkMatter released a report entitled “In the Trails of WINDSHIFT APT”, which unveiled a threat actor with TTPs very similar to those of Bahamut. Subsequently, two additional articles were released by Objective-See which provide an analysis of some validated WINDSHIFT samples targeting OSX systems. Pivoting on specific file attributes and infrastructure indicators, Unit 42 was able to identify and correlate additional attacker activity and can now provide specific details on a targeted WINDSHIFT attack as it unfolded at a Middle Eastern government agency.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular WindShift.

Known Synonyms
Windy Phoenix
Internal MISP references

UUID cbbbfc82-9294-11e9-8e19-2bc14137b25b which can be used as unique global reference for WindShift in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

[Unnamed group]

Over the last few weeks, several significant leaks regarding a number of Iranian APTs took place. After analyzing and investigating the documents we conclude that they are authentic. Consequently, this causes considerable harm to the groups and their operation. The identity of the actor behind the leak is currently unknown, however based on the scope and the quality of the exposed documents and information, it appears that they are professional and highly capable. This leak will likely hamstring the groups' operation in the near future. Accordingly, in our assessment this will minimize the risk of potential attacks in the next few months and possibly even year. Note -most of the leaks are posted on Telegram channels that were created specifically for this purpose. Below are the three main Telegram groups on which the leaks were posted: Lab Dookhtegam pseudonym ("The people whose lips are stitched and sealed" –translation from Persian) –In this channel attack tools attributed to the group 'OilRig' were leaked; including a webshell that was inserted into the Technion, various tools that were used for DNS attacks, and more. Green Leakers–In this channel attack tools attributed to the group 'MuddyWatter' were leaked. The group's name and its symbol are identified with the "green movement", which led the protests in Iran after the Presidential elections in 2009. These protests were heavily repressed by the revolutionary guards (IRGC) Black Box–Unlike the previous two channels this has been around for a long time. On Friday May 5th, dozens of confidential documents labeled as "secret" (a high confidentiality level in Iran, one before the highest -top secret) were posted on this channel. The documents were related to Iranian attack groups' activity.

Internal MISP references

UUID f50a5f64-9296-11e9-9b46-a331d01a008d which can be used as unique global reference for [Unnamed group] in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DUNGEON SPIDER

DUNGEON SPIDER is a criminal group operating the ransomware most commonly known as Locky, which has been active since February 2016 and was last observed in late 2017. Locky is a ransomware tool that encrypts files using a combination of cryptographic algorithms: RSA with a key size of 2,048 bits, and AES with a key size of 128 bits. Locky targets a large number of file extensions and is able to encrypt data on shared network drives. In an attempt to further impact victims and prevent file recovery, Locky deletes all of the Shadow Volume Copies on the machine. DUNGEON SPIDER primarily relies on broad spam campaigns with malicious attachments for distribution. Locky is the community/industry name associated with this actor.

Internal MISP references

UUID f1da463c-9297-11e9-875a-d327fc8282f2 which can be used as unique global reference for DUNGEON SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Fxmsp

Throughout 2017 and 2018, Fxmsp established a network of trusted proxy resellers to promote their breaches on the criminal underground. Some of the known Fxmsp TTPs included accessing network environments via externally available remote desktop protocol (RDP) servers and exposed active directory. Most recently, the actor claimed to have developed a credential-stealing botnet capable of infecting high-profile targets in order to exfiltrate sensitive usernames and passwords. Fxmsp has claimed that developing this botnet and improving its capabilities for stealing information from secured systems is their main goal.

Internal MISP references

UUID 686f4fe0-9298-11e9-b02a-af9595918956 which can be used as unique global reference for Fxmsp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gnosticplayers

The hacker said that he put up the data for sale mainly because these companies had failed to protect passwords with strong encryption algorithms like bcrypt. Most of the hashed passwords the hacker put up for sale today can cracked with various levels of difficulty --but they can be cracked. "I got upset because I feel no one is learning," the hacker told ZDNet in an online chat earlier today. "I just felt upset at this particular moment, because seeing this lack of security in 2019 is making me angry." In a conversation with ZDNet last month, the hacker told us he wanted to hack and put up for sale more than one billion records and then retire and disappear with the money. But in a conversation today, the hacker says this is not his target anymore, as he learned that other hackers have already achieved the same goal before him. Gnosticplayers also revealed that not all the data he obtained from hacked companies had been put up for sale. Some companies gave into extortion demands and paid fees so breaches would remain private. "I came to an agreement with some companies, but the concerned startups won't see their data for sale," he said. "I did it that's why I can't publish the rest of my databases or even name them."

Internal MISP references

UUID f32e3682-9298-11e9-8dcb-639156d97cd1 which can be used as unique global reference for Gnosticplayers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Hacking Team

The many 0-days that had been collected by Hacking Team and which became publicly available during the breach of their organization in 2015, have been used by several APT groups since. Since being founded in 2003, the Italian spyware vendor Hacking Team gained notoriety for selling surveillance tools to governments and their agencies across the world. The capabilities of its flagship product, the Remote Control System (RCS), include extracting files from a targeted device, intercepting emails and instant messaging, as well as remotely activating a device’s webcam and microphone. The company has been criticized for selling these capabilities to authoritarian governments – an allegation it has consistently denied. When the tables turned in July 2015, with Hacking Team itself suffering a damaging hack, the reported use of RCS by oppressive regimes was confirmed. With 400GB of internal data – including the once-secret list of customers, internal communications, and spyware source code – leaked online, Hacking Team was forced to request its customers to suspend all use of RCS, and was left facing an uncertain future. Following the hack, the security community has been keeping a close eye on the company’s efforts to get back on its feet. The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild. A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.

Internal MISP references

UUID d7f0d2a8-9329-11e9-851e-dbfc1c517e4e which can be used as unique global reference for Hacking Team in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

OurMine

OurMine is known for celebrity internet accounts, often causing cyber vandalism, to advertise their commercial services. (Trend Micro) In light of the recent report detailing its willingness to pay US$250,000 in exchange for the 1.5 terabytes’ worth of data swiped by hackers from its servers, HBO finds itself dealing with yet another security breach. Known for hijacking prominent social media accounts, the self-styled white hat hacking group OurMine took over a number of verified Twitter and Facebook accounts belonging to the cable network. These include accounts for HBO shows, such as “Game of Thrones,” “Girls,” and “Ballers.” This is not the first time that OurMine has claimed responsibility for hacking high- profile social networking accounts. Last year, the group victimized Marvel, The New York Times, and even the heads of some of the biggest technology companies in the world. Mark Zuckerberg, Jack Dorsey, Sundar Pichai, and Daniel Ek — the CEOs of Facebook, Twitter, Google and Spotify, respectively — have also fallen victim to the hackers, dispelling the notion that a career in software and technology exempts one from being compromised.

Internal MISP references

UUID 2c9e1964-9357-11e9-ad8f-5f422851e912 which can be used as unique global reference for OurMine in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pacha Group

Antd is a miner found in the wild on September 18, 2018. Recently we discovered that the authors from Antd are actively delivering newer campaigns deploying a broad number of components, most of them completely undetected and operating within compromised third party Linux servers. Furthermore, we have observed that some of the techniques implemented by this group are unconventional, and there is an element of sophistication to them. We believe the authors behind this malware are from Chinese origin. We have labeled the undetected Linux.Antd variants, Linux.GreedyAntd and classified the threat actor as Pacha Group.

Internal MISP references

UUID aa469d96-9357-11e9-bd7d-df125c7cba53 which can be used as unique global reference for Pacha Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Rocke

This threat actor initially came to our attention in April 2018, leveraging both Western and Chinese Git repositories to deliver malware to honeypot systems vulnerable to an Apache Struts vulnerability. In late July, we became aware that the same actor was engaged in another similar campaign. Through our investigation into this new campaign, we were able to uncover more details about the actor.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Rocke.

Known Synonyms
Aged Libra
Internal MISP references

UUID 53583c40-935e-11e9-b4fc-d7e217a306d2 which can be used as unique global reference for Rocke in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

[Vault 7/8]

An unnamed source leaked almost 10,000 documents describing a large number of 0-day vulnerabilities, methodologies and tools that had been collected by the CIA. This leaking was done through WikiLeaks, since March 2017. In weekly publications, the dumps were said to come from Vault 7 and later Vault 8, until his arrest in 2018. Most of the published vulnerabilities have since been fixed by the respective vendors, by many have been used by other threat actors. This actor turned out to be a former CIA software engineer. (WikiLeaks) Today, Tuesday 7 March 2017, WikiLeaks begins its new series of leaks on the U.S. Central Intelligence Agency. Code-named "Vault 7" by WikiLeaks, it is the largest ever publication of confidential documents on the agency. The first full part of the series, "Year Zero", comprises 8,761 documents and files from an isolated, high-security network situated inside the CIA's Center for Cyber Intelligence in Langley, Virgina. It follows an introductory disclosure last month of CIA targeting French political parties and candidates in the lead up to the 2012 presidential election. Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized "zero day" exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive. "Year Zero" introduces the scope and direction of the CIA's global covert hacking program, its malware arsenal and dozens of "zero day" weaponized exploits against a wide range of U.S. and European company products, include Apple's iPhone, Google's Android and Microsoft's Windows and even Samsung TVs, which are turned into covert microphones.

Internal MISP references

UUID 9f133738-935f-11e9-aa5e-bbf8d91abb46 which can be used as unique global reference for [Vault 7/8] in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ZOMBIE SPIDER

On April 7, 2017, Pytor Levashov — who predominantly used the alias Severa or Peter Severa and whom Falcon Intelligence tracks as ZOMBIE SPIDER — was arrested in an international law enforcement operation led by the FBI. ZOMBIE SPIDER’s specialty was large-scale spam distribution, a fundamental component of cybercrime operations. Levashov was the primary threat actor behind a botnet known as Kelihos and its predecessors, Waledac and Storm. In addition to Levashov’s arrest, there was a technical operation conducted by Falcon Intelligence to seize control of the Kelihos botnet.

Internal MISP references

UUID e01b8f3a-9366-11e9-9c6f-17ba128aa4b6 which can be used as unique global reference for ZOMBIE SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ViceLeaker

In May 2018, we discovered a campaign targeting dozens of mobile Android devices belonging to Israeli citizens. Kaspersky spyware sensors caught the signal of an attack from the device of one of the victims; and a hash of the APK involved (Android application) was tagged in our sample feed for inspection. Once we looked into the file, we quickly found out that the inner-workings of the APK included a malicious payload, embedded in the original code of the application. This was an original spyware program, designed to exfiltrate almost all accessible information. During the course of our research, we noticed that we were not the only ones to have found the operation. Researchers from Bitdefender also released an analysis of one of the samples in a blogpost. Although something had already been published, we decided to do something different with the data we acquired. The following month, we released a private report on our Threat Intelligence Portal to alert our clients about this newly discovered operation and began writing YARA rules in order to catch more samples. We decided to call the operation “ViceLeaker”, because of strings and variables in its code.

Internal MISP references

UUID f676fcd1-cde9-4d0a-8958-221f2abb56e9 which can be used as unique global reference for ViceLeaker in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SWEED

Cisco Talos recently identified a large number of ongoing malware distribution campaigns linked to a threat actor we're calling "SWEED," including such notable malware as Formbook, Lokibot and Agent Tesla. Based on our research, SWEED — which has been operating since at least 2017 — primarily targets their victims with stealers and remote access trojans. SWEED remains consistent across most of their campaigns in their use of spear-phishing emails with malicious attachments. While these campaigns have featured a myriad of different types of malicious documents, the actor primarily tries to infect its victims with a packed version of Agent Tesla — an information stealer that's been around since at least 2014. The version of Agent Tesla that SWEED is using differs slightly from what we've seen in the past in the way that it is packed, as well as how it infects the system. In this post, we'll run down each campaign we're able to connect to SWEED, and talk about some of the actor's tactics, techniques and procedures (TTPs).

Internal MISP references

UUID 64ac8827-89d9-4738-9df3-cd955c628bee which can be used as unique global reference for SWEED in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA428

Proofpoint researchers have identified a targeted APT campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. We dubbed this campaign “Operation LagTime IT” based on entities that were targeted and the distinctive domains registered to C&C IP infrastructure. Beginning in early 2019, these threat actors targeted a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. We determined that the infection vector observed in this campaign was spear phishing, with emails originating from both free email accounts and compromised user accounts. Attackers relied on Microsoft Equation Editor exploit CVE-2018-0798 to deliver a custom malware that Proofpoint researchers have dubbed Cotx RAT. Additionally, this APT group utilizes Poison Ivy payloads that share overlapping command and control (C&C) infrastructure with the newly identified Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic TTPs utilized in this operation, Proofpoint analysts attribute this activity to the Chinese APT group tracked internally as TA428. Researchers believe that this activity has an operational and tactical resemblance to the Maudi Surveillance Operation which was previously reported in 2013.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA428.

Known Synonyms
BRONZE DUDLEY
Colourful Panda
Internal MISP references

UUID 5533d062-18ab-4c70-9472-0eac03f95a1d which can be used as unique global reference for TA428 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

LYCEUM

Lyceum is an Iranian APT group that has been active since at least 2014. They primarily target Middle Eastern governments and organizations in the energy and telecommunications sectors. Lyceum is known for using cyber espionage techniques and has been linked to other Iranian threat groups such as APT34. They have developed and deployed malware families like Shark and Milan, and have been observed using DNS tunneling and HTTPfor command and control communication.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LYCEUM.

Known Synonyms
COBALT LYCEUM
Chrono Kitten
HEXANE
MYSTICDOME
Spirlin
Storm-0133
UNC1530
siamesekitten
Internal MISP references

UUID e1b95185-8db6-4f3c-9ffd-1749087d934a which can be used as unique global reference for LYCEUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Israel', 'Middle East']
cfr-target-category ['Government', 'Energy', 'High-Tech', 'Telecomms', 'Education', 'Military', 'Defense']
cfr-type-of-incident Espionage
country IR

APT41

APT41 is a prolific cyber threat group that carries out Chinese state-sponsored espionage activity in addition to financially motivated activity potentially outside of state control.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT41.

Known Synonyms
Amoeba
BARIUM
BRONZE ATLAS
BRONZE EXPORT
Blackfly
Brass Typhoon
Earth Baku
Earth Freybug
G0044
G0096
Grayfly
HOODOO
LEAD
Red Kelpie
TA415
WICKED PANDA
WICKED SPIDER
Internal MISP references

UUID 9c124874-042d-48cd-b72b-ccdc51ecbbd6 which can be used as unique global reference for APT41 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor People's Republic of China
cfr-suspected-victims ['China', 'France', 'Hong Kong', 'India', 'Italy', 'Japan', 'Myanmar', 'Netherlands', 'Singapore', 'South Korea', 'South Africa', 'Switzerland', 'Thailand', 'Turkey', 'United Kingdom', 'United States']
cfr-target-category ['Automotive', 'Business', 'Services', 'Cryptocurrency', 'Education', 'Energy', 'Financial', 'Healthcare', 'High-Tech', 'Intergovernmental', 'Media and Entertainment', 'Pharmaceuticals', 'Private sector', 'Retail', 'Telecommunications', 'Travel']
country CN
Related clusters

To see the related clusters, click here.

Tortoiseshell

A previously undocumented attack group is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers’ customers. The group, which we are calling Tortoiseshell, has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Tortoiseshell.

Known Synonyms
Crimson Sandstorm
DUSTYCAVE
IMPERIAL KITTEN
Imperial Kitten
TA456
Yellow Liderc
Internal MISP references

UUID 5f108484-db7f-11e9-aaa4-fb0176425734 which can be used as unique global reference for Tortoiseshell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['United States', 'Israel', 'Middle East', 'Europe']
cfr-target-category ['Defense', 'Government', 'Military', 'Finance', 'Energy', 'Healthcare', 'Pharmaceuticals', 'Telecoms', 'High-Tech', 'Media', 'NGOs', 'Civil Society', 'Legal', 'Rail', 'Transportation']
cfr-type-of-incident Espionage
country IR

POISON CARP

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POISON CARP.

Known Synonyms
Earth Empusa
Evil Eye
Red Dev 16
Internal MISP references

UUID 7aa99279-4255-4d26-bb95-12e7156555a0 which can be used as unique global reference for POISON CARP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA410

Early in August 2019, Proofpoint described what appeared to be state-sponsored activity targeting the US utilities sector with malware that we dubbed “Lookback”. Between August 21 and August 29, 2019, several spear phishing emails were identified targeting additional US companies in the utilities sector. The phishing emails originated from what appears to be an actor-controlled domain: globalenergycertification[.]net. This domain, like those used in previous campaigns, impersonated a licensing body related to the utilities sector. In this case, it masqueraded as the legitimate domain for Global Energy Certification (“GEC”). The emails include a GEC examination-themed body and a malicious Microsoft Word attachment that uses macros to install and run LookBack. (Note confusion between Malware, Campaign and ThreatActor)

Internal MISP references

UUID 5cd95926-0098-435e-892d-9c9f61763ad7 which can be used as unique global reference for TA410 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Soft Cell

In 2018, the Cybereason Nocturnus team identified an advanced, persistent attack targeting global telecommunications providers carried out by a threat actor using tools and techniques commonly associated with Chinese-affiliated threat actors, such as APT10. This multi-wave attacks focused on obtaining data of specific, high-value targets and resulted in a complete takeover of the network.

Internal MISP references

UUID 8dda51ef-9a30-48f7-b0fd-5b6f0a62262d which can be used as unique global reference for Operation Soft Cell in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
threat-actor-classification ['operation']
Related clusters

To see the related clusters, click here.

Operation WizardOpium

We are calling these attacks Operation WizardOpium. So far, we have been unable to establish a definitive link with any known threat actors. There are certain very weak code similarities with Lazarus attacks, although these could very well be a false flag. The profile of the targeted website is more in line with earlier DarkHotel attacks that have recently deployed similar false flag attacks.

Internal MISP references

UUID 75db4269-924b-4771-8f62-0de600a43634 which can be used as unique global reference for Operation WizardOpium in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
threat-actor-classification ['operation']

Calypso

For the first time, the activity of the Calypso group was detected by specialists of PT Expert Security Center in March 2019, during the work to detect cyber threats. As a result, many malware samples of this group were obtained, affected organizations and control servers of intruders were identified. According to our data, the group has been active since at least September 2016. The main goal of the group is to steal confidential data, the main victims are government agencies from Brazil, India, Kazakhstan, Russia, Thailand, Turkey. Our data suggest that the group has Asian roots. Description translated from Russian.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Calypso.

Known Synonyms
BRONZE MEDLEY
Internal MISP references

UUID 200d04c8-a11f-45c4-86fd-35bb5de3f7a3 which can be used as unique global reference for Calypso in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Government, Administration']

TA2101

Proofpoint researchers detected campaigns from a relatively new actor, tracked internally as TA2101, targeting German companies and organizations to deliver and install backdoor malware. The actor initiated their campaigns impersonating the Bundeszentralamt fur Steuern, the German Federal Ministry of Finance, with lookalike domains, verbiage, and stolen branding in the emails. For their campaigns in Germany, the actor chose Cobalt Strike, a commercially licensed software tool that is generally used for penetration testing and emulates the type of backdoor framework used by Metasploit, a similar penetration testing tool. Proofpoint researchers have also observed this actor distributing Maze ransomware, employing similar social engineering techniques to those it uses for Cobalt Strike, while also targeting organizations in Italy and impersonating the Agenzia Delle Entrate, the Italian Revenue Agency. We have also recently observed the actor targeting organizations in the United States using the IcedID banking Trojan while impersonating the United States Postal Service (USPS).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA2101.

Known Synonyms
DEV-0216
GOLD VILLAGE
Maze Team
Storm-0216
TWISTED SPIDER
Twisted Spider
Internal MISP references

UUID 39925aa0-c7bf-4b9b-97d6-7d600329453d which can be used as unique global reference for TA2101 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

APT-C-34

As reported by ZDNet, Chinese cyber-security vendor Qihoo 360 published a report on 2019-11-29 exposing an extensive hacking operation targeting the country of Kazakhstan. Targets included individuals and organizations involving all walks of life, such as government agencies, military personnel, foreign diplomats, researchers, journalists, private companies, the educational sector, religious figures, government dissidents, and foreign diplomats alike. The campaign, Qihoo 360 said, was broad, and appears to have been carried by a threat actor with considerable resources, and one who had the ability to develop their private hacking tools, buy expensive spyware off the surveillance market, and even invest in radio communications interception hardware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-34.

Known Synonyms
Golden Falcon
Internal MISP references

UUID feb0cfef-0472-4108-83d7-1a322d8ab86b which can be used as unique global reference for APT-C-34 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

luoxk

Luoxk is a malware campaign targeting web servers throughout Asia, Europe and North America.

Internal MISP references

UUID 69e11692-691e-4bfb-9557-4e2a271684ed which can be used as unique global reference for luoxk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
since 2017

RAZOR TIGER

An actor mainly targeting Pakistan military targets, active since at least 2012. We have low confidence that this malware might be authored by an Indian company. To spread the malware, they use unique implementations to leverage the exploits of known vulnerabilities (such as CVE-2017-11882) and later deploy a Powershell payload in the final stages.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RAZOR TIGER.

Known Synonyms
APT-C-17
Rattlesnake
SideWinder
T-APT-04
Internal MISP references

UUID c4ce1174-9462-47e9-8038-794f40a184b3 which can be used as unique global reference for RAZOR TIGER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Operation Wocao

Operation Wocao (我操, “Wǒ cāo”, used as “shit” or “damn”) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group. This report details the profile of a publicly underreported threat actor that Fox-IT has dealt with over the past two years. Fox-IT assesses with high confidence that the actor is a Chinese group and that they are likely working to support the interests of the Chinese government and are tasked with obtaining information for espionage purposes. With medium confidence, Fox-IT assesses that the tools, techniques and procedures are those of the actor referred to as APT20 by industry partners. We have identified victims of this actor in more than 10 countries, in government entities, managed service providers and across a wide variety of industries, including Energy, Health Care and High-Tech.

Internal MISP references

UUID c432d032-ce2b-4eb8-ba87-312b2a43fb7a which can be used as unique global reference for Operation Wocao in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Budminer

Based on the evidence we have presented Symantec attributed the activity involving theDripion malware to the Budminer advanced threat group. While we have not seen newcampaigns using Taidoor malware since 2014, we believe the Budminer group has changedtactics to avoid detection after being outed publicly in security white papers and blogs over thepast few years.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Budminer.

Known Synonyms
Budminer cyberespionage group
Internal MISP references

UUID 2eb0dc7a-cef6-4744-92ac-2fe269dacb95 which can be used as unique global reference for Budminer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN
suspected-victims Taiwan

Attor

Adversary group targeting diplomatic missions and governmental organisations.

Internal MISP references

UUID 947a450a-df6c-4c2e-807b-0da8ecea1d26 which can be used as unique global reference for Attor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-target-category ['Private sector', 'Government']
cfr-type-of-incident Espionage

APT-C-12

According to 360 TIC the actor has carried out continuous cyber espionage activities since 2011 on key units and departments of the Chinese government, military industry, scientific research, and finance. The organization focuses on information related to the nuclear industry and scientific research. The targets were mainly concentrated in mainland China...[M]ore than 670 malware samples have been collected from the group, including more than 60 malicious plugins specifically for lateral movement; more than 40 C2 domain names and IPs related to the organization have also been discovered.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-12.

Known Synonyms
Blue Mushroom
NuclearCrisis
Sapphire Mushroom
Internal MISP references

UUID 53771ca5-f1cb-47b6-a92a-53a485307cf7 which can be used as unique global reference for APT-C-12 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-target-category ['Private sector', 'Government', 'Military', 'Scientific Research', 'Finance']
cfr-type-of-incident Espionage
suspected-victims China

InvisiMole

Adversary group targeting diplomatic missions, governmental and military organisations, mainly in Ukraine.

Internal MISP references

UUID 87af83a4-ced4-4e7c-96a6-86612dc095b1 which can be used as unique global reference for InvisiMole in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ukraine']
cfr-target-category ['Government']
cfr-type-of-incident Espionage

ANTHROPOID SPIDER

Publicly known as 'EmpireMonkey', ANTHROPOID SPIDER conducted phishing campaigns in February and March 2019, spoofing French, Norwegian and Belizean financial regulators and institutions. These campaigns used macro-enabled Microsoft documents to deliver the PowerShell Empire post-exploitation framework. ANTHROPOID SPIDER likely enabled a breach that allegedly involved fraudulent transfers over the SWIFT network.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ANTHROPOID SPIDER.

Known Synonyms
CobaltGoblin
Empire Monkey
Internal MISP references

UUID 559a64d8-8657-4a93-9208-060d52efdec4 which can be used as unique global reference for ANTHROPOID SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Finance']

CLOCKWORK SPIDER

Opportunistic actor that installs custom root certificate on victim to support man-in-the-middle network monitoring.

Internal MISP references

UUID 2d2f3b53-c544-4823-a65f-da53ff8f594e which can be used as unique global reference for CLOCKWORK SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DOPPEL SPIDER

In June 2019, CrowdStrike Intelligence observed a source code fork of BitPaymer and began tracking the new ransomware strain as DoppelPaymer. Further technical analysis revealed an increasing divergence between two versions of Dridex, with the new version dubbed DoppelDridex. Based on this evidence, CrowdStrike Intelligence assessed with high confidence that a new group split off from INDRIK SPIDER to form the adversary DOPPEL SPIDER. Following DOPPEL SPIDER’s inception, CrowdStrike Intelligence observed multiple BGH incidents attributed to the group, with the largest known ransomware demand being 250 BTC. Other demands were not nearly as high, suggesting that the group conducts network reconnaissance to determine the value of the victim organization.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DOPPEL SPIDER.

Known Synonyms
GOLD HERON
Internal MISP references

UUID 2154b183-c5c5-418f-8e47-f6e999b64e30 which can be used as unique global reference for DOPPEL SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MONTY SPIDER

Spambots continued to decline in 2019, with MONTY SPIDER’s CraP2P spambot falling silent in April.

Internal MISP references

UUID 168a9e38-70e3-4542-b78f-afa2414436bb which can be used as unique global reference for MONTY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NARWHAL SPIDER

NARWHAL SPIDER’s operation of Cutwail v2 was limited to country-specific spam campaigns, although late in 2019 there appeared to be an effort to expand by bringing in INDRIK SPIDER as a customer.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NARWHAL SPIDER.

Known Synonyms
GOLD ESSEX
TA544
Internal MISP references

UUID fda9cdea-0017-495e-879d-0f348db2aa07 which can be used as unique global reference for NARWHAL SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NOCTURNAL SPIDER

Mentioned as MaaS operator in CrowdStrike's 2020 Report.

Internal MISP references

UUID c042c592-25f6-4887-8a1b-6b8e3bfdcf0c which can be used as unique global reference for NOCTURNAL SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SCULLY SPIDER

Mentioned as operator of DanaBot in CrowdStrike's 2020 Report.

Internal MISP references

UUID 7fb1662e-0257-4606-b3a2-bf294c64c098 which can be used as unique global reference for SCULLY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SMOKY SPIDER

Mentioned as operator of SmokeLoader in CrowdStrike's 2020 Report.

Internal MISP references

UUID e27796eb-624a-4e41-aa40-52d47c764b07 which can be used as unique global reference for SMOKY SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

VENOM SPIDER

VENOM SPIDER is the developer of a large toolset that includes SKID, VenomKit and Taurus Loader. Under the moniker 'badbullzvenom', the adversary has been an active member of Russian underground forums since at least 2012, specializing in the identification of vulnerabilities and the subsequent development of tools for exploitation, as well as for gaining and maintaining access to victim machines and carding services. Recent advertisements for the malware indicate that VENOM SPIDER limits the sale and use of its tools, selling modules only to trusted affiliates. This preference can be seen in the fact that adversaries observed using the tools include the targeted criminal adversary COBALT SPIDER and BGH adversaries WIZARD SPIDER and PINCHY SPIDER.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VENOM SPIDER.

Known Synonyms
badbullz
badbullzvenom
Internal MISP references

UUID 86b4e2f3-8bbf-48fd-9d27-034d3ac3b187 which can be used as unique global reference for VENOM SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Shadow Force

Operation Shadow Force is a group of malware that is representative of Shadow Force and Wgdrop from 2013 to 2020, and is a group activity that attacks Korean companies and organizations. The group's first confirmed attack was in March 2013, but considering the date of malware creation, it is likely to have been active before 2012. Since the malware used mainly by them is Shadow Force, it was named Operation Shadow Force, and it has not been confirmed whether the attacker is associated with a known group.

Internal MISP references

UUID f628b544-48b6-44e2-b794-950713353cf1 which can be used as unique global reference for Operation Shadow Force in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NOTROBIN

Researchers at FireEye report finding a hacking group (dubbed NOTROBIN) that has been bundling mitigation code for NetScaler servers with its exploits. In effect, the hackers exploit the flaw to get access to the server, kill any existing malware, set up their own backdoor, then block off the vulnerable code from future exploit attempts by mitigation.

Internal MISP references

UUID 21d08f2c-97b2-444e-be49-8457093b841a which can be used as unique global reference for NOTROBIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ItaDuke

ItaDuke is an actor known since 2013. It used PDF exploits for dropping malware and Twitter accounts to store C2 server urls. On 2018, an actor named DarkUniverse, which was active between 2009 to 2017, was attributed to this ItaDuke by Kaspersky.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ItaDuke.

Known Synonyms
DarkUniverse
SIG27
Internal MISP references

UUID d0b900fa-84b4-11ea-bc55-0242ac130003 which can be used as unique global reference for ItaDuke in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Nazar

This actor was identified by Juan Andres Guerrero-Saade from the SIG37 cluster as published in the ShadowBrokers' 'Lost in Translation' leak. Earliest known sighting potentially dates back to as far as 2008 with a confirmed center of activity around 2010-2013. The actor name is derived from a PDB debug string fragment: 'khzer'. Victimology indicates targeting of Iran, assessed with low confidence based on VT file submission locations. Nazar employs a modular toolkit where a main dropper silently registers multiple DLLs as OLE controls in the Windows registry. Functionality includes keylogging, sound and screen grabbing, as well as traffic capture using the MicroOlap Packet Sniffer library.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Nazar.

Known Synonyms
SIG37
Internal MISP references

UUID 169187c5-9fbe-42df-ae92-6e35846db021 which can be used as unique global reference for Nazar in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Higaisa

The organization often uses important North Korean time nodes such as holidays and North Korea to conduct fishing activities. The bait includes New Year blessings, Lantern blessings, North Korean celebrations, and important news, overseas personnel contact lists and so on. In addition, the attack organization also has the attack capability of the mobile terminal. The targets of the attack also include diplomatic entities related to North Korea (such as embassy officials in various places), government officials, human rights organizations, North Korean residents abroad, and traders. The victim countries currently monitored include China, North Korea, Japan, Nepal, Singapore, Russia, Poland, Switzerland, etc.

Internal MISP references

UUID a9df6cb7-74ff-482f-b23b-ac40e975a31a which can be used as unique global reference for Higaisa in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor Korea (Republic of)
cfr-suspected-victims ['China', 'North Korea', 'Japan', 'Nepal', 'Singapore', 'Russia', 'Poland', 'Switzerland']
cfr-target-category ['Government']
country KR

COBALT JUNO

COBALT JUNO has operated since at least 2013 and focused on targets located in the Middle East including Iran, Jordan, Egypt & Lebanon. COBALT JUNO custom spyware families SABER1 and SABER2, include surveillance functionality and masquerade as legitimate software utilities such as Adobe Updater, StickyNote and ASKDownloader. CTU researchers assess with moderate confidence that COBALT JUNO operated the ZooPark Android spyware since at least mid-2015. ZooPark was publicly exposed in 2018 in both vendor reporting and a high profile leak of C2 server data. COBALT JUNO is linked to a private security company in Iran and outsources aspects of tool development work to commercial software developers. CTU researchers have observed the group using strategic web compromises to deliver malware. CTU researchers’ discovery of new C2 domains in 2019 suggest the group is still actively performing operations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COBALT JUNO.

Known Synonyms
APT-C-38 (QiAnXin)
SABER LION
TG-2884 (SCWX CTU)
Internal MISP references

UUID 4687e1ab-a361-4165-b142-00845f4b2c62 which can be used as unique global reference for COBALT JUNO in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

COBALT KATANA

COBALT KATANA has been active since at least March 2018, and it focuses many of its operations on organizations based in or associated with Kuwait. The group has targeted government, logistics, and shipping organizations. The threat actors gain initial access to targets using DNS hijacking, strategic web compromise with SMB forced authentication, and password brute force attacks. COBALT KATANA operates a custom platform referred to as the Sakabota Framework, also referred to as Sakabota Core, with a complimentary set of modular backdoors and accessory tools including Gon, Hisoka, Hisoka Netero, Killua, Diezen, and Eye. The group has implemented DNS tunnelling in its malware and malicious scripts and also operates the HyphenShell web shell to strengthen post-intrusion access. CTU researchers assess with moderate confidence that COBALT KATANA operates on behalf of Iran, and elements of its operations such as overlapping infrastructure, use of DNS hijacking, implementation of DNS-based C2 channels in malware and web shell security mechanisms suggest connections to COBALT GYPSY and COBALT EDGEWATER.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular COBALT KATANA.

Known Synonyms
Hive0081 (IBM)
Hunter Serpens
SectorD01 (NHSC)
xHunt campaign (Palo Alto)
Internal MISP references

UUID d1c25b0e-e4c5-4b7c-b790-2e185cb2f07e which can be used as unique global reference for COBALT KATANA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Dark Basin

Dark Basin is a hack-for-hire group that has targeted thousands of individuals and hundreds of institutions on six continents. Targets include advocacy groups and journalists, elected and senior government officials, hedge funds, and multiple industries. Dark Basin extensively targeted American nonprofits, including organisations working on a campaign called #ExxonKnew, which asserted that ExxonMobil hid information about climate change for decades. We also identify Dark Basin as the group behind the phishing of organizations working on net neutrality advocacy, previously reported by the Electronic Frontier Foundation. We link Dark Basin with high confidence to an Indian company, BellTroX InfoTech Services, and related entitie

Internal MISP references

UUID 3cbc52d5-fe4d-4d7a-a5e9-641b7c073d62 which can be used as unique global reference for Dark Basin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GALLIUM

GALLIUM, is a threat actor believed to be targeting telecommunication providers over the world, mostly South-East Asia, Europe and Africa. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GALLIUM.

Known Synonyms
Alloy Taurus
Granite Typhoon
Red Dev 4
Internal MISP references

UUID e400b6c5-77cf-453d-ba0f-44575583ac6c which can be used as unique global reference for GALLIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN
Related clusters

To see the related clusters, click here.

Evilnum

ESET has analyzed the operations of Evilnum, the APT group behind the Evilnum malware previously seen in attacks against financial technology companies. While said malware has been seen in the wild since at least 2018 and documented previously, little has been published about the group behind it and how it operates. The group’s targets remain fintech companies, but its toolset and infrastructure have evolved and now consist of a mix of custom, homemade malware combined with tools purchased from Golden Chickens, a Malware-as-a-Service (MaaS) provider whose infamous customers include FIN6 and Cobalt Group.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evilnum.

Known Synonyms
DeathStalker
EvilNum
Jointworm
KNOCKOUT SPIDER
TA4563
Internal MISP references

UUID b6f3150f-2240-4c57-9dda-5144c5077058 which can be used as unique global reference for Evilnum in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Fox Kitten

PIONEER KITTEN is an Iran-based adversary that has been active since at least 2017 and has a suspected nexus to the Iranian government. This adversary appears to be primarily focused on gaining and maintaining access to entities possessing sensitive information of likely intelligence interest to the Iranian government. According to DRAGOS, they also targeted ICS-related entities using known VPN vulnerabilities. They are widely known to use open source penetration testing tools for reconnaissance and to establish encrypted communications.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fox Kitten.

Known Synonyms
Lemon Sandstorm
PARISITE
PIONEER KITTEN
RUBIDIUM
UNC757
Internal MISP references

UUID bfb0bc20-5bdf-47ff-b07f-dbd9a3cb9772 which can be used as unique global reference for Fox Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR
Related clusters

To see the related clusters, click here.

XDSpy

Rare is the APT group that goes largely undetected for nine years, but XDSpy is just that; a previously undocumented espionage group that has been active since 2011. It has attracted very little public attention, with the exception of an advisory from the Belarusian CERT in February 2020. In the interim, the group has compromised many government agencies and private companies in Eastern Europe and the Balkans.

Internal MISP references

UUID b205584e-db93-433a-b97a-7f2e19d8c188 which can be used as unique global reference for XDSpy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Government, Administration']

Evil Corp

Evil Corp is an internaltional cybercrime network. In December of 2019 the US Federal Government offered a $5M bounty for information leading to the arrest and conviction of Maksim V. Yakubets for allegedly orchestrating Evil Corp operations. Responsible for stealing over $100M from businesses and consumers. The Evil Corp organization is known for utilizing custom strains of malware such as JabberZeus, Bugat and Dridex to steal banking credentials.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evil Corp.

Known Synonyms
GOLD DRAKE
Internal MISP references

UUID c30fbdc8-b66d-4242-a02a-e01946bc86d8 which can be used as unique global reference for Evil Corp in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TRACER KITTEN

In April 2020, Crowstrike Falcon OverWatch discovered Iran-based adversary TRACER KITTEN conducting malicious interactive activity against multiple hosts at a telecommunications company in the Europe, Middle East and Africa (EMEA) region. The actor was found operating under valid user accounts, using custom backdoors in combination with SSH tunnels for C2. The adversary leveraged their foothold to conduct a variety of reconnaissance activities, undertake credential harvesting and prepare for data exfiltration.

Internal MISP references

UUID 6cc574c0-3dfa-459c-933a-4c63490c4e93 which can be used as unique global reference for TRACER KITTEN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR
targeted-sector ['Telecoms']

FIN11

FIN11 is a well-established financial crime group that has recently focused its operations on ransomware and extortion. The group has been active since 2017 and has been tracked under UNC902 and later on as TEMP.Warlok. In some ways, FIN11 is reminiscent of APT1; they are notable not for their sophistication, but for their sheer volume of activity.(FireEye) Mandiant has also responded to numerous FIN11 intrusions, but we’ve only observed the group successfully monetize access in few instances. This could suggest that the actors cast a wide net during their phishing operations, then choose which victims to further exploit based on characteristics such as sector, geolocation or perceived security posture. Recently, FIN11 has deployed CLOP ransomware and threatened to publish exfiltrated data to pressure victims into paying ransom demands. The group’s shifting monetization methods—from point-of-sale (POS) malware in 2018, to ransomware in 2019, and hybrid extortion in 2020—is part of a larger trend in which criminal actors have increasingly focused on post-compromise ransomware deployment and data theft extortion. Notably, FIN11 includes a subset of the activity security researchers call TA505, Graceful Spider, Gold Evergreen, but we do not attribute TA505’s early operations to FIN11 and caution against using the names interchangeably. Attribution of both historic TA505 activity and more recent FIN11 activity is complicated by the actors’ use of criminal service providers. Like most financially motivated actors, FIN11 doesn’t operate in a vacuum. We believe that the group has used services that provide anonymous domain registration, bulletproof hosting, code signing certificates, and private or semi-private malware. Outsourcing work to these criminal service providers likely enables FIN11 to increase the scale and sophistication of their operations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN11.

Known Synonyms
TEMP.Warlock
UNC902
Internal MISP references

UUID c01aadc6-1087-4e8e-8d5c-a27eba409fe3 which can be used as unique global reference for FIN11 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

UNC1878

UNC1878 is a financially motivated threat actor that monetizes network access via the deployment of RYUK ransomware. Earlier this year, Mandiant published a blog on a fast-moving adversary deploying RYUK ransomware, UNC1878. Shortly after its release, there was a significant decrease in observed UNC1878 intrusions and RYUK activity overall almost completely vanishing over the summer. But beginning in early fall, Mandiant has seen a resurgence of RYUK along with TTP overlaps indicating that UNC1878 has returned from the grave and resumed their operations.

Internal MISP references

UUID 3c2bb7d7-a085-4594-adc7-4a20cf724abb which can be used as unique global reference for UNC1878 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Red Charon

Throughout 2019, multiple companies in the Taiwan high-tech ecosystem were victims of an advanced persistent threat (APT) attack. Due to these APT attacks having similar behavior profiles (similar adversarial techniques, tactics, and procedures or TTP) with each other and previously documented cyberattacks, CyCraft assess with high confidence these new attacks were conducted by the same foreign threat actor. During their investigation, they dubbed this threat actor Chimera. “Chimera” stands for the synthesis of hacker tools that they’ve seen the group use, such as the skeleton key malware that contained code extracted from both Dumpert and Mimikatz — hence Chimera. Their operation — the entirety of the new attacks utilizing the Skeleton Key attack (described below) from late 2018 to late 2019, CyCraft have dubbed Operation Skeleton Key.

Internal MISP references

UUID c8b961fe-3698-41ac-aba1-002ee3c19531 which can be used as unique global reference for Red Charon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC2452

Reporting regarding activity related to the SolarWinds supply chain injection has grown quickly since initial disclosure on 13 December 2020. A significant amount of press reporting has focused on the identification of the actor(s) involved, victim organizations, possible campaign timeline, and potential impact. The US Government and cyber community have also provided detailed information on how the campaign was likely conducted and some of the malware used. MITRE’s ATT&CK team — with the assistance of contributors — has been mapping techniques used by the actor group, referred to as UNC2452/Dark Halo by FireEye and Volexity respectively, as well as SUNBURST and TEARDROP malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC2452.

Known Synonyms
DarkHalo
Midnight Blizzard
NOBELIUM
Solar Phoenix
StellarParticle
Internal MISP references

UUID 2ee5ed7a-c4d0-40be-a837-20817474a15b which can be used as unique global reference for UNC2452 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 100
country RU
Related clusters

To see the related clusters, click here.

TeamTNT

In early Febuary, 2021 TeamTNT launched a new campaign against Docker and Kubernetes environments. Using a collection of container images that are hosted in Docker Hub, the attackers are targeting misconfigured docker daemons, Kubeflow dashboards, and Weave Scope, exploiting these environments in order to steal cloud credentials, open backdoors, mine cryptocurrency, and launch a worm that is looking for the next victim. They're linked to the First Crypto-Mining Worm to Steal AWS Credentials and Hildegard Cryptojacking malware. TeamTNT is a relatively recent addition to a growing number of threats targeting the cloud. While they employ some of the same tactics as similar groups, TeamTNT stands out with their social media presence and penchant for self-promotion. Tweets from the TeamTNT’s account are in both English and German although it is unknown if they are located in Germany.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TeamTNT.

Known Synonyms
Adept Libra
Internal MISP references

UUID 27de6a09-844b-4dcb-9ff9-7292aad826ba which can be used as unique global reference for TeamTNT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to HAFNIUM, a group assessed to be state-sponsored and operating out of China, based on observed victimology, tactics and procedures. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA.In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAFNIUM.

Known Synonyms
ATK233
G0125
Operation Exchange Marauder
Red Dev 13
Silk Typhoon
Internal MISP references

UUID 4f05d6c1-3fc1-4567-91cd-dd4637cc38b5 which can be used as unique global reference for HAFNIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 100
country CN
Related clusters

To see the related clusters, click here.

RedEcho

RedEcho: The group made heavy use of AXIOMATICASYMPTOTE — a term we use to track infrastructure that comprises ShadowPad C2s, which is shared between several Chinese threat activity groups

Internal MISP references

UUID 986fcc3f-5f36-4975-bf5f-c42524466bbd which can be used as unique global reference for RedEcho in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Ghostwriter

Ghostwriter is referred as an 'activity set', with various incidents tied together by overlapping behavioral characteristics and personas, rather than as an actor or group in itself.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ghostwriter.

Known Synonyms
DEV-0257
PUSHCHA
Storm-0257
TA445
UNC1151
Internal MISP references

UUID 749aaa11-f0fd-416b-bf6c-112f9b5930a5 which can be used as unique global reference for Ghostwriter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Belarus
cfr-suspected-victims ['Germany', 'Latvia', 'Lithuania', 'Poland', 'Ukraine']
cfr-target-category ['Government']
country BY
Related clusters

To see the related clusters, click here.

Yanbian Gang

RiskIQ characterizes the Yanbian Gang as a group that targeted South Korean Android mobile banking customers since 2013 with malicious Android apps purporting to be from major banks, namely Shinhan Savings Bank, Saemaul Geumgo, Shinhan Finance, KB Kookmin Bank, and NH Savings Bank.

Internal MISP references

UUID eaeae8e9-cc4b-4be8-82fd-8edc65ff9a5e which can be used as unique global reference for Yanbian Gang in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['South Korea', 'Japan']

TRAVELING SPIDER

Crowdstrike Tracks the criminal developer of Nemty ransomware as TRAVELING SPIDER. The actor has been observed to take advantage of single-factor authentication to gain access to victim organizations through Citrix Gateway and send extortion-related emails using the victim’s own Microsoft Office 365 instance.

Internal MISP references

UUID a515632e-3374-4602-911e-4f4e259ae0fd which can be used as unique global reference for TRAVELING SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MALLARD SPIDER

Crowdstrike tarcks the operators behind the Qbot as MALLARD SPIDER

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MALLARD SPIDER.

Known Synonyms
GOLD LAGOON
Internal MISP references

UUID 08f4bfa6-8326-42b5-a9e2-d6e1c360a160 which can be used as unique global reference for MALLARD SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RIDDLE SPIDER

According to Crowdstrike, RIDDLE SPIDER is the operator behind the avaddon ransomware

Internal MISP references

UUID 090d0553-cdcf-4f4e-ae3b-b5d751acaf5d which can be used as unique global reference for RIDDLE SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD DUPONT

GOLD DUPONT is a financially motivated cybercriminal threat group that specializes in post-intrusion ransomware attacks using 777 (aka Defray777 or RansomExx) malware. Active since November 2018, GOLD DUPONT establishes initial access into victim networks using stolen credentials to remote access services like virtual desktop infrastructure (VDI) or virtual private networks (VPN). From October 2019 to early 2020 the group used GOLD BLACKBURN's TrickBot malware as an initial access vector (IAV) during some intrusions. Since July 2020, the group has also used GOLD SWATHMORE's IcedID (Bokbot) malware as an IAV in some intrusions.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD DUPONT.

Known Synonyms
SPRITE SPIDER
Internal MISP references

UUID 3570552c-c46f-428e-9472-744a14e6ece7 which can be used as unique global reference for GOLD DUPONT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SOLAR SPIDER

SOLAR SPIDER’s phishing campaigns deliver the JSOutProx RAT to financial institutions across Africa, the Middle East, South Asia and Southeast Asia.

Internal MISP references

UUID f65103ad-f051-47c3-b90e-c77239a4d65c which can be used as unique global reference for SOLAR SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Finance']

VIKING SPIDER

VIKING SPIDER is the criminal group behind the development and distribution of Ragnar Locker ransomware. While public reporting indicates the group began threatening to leak victim data in February 2020, a DLS was not observed until April 2020. The DLS is hosted on Tor, and similar to other actors, proof of data exfiltration is provided before the stolen data is fully leaked. It was also noted that On Dec. 22, 2020, a new post made to MountLocker ransomware’s Tor-hosted DLS was titled 'Cartel News' and included details of a victim of VIKING SPIDER’s Ragnar Locker

Internal MISP references

UUID ffc02459-3d94-4558-bff0-2e7f0bbf70c6 which can be used as unique global reference for VIKING SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

CIRCUS SPIDER

According to Crowdstrike, the NetWalker ransomware is being developed and maintained by a Russian-speaking actor designated as CIRCUS SPIDER. Initially discovered in September 2019and havinga compilation timestamp dating back to 28 August 2019, NetWalker has been found to be used in Big Game Hunting (BGH)-style operations while also being distributed via spam. CIRCUS SPIDER is advertising NetWalkeras being a closed-affiliate program,and verifies applicants before they are being accepted as an affiliate. The requirements rangefrom providing proof of previous revenue in similar affiliates programs, experience in the field and what type of industry the applicantis targeting.

Internal MISP references

UUID 3ebf503c-c554-4ac3-aa3e-3ef114ca2345 which can be used as unique global reference for CIRCUS SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

GOLD EVERGREEN

GOLD EVERGREEN was a financially motivated cybercriminal threat group that operated the Gameover Zeus (aka Mapp, P2P Zeus) botnet until June 2014. It encompasses an expansive and long running criminal conspiracy operated by a confederation of individuals calling themselves The Business Club from the mid 2000s until 2014. GOLD EVERGREEN's technical operation was facilitated primarily through botnets using the Zeus, JabberZeus, and eventually Gameover Zeus malware families. These malware families were designed and maintained by a Russian national Evgeniy Bogachev (aka 'slavik') who was indicted by the U.S. DOJ in 2014 and remains a fugitive.

Internal MISP references

UUID fc1c1d9f-1432-417f-a3bf-e730ddd1d139 which can be used as unique global reference for GOLD EVERGREEN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BAMBOO SPIDER

Crowdstrike tracks the developer of Panda Zeus as BAMBOO SPIDER

Internal MISP references

UUID 419599eb-c1ea-4d32-8c9e-0ad61d7c5ba5 which can be used as unique global reference for BAMBOO SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BOSON SPIDER

BOSON SPIDER is a cyber criminal group, which was first identified in 2015, recently and inexplicably went dark in the spring of 2016, appears to be a tightly knit group operating out of Eastern Europe. They have used a variety of distribution mechanisms such as the infamous (and now defunct) angler exploit kit, and obfuscated JavaScript to reduce the detection by antivirus solutions.

Internal MISP references

UUID 9c11a822-2239-42ca-a439-ee57edb44ebf which can be used as unique global reference for BOSON SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

OVERLORD SPIDER

OVERLORD SPIDER, aka The Dark Overlord. Similar to ransomware operators today, OVERLORD SPIDER likely purchased RDP access to compromised servers on underground forums in order to exfiltrate data from corporate networks. The actor was known to attempt to “sell back” the data to the respective victims, threatening to sell the data to interested parties should the victim refuse to pay. There was at least one identified instance of OVERLORD SPIDER successfully selling victim data on an underground market.

Internal MISP references

UUID b43ce229-feaa-4731-9926-e0970140ab0b which can be used as unique global reference for OVERLORD SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

OUTLAW SPIDER

On May 7, 2019, Mayor Bernard “Jack” Young confirmed that the network for the U.S. City of Baltimore (CoB) was infected with ransomware, which was announced via Twitter1. This infection was later confirmed to be conducted by OUTLAW SPIDER, which is the actor behind the RobbinHood ransomware. The actor demanded to be paid 3 BTC (approximately $17,600 USD at the time) per infected system, or 13 BTC (approximately $76,500 USD at the time) for all infected systems to recover the city’s files.

Internal MISP references

UUID ae121063-3960-4834-90d7-66aad69c5e8b which can be used as unique global reference for OUTLAW SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
targeted-sector ['Government, Administration']

MIMIC SPIDER

MIMIC SPIDER is mentioned in two summary reports only

Internal MISP references

UUID 20e2be89-a54d-46c7-a837-1f17359f30ba which can be used as unique global reference for MIMIC SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HOUND SPIDER

According to Crowdstrike, HOUND SPIDER affiliates arrested in Romania on December,2017

Internal MISP references

UUID 22dd1608-272c-4243-9bda-25eec834a24d which can be used as unique global reference for HOUND SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD BURLAP

GOLD BURLAP is a group of financially motivated criminals responsible for the development of the Pysa ransomware, also referred to as Mespinoza. Pysa is a cross-platform ransomware with known versions written in C++ and Python. As of December 2020, approximately 50 organizations had reportedly been targeted in Pysa ransomware attacks. The operators leverage 'name and shame' tactics to apply additional pressure to victims. As of January 2021, CTU researchers had found no Pysa advertisements on underground forums, which likely indicates that it is not operated as ransomware as a service (RaaS).

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD BURLAP.

Known Synonyms
CYBORG SPIDER
Internal MISP references

UUID d34ca487-1613-4ee5-8930-2ac8a60f945f which can be used as unique global reference for GOLD BURLAP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-target-category ['Healthcare']
Related clusters

To see the related clusters, click here.

GOLD CABIN

GOLD CABIN is a financially motivated cybercriminal threat group operating a malware distribution service on behalf of numerous customers since 2018. GOLD CABIN uses malicious documents, often contained in password-protected archives, delivered through email to download and execute payloads. The second-stage payloads are most frequently Gozi ISFB (Ursnif) or IcedID (Bokbot), sometimes using intermediary malware like Valak. GOLD CABIN infrastructure relies on artificial appearing and frequently changing URLs created with a domain generation algorithm (DGA). The URLs host a PHP object that returns the malware as a DLL file.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD CABIN.

Known Synonyms
ATK236
G0127
Monster Libra
Shakthak
TA551
Internal MISP references

UUID 36e8c848-4d20-47ea-9fc2-31aa17bf82d1 which can be used as unique global reference for GOLD CABIN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD FAIRFAX

GOLD FAIRFAX is a financially motivated cybercriminal threat group responsible for the creation, distribution, and operation of the Ramnit botnet. Ramnit, the phonetic spelling of RMNet, the internal name of the core module, began operation in April 2010 and became widespread in July 2010. A particularly virulent file-infecting component of early Ramnit variants that spreads by modifying executables and HTML files has resulted in the continued prevalence of those early variants. Currently, Ramnit remains an actively maintained and distributed threat. The intent of Ramnit is to intercept and manipulate online financial transactions through modification of web browser behavior ('man-in-the-browser').

Internal MISP references

UUID eadc8c5c-a97d-454e-8e67-475ac60749bf which can be used as unique global reference for GOLD FAIRFAX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD FLANDERS

GOLD FLANDERS is a financially motivated group responsible for distributed denial of service (DDOS) attacks linked to extortion emails demanding between 5 and 30 bitcoins. The attacks consist mostly of fragmented UDP packets (DNS and NTP reflection) as well as other traffic that can vary per victim. The arrival of the extortion email is timed to coincide with a DDOS attack consisting of traffic between 20 Gbps and 200 Gbps and 12-15 million packets per second, lasting between 20 and 70 minutes targeted at a particular Autonomous System Number (ASN) or group of IP addresses. In some cases victim organisations have replied to these extortion emails and received personal replies from GOLD FLANDERS operators within 20 minutes.

Internal MISP references

UUID 20180cbb-27e3-49d5-922e-1e3bddc6c085 which can be used as unique global reference for GOLD FLANDERS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD GALLEON

GOLD GALLEON is a financially motivated cybercriminal threat group comprised of at least 20 criminal associates that collectively carry out business email compromise (BEC) and spoofing (BES) campaigns. The group appears to specifically target maritime organizations and their customers. CTU researchers have observed GOLD GALLEON targeting firms in South Korea, Japan, Singapore, Philippines, Norway, U.S., Egypt, Saudi Arabia, and Colombia. The threat actors leverage tools, tactics, and procedures that are similar to those used by other BEC/BES groups CTU researchers have previously investigated, such as GOLD SKYLINE. The groups have used the same caliber of publicly available malware (inexpensive and commodity remote access trojans), crypters, and email lures.

Internal MISP references

UUID 6976b33c-a45b-4330-b0d8-8ef029ef830e which can be used as unique global reference for GOLD GALLEON in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD GARDEN

GOLD GARDEN was a financially motivated cybercriminal threat group that authored and operated the GandCrab ransomware from January 2018 through May 2019. GandCrab was operated as a ransomware-as-a-service operation whereby numerous affiliates distributed the malware and split ransom payments with the core operators. GOLD GARDEN maintained exclusive control of the development of GandCrab and associated command and control (C2) infrastructure. Individual affiliates, of which there were frequently more than a dozen in operation simultaneously, coordinated the distribution of GandCrab through spam emails, web exploit kits, pay-per-install botnets, and scan-and-exploit style attacks. On May 31, 2019 the operators announced they have halted operations with no intent to resume for unknown reasons. In April 2019 the operators of GOLD GARDEN transferred the source code of GandCrab to GOLD SOUTHFIELD who used it as the foundation of the REvil ransomware operation. GOLD SOUTHFIELD operates a similar affiliate program comprised largely of former GandCrab users and other groups recruited from underground forums.

Internal MISP references

UUID c0f86de9-888e-42b0-90f4-f313808533ff which can be used as unique global reference for GOLD GARDEN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD MANSARD

GOLD MANSARD is a financially motivated cybercriminal threat group that operated the Nemty ransomware from August 2019. The threat actor behind Nemty is known on Russian underground forums as 'jsworm'. Nemty was operated as a ransomware as a service (RaaS) affiliate program and featured a 'name and shame' website where exfiltrated victim data was leaked. In April 2020, jsworm appeared to acquire new partners and retired the Nemty ransomware. This was followed by the introduction of Nefilim ransomware, which does not operate as an affiliate model. Nefilim has been used in post-intrusion ransomware attacks against organizations in logistics, telecommunications, energy and other sectors.

Internal MISP references

UUID bda575ed-5066-4625-98ef-938bbffddc00 which can be used as unique global reference for GOLD MANSARD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD NORTHFIELD

Operational since at least October 2020, GOLD NORTHFIELD is a financially motivated cybercriminal threat group that leverages GOLD SOUTHFIELD's REvil ransomware in their attacks. To do this, the threat actors replace the configuration of the REvil ransomware binary with their own in an effort to repurpose the ransomware for their operations. GOLD NORTHFIELD has given this modified REvil ransomware variant the name 'LV ransomware'.

Internal MISP references

UUID 4c51f24c-90a1-4f22-b932-bd4bb9d488f6 which can be used as unique global reference for GOLD NORTHFIELD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD RIVERVIEW

GOLD RIVERVIEW was a financially motivated cybercriminal group that facilitated the distribution of malware- and scam-laden spam email on behalf of its customers. This threat group authored and sold the Necurs rootkit beginning in early 2014, including to GOLD EVERGREEN who integrated it into Gameover Zeus. GOLD RIVERVIEW also operated a global botnet that was colloquially known as Necurs (CraP2P) and was a major source of spam email from 2016 through 2018. Necurs distributed malware such as GOLD DRAKE's Dridex (Bugat v5), GOLD BLACKBURN's TrickBot, and other families like Locky and FlawedAmmy. Necurs also distributed a large volume of email pushing securities 'pump and dump' scams, rogue pharmacies, and fraudulent dating sites. On March 4, 2019 all three active segments of the Necurs botnet ceased operation and have not since resumed. On March 10, 2020 Microsoft took civil action against GOLD RIVERVIEW and made technical steps that would complicate the threat actors' ability to reconstitute the botnet.

Internal MISP references

UUID 3806516d-151b-4869-88bc-1f2a2cb73c3c which can be used as unique global reference for GOLD RIVERVIEW in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD SKYLINE

GOLD SKYLINE is a financially motivated cybercriminal threat group operating from Nigeria engaged in high-value wire fraud facilitated by business email compromise (BEC) and spoofing (BES). Also known as Wire-Wire Group 1 (WWG1), GOLD SKYLINE has been active since at least 2016 and relies heavily on compromised email accounts, social engineering, and increasingly malware to divert inter-organization funds transfers.

Internal MISP references

UUID dcb6b056-7a1b-484c-82ee-f3962d47bcd9 which can be used as unique global reference for GOLD SKYLINE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD SOUTHFIELD

GOLD SOUTHFIELD is a financially motivated cybercriminal threat group that authors and operates the REvil (aka Sodinokibi) ransomware on behalf of various affiliated threat groups. Operational since April 2019, the group obtained the GandCrab source code from GOLD GARDEN, the operators of GandCrab that voluntarily withdrew their ransomware from underground markets in May 2019. GOLD SOUTHFIELD is responsible for authoring REvil and operating the backend infrastructure used by affiliates (also called partners) to create malware builds and to collect ransom payments from victims. CTU researchers assess with high confidence that GOLD SOUTHFIELD is a former GandCrab affiliate and continues to work with other former GandCrab affiliates.

Internal MISP references

UUID 262c8537-1cdb-4297-aa3e-1410164160bf which can be used as unique global reference for GOLD SOUTHFIELD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD SYMPHONY

GOLD SYMPHONY is a financially motivated cybercrime group, likely based in Russia, that is responsible for the development and sale on underground forums of the Buer Loader malware. First discovered around August 2019, Buer Loader is offered as a malware-as-a-service (MasS) and has been advertised by a threat actor using the handle 'memeos'. Customers include GOLD BLACKBURN, the operators of the TrickBot malware. In addition to TrickBot, Buer Loader has been reported to download Cobalt Strike and other tools for use in post-intrusion ransomware attacks.

Internal MISP references

UUID bf151740-b667-4f06-87a1-131c3261cca2 which can be used as unique global reference for GOLD SYMPHONY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD WATERFALL

GOLD WATERFALL is a group of financially motivated cybercriminals responsible for the creation, distribution, and operation of the Darkside ransomware. Active since August 2020, GOLD WATERFALL uses a variety of tactics, techniques, and procedures (TTPs) to infiltrate and move laterally within targeted organizations to deploy Darkside ransomware to its most valuable resources. Among these TTPs are using malicious documents delivered by email to establish a foothold and using stolen credentials to access victims' remote access services. In November 2020, the 'darksupp' persona was observed advertising an affiliate program on several semi-exclusive underground forums, marking GOLD WATERFALL's entry into the ransomware-as-a-service (RaaS) landscape.

Internal MISP references

UUID 4d787c58-2581-4696-ad6c-e0e36ed2bac7 which can be used as unique global reference for GOLD WATERFALL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GOLD WINTER

GOLD WINTER are a financially motivated group, likely based in Russia, who operate the Hades ransomware. Hades activity was first identified in December 2020 and its lack of presence on underground forums and marketplaces leads CTU researchers to conclude that it is not operated under a ransomware as a service affiliate model. GOLD WINTER do employ name-and-shame tactics, where data is stolen and used as additional leverage over victims, but rather than a single centralized leak site CTU researchers have observed the group using Tor sites customized for each victim that include a Tox chat ID for communication, which also appears to be unique for each victim.

Internal MISP references

UUID 6c514d9d-e2fa-45a5-a938-9a461f69ad2d which can be used as unique global reference for GOLD WINTER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BackdoorDiplomacy

An APT group that we are calling BackdoorDiplomacy, due to the main vertical of its victims, has been targeting Ministries of Foreign Affairs and telecommunication companies in Africa and the Middle East since at least 2017.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BackdoorDiplomacy.

Known Synonyms
BackDip
CloudComputating
Quarian
Internal MISP references

UUID 6472be4d-c186-4c86-b3b7-7dc1b4d3a3d8 which can be used as unique global reference for BackdoorDiplomacy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Libya', 'Namibia', 'Sudan', 'Albania', 'Croatia', 'Georgia', 'Poland', 'Iran', 'Qatar', 'Saudi Arabia', 'Sri Lanka', 'Uzbekistan']
cfr-target-category ['Government', 'Telecomms']

Gelsemium

The Gelsemium group has been active since at least 2014 and was described in the past by a few security companies. Gelsemium’s name comes from one possible translation ESET found while reading a report from VenusTech who dubbed the group 狼毒草 for the first time. It’s the name of a genus of flowering plants belonging to the family Gelsemiaceae, Gelsemium elegans is the species that contains toxic compounds like Gelsemine, Gelsenicine and Gelsevirine, which ESET choses as names for the three components of this malware family.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gelsemium.

Known Synonyms
狼毒草
Internal MISP references

UUID 2dd31182-bae1-48ed-8bb3-805a3df89783 which can be used as unique global reference for Gelsemium in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['North Korea', 'South Korea', 'Japan', 'China', 'Mongolia', 'Egypt', 'Saudi Arabia', 'Yemen', 'Oman', 'Iran', 'Iraq', 'Kuwait', 'Israel', 'Jordan', 'Gaza', 'Syria', 'Turkey', 'Lebanon']
cfr-target-category ['Government', 'Electronics Manufacturers', 'Universities', 'Religious organization']

BelialDemon

Mentioned as operator of TriumphLoader and Matanbuchus

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BelialDemon.

Known Synonyms
Matanbuchus
Internal MISP references

UUID e7aff414-fc21-43eb-ad5d-9a46e07be9f5 which can be used as unique global reference for BelialDemon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Common Raven

Threat actor Common Raven has been actively targeting financial sector institutions, compromising their SWIFT payment infrastructure to send out fraudulent payments.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Common Raven.

Known Synonyms
DESKTOP-GROUP
NXSMS
OPERA1ER
Internal MISP references

UUID da581c60-7c3d-4de6-b54c-cafea1c58389 which can be used as unique global reference for Common Raven in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

FIN13

Since 2017, Mandiant has been tracking FIN13, an industrious and versatile financially motivated threat actor conducting long-term intrusions in Mexico with an activity timeframe stretching back as early as 2016. Although their operations continue through the present day, in many ways FIN13's intrusions are like a time capsule of traditional financial cybercrime from days past. Instead of today's prevalent smash-and-grab ransomware groups, FIN13 takes their time to gather information to perform fraudulent money transfers. Rather than relying heavily on attack frameworks such as Cobalt Strike, the majority of FIN13 intrusions involve heavy use of custom passive backdoors and tools to lurk in environments for the long haul.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular FIN13.

Known Synonyms
Elephant Beetle
TG2003
Internal MISP references

UUID 60fa684d-c738-4b77-98fb-3f6605e2bb82 which can be used as unique global reference for FIN13 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

SideCopy

The SideCopy APT is a Pakistani threat actor that has been operating since at least 2019, mainly targeting South Asian countries and more specifically India and Afghanistan. Its name comes from its infection chain that tries to mimic that of the SideWinder APT. It has been reported that this actor has similarities with Transparent Tribe (APT36) and possibly is a subdivision of this actor. Cisco Talos and Seqrite have provided comprehensive reports on this actor’s activities.

Internal MISP references

UUID f6d02ac3-3447-4892-b844-1ef31839e04f which can be used as unique global reference for SideCopy in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country PK

Antlion

Antlion is a Chinese state-backed advanced persistent threat (APT) group, who has been targeting financial institutions in Taiwan. This persistent campaign has lasted over the course of at least 18 months.

Internal MISP references

UUID 8482f350-867c-11ec-a8a3-0242ac120002 which can be used as unique global reference for Antlion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Taiwan']
cfr-target-category ['Financial']
country CN

TA2541

Persistent cybercrime threat actor targeting aviation, aerospace, transportation, manufacturing, and defense industries for years. This threat actor consistently uses remote access trojans (RATs) that can be used to remotely control compromised machines. This threat actor uses consistent themes related to aviation, transportation, and travel. The threat actor has used similar themes and targeting since 2017.

Internal MISP references

UUID a57e5bf5-d7f4-43a1-9c15-8a44cdb95079 which can be used as unique global reference for TA2541 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA516

This actor typically distributes instances of the SmokeLoader intermediate downloader, which, in turn, downloads additional malware of the actor’s choice -- often banking Trojans. Figure 3 shows a lure document from a November campaign in which TA516 distributed fake resumes with malicious macros that, if enabled, launch a PowerShell script that downloads SmokeLoader. In this instance, we observed SmokeLoader downloading a Monero coinminer. Since the middle of 2017, TA516 has used similar macro-laden documents as well as malicious JavaScript hosted on Google Drive to distribute both Panda Banker and a coinminer executable via SmokeLoader, often in the same campaigns.

Internal MISP references

UUID 0466bbf1-a187-4b3d-b558-a31e5ca11ea7 which can be used as unique global reference for TA516 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA547

TA547 is responsible for many other campaigns since at least November 2017. The other campaigns by the actor were often localized to countries such as Australia, Germany, the United Kingdom, and Italy. Delivered malware included ZLoader (a.k.a. Terdot), Gootkit, Ursnif, Corebot, Panda Banker, Atmos, Mazar Bot, and Red Alert Android malware.

Internal MISP references

UUID 29fbc8d4-1e6e-4edc-9887-bdf47f36e4c1 which can be used as unique global reference for TA547 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA554

Since May 2018, Proofpoint researchers have observed email campaigns using a new downloader called sLoad. sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries. While initial versions of sLoad appeared in May 2018, we began tracking the campaigns from this actor (internally named TA554) since at least the beginning of 2017.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA554.

Known Synonyms
TH-163
Internal MISP references

UUID 36f1a1b8-e03a-484f-95a3-005345679cbe which can be used as unique global reference for TA554 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA555

Beginning in May 2018, Proofpoint researchers observed a previously undocumented downloader dubbed AdvisorsBot appearing in malicious email campaigns. The campaigns appear to primarily target hotels, restaurants, and telecommunications, and are distributed by an actor we track as TA555. To date, we have observed AdvisorsBot used as a first-stage payload, loading a fingerprinting module that, as with Marap, is presumably used to identify targets of interest to further infect with additional modules or payloads. AdvisorsBot is under active development and we have also observed another version of the malware completely rewritten in PowerShell and .NET.

Internal MISP references

UUID d0d26dae-195f-4503-a6a9-ebb1ec0e07f9 which can be used as unique global reference for TA555 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA800

This attacker is an affiliate distributor of the The Trick, also known as Trickbot, and BazaLoader. (For more on how affiliates work, see the description of TA573). TA800 has targeted a wide range of industries in North America, infecting victims with banking Trojans and malware loaders (malware designed to download other malware onto a compromised device). Malicious emails have often included recipients’ names, titles and employers along with phishing pages designed to look like the targeted company. Lures have included hard-to-resist subjects such as related to payment, meetings, termination, bonuses and complaints in the subject line or body of the email.

Internal MISP references

UUID 75fac2e9-8f2c-4620-a1cc-4b8a61c1bb48 which can be used as unique global reference for TA800 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MosesStaff

Cybereason Nocturnus describes Moses Staff as an Iranian hacker group, first spotted in October 2021. Their motivation appears to be to harm Israeli companies by leaking sensitive, stolen data.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MosesStaff.

Known Synonyms
DEV-0500
Marigold Sandstorm
Moses Staff
Internal MISP references

UUID d45dd940-b38d-4b2c-9f2f-3e4a0eac841c which can be used as unique global reference for MosesStaff in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR
Related clusters

To see the related clusters, click here.

Avivore

The group’s existence came to light during Context’s investigation of a number of attacks against multinational enterprises that compromise smaller engineering services and consultancies working in their supply chains.

Internal MISP references

UUID 8045fc09-13d6-4f90-b239-ed5060b9297b which can be used as unique global reference for Avivore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

HAZY TIGER

The Bitter threat group initially started using RAT tools in their campaigns, as the first Bitter versions, for Android released in 2014 were based on the AndroRAT framework. Over time, they switched to a custom version that has been known as BitterRAT ever since.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular HAZY TIGER.

Known Synonyms
APT-C-08
Bitter
Orange Yali
T-APT-17
Internal MISP references

UUID 1e9bd6fe-e009-41ce-8e92-ad78c73ee772 which can be used as unique global reference for HAZY TIGER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country IN

LAPSUS

An actor group conducting large-scale social engineering and extortion campaign against multiple organizations with some seeing evidence of destructive elements.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LAPSUS.

Known Synonyms
DEV-0537
LAPSUS$
SLIPPY SPIDER
Strawberry Tempest
Internal MISP references

UUID d9e5be22-1a04-4956-af6c-37af02330980 which can be used as unique global reference for LAPSUS in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Scarab

Scarab APT was first spotted in 2015, but is believed to have been active since at least 2012, conducting surgical attacks against a small number of individuals across the world, including Russia and the United States. The backdoor deployed by Scarab in their campaigns is most commonly known as Scieron.

Internal MISP references

UUID ef59014b-79bb-408f-97f1-3c585a240ca7 which can be used as unique global reference for Scarab in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Russia', 'Ukraine', 'United States']
cfr-type-of-incident Espionage
country CN

BladeHawk

Internal MISP references

UUID 0d72c57c-73e3-4739-8144-c8055cabd7dc which can be used as unique global reference for BladeHawk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Kurdistan']
cfr-target-category ['Government']
cfr-type-of-incident Espionage

Copy-Paste

The title ‘Copy-paste compromises’ is derived from the actor’s heavy use of tools copied almost identically from open source given by The Australian Government.

Internal MISP references

UUID 38d75c89-f243-45ee-87e7-e4675f0c53b3 which can be used as unique global reference for Copy-Paste in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Australia']
cfr-target-category ['Government']
cfr-type-of-incident Espionage

Killnet

A group targeting various countries using Denial of Services attacked.

Internal MISP references

UUID ad2d6946-1ec2-4d77-b864-39980af4e103 which can be used as unique global reference for Killnet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['United States', 'Czech Republic']
cfr-target-category ['Government']
cfr-type-of-incident Denial of service

SaintBear

A group targeting UA state organizations using the GraphSteel and GrimPlant malware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular SaintBear.

Known Synonyms
DEV-0587
FROZENVISTA
Nascent Ursa
Nodaria
Saint Bear
Storm-0587
TA471
UAC-0056
UNC2589
Internal MISP references

UUID c67d3dfb-ab39-46e1-a971-5efdfe6a5b9f which can be used as unique global reference for SaintBear in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

UNC3524

Mandiant observed this group operating since December 2019. Its techniques partially overlap with multiple Russian-based espionage actors (APT28 and APT29). They are described as having a high level of operational security, low malware footprint, adept evasive skills, and a large Internet of Things (IoT) device botnet at their disposal.

Internal MISP references

UUID bee8b09c-07e5-4c12-94d6-266ebcb1ec24 which can be used as unique global reference for UNC3524 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-type-of-incident Espionage

Curious Gorge

Curious Gorge, a group TAG attributes to China's PLA SSF, has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia. The actor has remained active against government, military, logistics and manufacturing organizations in Ukraine, Russia and Central Asia. In Russia, long running campaigns against multiple government organizations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers and a Russian logistics company.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Curious Gorge.

Known Synonyms
UNC3742
Internal MISP references

UUID 6ee284d9-2742-4468-851c-a61366cc9a20 which can be used as unique global reference for Curious Gorge in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ukraine', 'Russia', 'Kazakhstan', 'Mongolia']
cfr-target-category ['Government', 'Military', 'Logistics', 'Defense Contractor']
cfr-type-of-incident Espionage
country CN

Red Menshen

Since 2021, Red Menshen, a China based threat actor, which has been observed targeting telecommunications providers across the Middle East and Asia, as well as entities in the government, education, and logistics sectors using a custom backdoor referred as BPFDoor. This threat actor uses a variety of tools in its post-exploitation phase. This includes custom variants of the shared tool Mangzamel (including Golang variants), custom variants of Gh0st, and open source tools like Mimikatz and Metasploit to aid in its lateral movement across Windows systems. Also, They have been seen sending commands to BPFDoor victims via Virtual Privat Servers (VPSs) hosted at a well-known provider, and that these VPSs, in turn, are administered via compromised routers based in Taiwan, which the threat actor uses as VPN tunnels. Most Red Menshen activity that has been observed took place between Monday to Friday (with none observed on the weekends), with most communication taking place between 01:00 and 10:00 UTC.131 This pattern suggests a consistent 8 to 9-hour activity window for the threat actor, with realistic probability of it aligning to local working hours.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Red Menshen.

Known Synonyms
Red Dev 18
Internal MISP references

UUID bfe66711-32dc-4c1f-b78b-9b2f9e4c1525 which can be used as unique global reference for Red Menshen in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Middle East', 'Asia']
cfr-target-category ['Government', 'Education', 'Logistics']
country CN

Cosmic Lynx

Cosmic Lynx is a Russia-based BEC cybercriminal organization that has significantly impacted the email threat landscape with sophisticated, high-dollar phishing attacks.

Internal MISP references

UUID 54ae5c75-8aab-41a8-971a-03d53db9b35c which can be used as unique global reference for Cosmic Lynx in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-type-of-incident Business Email Compromise

ModifiedElephant

Our research into these intrusions revealed a decade of persistent malicious activity targeting specific groups and individuals that we now attribute to a previously unknown threat actor named ModifiedElephant. This actor has operated for years, evading research attention and detection due to their limited scope of operations, the mundane nature of their tools, and their regionally-specific targeting. ModifiedElephant is still active at the time of writing.

Internal MISP references

UUID 6cce6ecc-e6f5-4ae5-b8c5-cf633b7cf973 which can be used as unique global reference for ModifiedElephant in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-target-category ['Civil Society']

EXOTIC LILY

EXOTIC LILY is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol. In early September 2021, the group has been obeserved exploiting a 0day in Microsoft MSHTML (CVE-2021-40444). Investigation lead researchers to believe that they are an Initial Access Broker (IAB) who appear to be working with the Russian cyber crime gang known as FIN12 (Mandiant, FireEye) / WIZARD SPIDER (CrowdStrike). This threat actor deploys tactics, techniques and procedures (TTPs) that are traditionally associated with more targeted attacks, like spoofing companies and employees as a means of gaining trust of a targeted organization through email campaigns that are believed to be sent by real human operators using little-to-no automation. Additionally and rather uniquely, they leverage legitimate file-sharing services like WeTransfer, TransferNow and OneDrive to deliver the payload, namely BUMBLEEBEE and BAZARLOADER, further evading detection mechanisms. This level of human-interaction is rather unusual for cyber crime groups focused on mass scale operations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular EXOTIC LILY.

Known Synonyms
DEV-0413
Internal MISP references

UUID 3ce2a9e0-c435-402a-a7f3-d48b64d1ab9d which can be used as unique global reference for EXOTIC LILY in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA578

TA578, a threat actor that Proofpoint researchers have been tracking since May of 2020. TA578 has previously been observed in email-based campaigns delivering Ursnif, IcedID, KPOT Stealer, Buer Loader, BazaLoader, and Cobalt Strike.

Internal MISP references

UUID d1a8626a-06a5-4ecc-9519-e17fc6724f15 which can be used as unique global reference for TA578 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA579

TA579, a threat actor that Proofpoint researchers have been tracking since August 2021. This actor frequently delivered BazaLoader and IcedID in past campaigns.

Internal MISP references

UUID 7ab283ac-b78f-42db-b564-0550b9637b0b which can be used as unique global reference for TA579 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RansomHouse

This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.

Internal MISP references

UUID 4d522fad-452c-46be-94ea-5803aec9b709 which can be used as unique global reference for RansomHouse in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-target-category ['Private sector']

ToddyCat

ToddyCat is responsible for multiple sets of attacks detected since December 2020 against high-profile entities in Europe and Asia. There is still little information about this actor, but its main distinctive signs are two formerly unknown tools that Kaspersky call ‘Samurai backdoor’ and ‘Ninja Trojan’.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular ToddyCat.

Known Synonyms
Websiic
Internal MISP references

UUID 091a0b69-74de-44b6-bb12-16b7a8fd078b which can be used as unique global reference for ToddyCat in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Afghanistan', 'India', 'Indonesia', 'Iran', 'Kyrgyzstan', 'Malaysia', 'Pakistan', 'Russia', 'Slovakia', 'Taiwan', 'Thailand', 'United Kingdom', 'Uzbekistan', 'Vietnam']
cfr-target-category ['Military', 'Government']

POLONIUM

Microsoft successfully detected and disabled attack activity abusing OneDrive by a previously undocumented Lebanon-based activity group Microsoft Threat Intelligence Center (MSTIC) tracks as POLONIUM.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular POLONIUM.

Known Synonyms
GREATRIFT
Plaid Rain
UNC4453
Internal MISP references

UUID 3c5129ea-8f18-4bcf-a33b-b5aab0720494 which can be used as unique global reference for POLONIUM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 75
cfr-suspected-state-sponsor Lebanon
cfr-suspected-victims ['Israel']
cfr-target-category ['Critical manufacturing', 'Defense industrial base', 'Financial services', 'Food and agriculture', 'Government agencies and services', 'Healthcare', 'Pharmaceuticals', 'Information technology', 'Transportation systems', 'NGOs', 'Civil Society', 'Military', 'Defense']
cfr-type-of-incident Espionage
country LB
Related clusters

To see the related clusters, click here.

Predatory Sparrow

A self-proclaimed hacktivist group that carried out attacks against Iranian railway systems and against Iranian steel plants.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Predatory Sparrow.

Known Synonyms
Gonjeshke Darande
Indra
Internal MISP references

UUID e665ac2f-87b4-4c2e-bef7-78bf0a8af87b which can be used as unique global reference for Predatory Sparrow in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Iran']
cfr-target-category ['Critical manufacturing', 'Transportation systems']
cfr-type-of-incident Sabotage

DEV-0586

MSTIC has not found any notable associations between this observed activity, tracked as DEV-0586, and other known activity groups. MSTIC assesses that the malware (WhisperGate), which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0586.

Known Synonyms
Cadet Blizzard
Ruinous Ursa
Internal MISP references

UUID a5f64c1a-c829-4855-903d-e0ff2098b2d7 which can be used as unique global reference for DEV-0586 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ukraine']
cfr-type-of-incident Sabotage
country RU
Related clusters

To see the related clusters, click here.

Kinsing

This group started operating during the first quarter of 2022. They published samples of alleged stolen data from companies on their site on Tor. It is unclear if they conducted the attacks themselves, or if they bought leaked databases from third parties.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Kinsing.

Known Synonyms
Money Libra
Internal MISP references

UUID bc6f3b91-5a28-46df-9778-179218c809fe which can be used as unique global reference for Kinsing in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Earth Berberoka

According to TrendMicro, Earth Berberoka is a threat group originating from China that mainly focuses on targeting gambling websites. This group's campaign uses multiple malware families that target the Windows, Linux, and macOS platforms that have been attributed to Chinese-speaking actors. Aside from using tried-and-tested malware families that have been upgraded, such as PlugX and Gh0st RAT, Earth Berberoka has also developed a brand-new complex, multistage malware family, which has been dubbed PuppetLoader.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Berberoka.

Known Synonyms
GamblingPuppet
Internal MISP references

UUID 9d82077b-7e95-4b22-8762-3224797ff5f0 which can be used as unique global reference for Earth Berberoka in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['China', 'United States', 'Hong Kong', 'Malaysia', 'Taiwan']
cfr-target-category ['Gambling Websites', 'Information technology', 'Electronics Manufacturers', 'Education']
country CN

Earth Lusca

Earth Lusca is a threat actor from China that targets organizations of interest to the Chinese government, including academic institutions, telecommunication companies, religious organizations, and other civil society groups. Earth Lusca's tools closely resemble those used by Winnti Umbrella, but the group appears to operate separately from Winnti. Earth Lusca has also been observed targeting cryptocurrency payment platforms and cryptocurrency exchanges in what are likely financially motivated attacks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Lusca.

Known Synonyms
AQUATIC PANDA
BRONZE UNIVERSITY
BountyGlad
CHROMIUM
Charcoal Typhoon
ControlX
FISHMONGER
Red Dev 10
Red Scylla
RedHotel
TAG-22
Internal MISP references

UUID 39150b30-61af-4d9c-9682-1595e145f3c1 which can be used as unique global reference for Earth Lusca in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Australia', 'China', 'France', 'Germany', 'Hong Kong', 'Japan', 'Mongolia', 'Nepal', 'Nigeria', 'Philippines', 'Taiwan', 'Thailand', 'United Arab Emirates', 'United States', 'Vietnam']
cfr-target-category ['Gambling companies', 'Government Institutions', 'Education', 'Media and Entertainment', 'Pro-democracy and human rights political organizations', 'Telecommunications', 'Religious organization', 'Cryptocurrency', 'Medical', 'Covid-19 research organizations']
country CN
Related clusters

To see the related clusters, click here.

Earth Wendigo

Earth Wendigo is a threat actor from China that has been targeting several organizations — including government organizations, research institutions, and universities in Taiwan — since May 2019, aiming to exfiltrate emails from targeted organizations via the injection of JavaScript backdoors to a webmail system that is widely used in Taiwan. The threat actor also sent spear-phishing emails embedded with malicious links to multiple individuals, including politicians and activists, who support movements in Tibet, the Uyghur region, or Hong Kong.

Internal MISP references

UUID c96e1329-cf7e-44ac-a3db-9e251dc98ec5 which can be used as unique global reference for Earth Wendigo in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Hong Kong', 'Taiwan']
cfr-target-category ['Government', 'Education']
country CN

BRONZE EDGEWOOD

In early 2021 CTU researchers observed BRONZE EDGEWOOD exploiting the Microsoft Exchange Server of an organization in Southeast Asia. The threat group deployed a China Chopper webshell and ran the Nishang Invoke-PowerShellTcp.ps1 script to connect back to C2 infrastructure. The threat group is publicly linked to malware families Chinoxy, PCShare and FunnyDream. CTU researchers have discovered that BRONZE EDGEWOOD also leverages Cobalt Strike in its intrusion activity. BRONZE EDGEWOOD has been active since at least 2018 and targets government and private enterprises across Southeast Asia. CTU researchers assess with moderate confidence that BRONZE EDGEWOOD operates on behalf the Chinese government and has a remit that covers political espionage.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE EDGEWOOD.

Known Synonyms
Red Hariasa
Internal MISP references

UUID b4ce9385-eedf-4a71-803c-6d53a250d10b which can be used as unique global reference for BRONZE EDGEWOOD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Kyrgyzstan', 'Malaysia', 'Vietnam']
country CN

APT9

APT9 engages in cyber operations where the goal is data theft, usually focusing on the data and projects that make a particular organization competitive within its field. APT9 was historically very active in the pharmaceuticals and biotechnology industry. We have observed this actor use spearphishing, valid accounts, as well as remote services for Initial Access. On at least one occasion, Mandiant observed APT9 at two companies in the biotechnology industry and suspect that APT9 actors may have gained initial access to one of the companies by using a trusted relationship between the two companies. APT9 use a wide range of backdoors, including publicly available backdoors, as well as backdoors that are believed to be custom, but are used by multiple APT groups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT9.

Known Synonyms
Group 27
NIGHTSHADE PANDA
Red Pegasus
Internal MISP references

UUID 7e6d82a4-3b7d-4c24-a2c5-e211ce6eafc5 which can be used as unique global reference for APT9 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['United States']
cfr-target-category ['Pharmaceuticals', 'Healthcare', 'Construction', 'Aerospace', 'Defense industrial base']
country CN

BRONZE SPRING

BRONZE SPRING is a threat group that CTU researchers assess with high confidence operates on behalf of China in the theft of intellectual property from defense, engineering, pharmaceutical and technology companies. The threat group typically uses scan-and-exploit for initial access, deploys the China Chopper webshell for remote execution and persistence, and creates RAR archives with a '.jpg' file extension for data exfiltration. In July 2020 the U.S. Department of Justice indicted two Chinese hackers CTU researchers assess are members of the BRONZE SPRING threat group. The Department of Justice allege these hackers were responsible for compromising networks of hundreds of organisations and individuals in the U.S. and abroad since 2009, and that exfiltrated data would be passed to the Chinese Ministry of State Security or sold for financial gain.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE SPRING.

Known Synonyms
UNC302
Internal MISP references

UUID 8b77424e-18bc-4ea7-baa4-d87441978e20 which can be used as unique global reference for BRONZE SPRING in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['United States', 'Australia', 'Belgium', 'Germany', 'Japan', 'Lithuania', 'Netherlands', 'Spain', 'South Korea', 'Sweden', 'United Kingdom']
cfr-target-category ['Information technology', 'Medical', 'Civil engineering', 'Business', 'Education', 'Gaming', 'Energy', 'Pharmaceuticals', 'Defense industrial base']
country CN

BRONZE STARLIGHT

BRONZE STARLIGHT has been active since mid 2021 and targets organizations globally across a range of industry verticals. The group leverages HUI Loader to load Cobalt Strike and PlugX payloads for command and control. CTU researchers have observed BRONZE STARLIGHT deploying ransomware to compromised networks as part of name-and-shame ransomware schemes, and posted victim names to leak sites. CTU researchers assess with moderate confidence that BRONZE STARLIGHT is located in China based on observed tradecraft, including the use of HUI Loader and PlugX which are associated with China-based threat group activity. It is plausible that BRONZE STARLIGHT deploys ransomware as a smokescreen rather than for financial gain, with the underlying motivation of stealing intellectual property theft or conducting espionage.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE STARLIGHT.

Known Synonyms
Cinnamon Tempest
DEV-0401
Emperor Dragonfly
SLIME34
Internal MISP references

UUID 737c0207-1a1a-4480-86e7-b6a5066e1ee5 which can be used as unique global reference for BRONZE STARLIGHT in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN
Related clusters

To see the related clusters, click here.

BRONZE HIGHLAND

BRONZE HIGHLAND has been observed using spearphishing as an initial infection vector to deploy the MgBot remote access trojan against targets in Hong Kong. Third party reporting suggests the threat group also targets India, Malaysia and Taiwan and leverages Cobalt Strike and KsRemote Android Rat. CTU researchers assess with moderate confidence that BRONZE HIGHLAND operates on behalf of China and has a remit covering espionage against domestic human rights and pro-democracy advocates and nations neighbouring China

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BRONZE HIGHLAND.

Known Synonyms
Daggerfly
Evasive Panda
Internal MISP references

UUID 62710572-e416-419d-bb1f-81ffc1ddc976 which can be used as unique global reference for BRONZE HIGHLAND in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Hong Kong', 'Malaysia', 'India', 'Taiwan', 'Macao', 'Nigeria']
country CN

BRONZE SPIRAL

In December 2020, the IT management software provider SolarWinds announced that an unidentified threat actor had exploited a vulnerability in their Orion Platform software to deploy a web shell dubbed SUPERNOVA. CTU researchers track the operators of the SUPERNOVA web shell as BRONZE SPIRAL and assess with low confidence that the group is of Chinese origin. SUPERNOVA was likely deployed through exploitation of CVE-2020-10148, and CTU researchers observed post-exploitation reconnaissance commands roughly 30 minutes before the web shell was deployed. This may have been indicative of the threat actor conducting scan-and-exploit activity and then triaging for victims of particular interest, before deploying SUPERNOVA and attempting to dump credentials and move laterally.

BRONZE SPIRAL has been associated with previous intrusions involving the targeting of ManageEngine servers, maintenance of long-term access to periodically harvest credentials and exfiltrate data, and espionage or theft of intellectual property. The threat group makes extensive use of native system tools and 'living off the land' techniques.

Internal MISP references

UUID 3f04dbbc-69bc-409b-82a1-6135f0b6a41c which can be used as unique global reference for BRONZE SPIRAL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

BRONZE VAPOR

BRONZE VAPOR is a targeted threat group assessed with moderate confidence to be of Chinese origin. Artefacts from tools associated with this group and open source reporting on related incidents indicate that BRONZE VAPOR have operated since at least 2017. The group conducts espionage against multiple industries including semiconductors, aviation and telecommunications. CTU researchers assess BRONZE VAPOR's intent to be information theft, with operations focused on intellectual property (semiconductors) and personally identifiable information such as traveller records (aviation). Compromise of telecommunications companies can yield personally identifiable information and meta data on client communications such as Call Data Records (CDR).

Prior to 2019 their operational focus, with some exceptions, revolved around targets in East Asia particularity Taiwan with it's thriving semiconductor industry. In 2021 details emerged in open source of attacks on at least one European semiconductor company believed to date back to 2017. In 2019 BRONZE VAPOR attacked one of more entities in the European airlines sector. The group gains initial access via VPN services, may use spearphishing with 'Letter of Appointment' themed lures, and deploys Cobalt Strike along with custom data exfiltration tools to target organizations. Post-intrusion activity involves living-of-the-land using legitimate tools and commands available within victim environment as well as using AceHash for credential harvesting, WATERCYCLE for data exfiltration and STOCKPIPE for proxying information through Microsoft Exchange servers over email.

BRONZE VAPOR uses a set of tactics that, although not individually unique, when viewed in aggregate create a relatively distinct playbook. Intrusions begin with credential based attacks against an existing remote access solution (Citrix, VPN etc.) or B2B network access. Cobalt Strike is deployed into the environment and further access is then conducted via Cobalt Strike Beacon and other features of the platform. Sharphound is deployed to map out the victim's Active Directory infrastructure and and collect critical information about the domain including important account names. Command and control infrastructure is hosted on subdomains of Azure and Appspot services to blend in with legitimate traffic. The threat actor also registers their own domains for command and control, often with a "sync" or "update" related theme. WinRAR is commonly used for compressing data prior to exfiltration. Filenames for these archives often involve a string of numbers and variations of the word "update". Data is exfiltrated using WATERCYCLE to cloud based platforms such as OneDrive and GoogleDrive.

Internal MISP references

UUID af12a336-bb68-41ff-866a-834cedc0b5fc which can be used as unique global reference for BRONZE VAPOR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Taiwan']
cfr-target-category ['Semiconductor Industry']
country CN

Vicious Panda

Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target. A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vicious Panda.

Known Synonyms
SixLittleMonkeys
Internal MISP references

UUID 68d8c25b-8595-4c20-a5c7-a11a2a34b717 which can be used as unique global reference for Vicious Panda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Belarus', 'Russia', 'Mongolia', 'Ukraine']
country CN

Red Nue

Red Nue, active since at least 2017, is known for its use of the multi-platform LootRAt backdoor, also known as ReverseWindow. LootRAT has variants for Windows and Macintosh (reported in open source as Demsty), as well as an Android variant known as SpyDealer. Red Nue has also used another Windows backdoor known as WinDealer since at least 2019, when it deployed it to targets as part of a watering hole campaign on a Chinese news website for the Chinese diaspora community. Parts of Asia feature heavily in Red Nue's victimology.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Red Nue.

Known Synonyms
LuoYu
Internal MISP references

UUID c73c8a76-1e44-44d6-b955-79f3a73582a1 which can be used as unique global reference for Red Nue in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Pickaxe

Prying Libra, also known as Pickaxe, is a threat actor active since at least August 2017, and continues to remain active to this day. The adversary's goal is to install and maintain a popular cryptocurrency miner on the victim's machine. The miner in question is an open-source tool named XMRig that generates the Monero cryptocurrency. Malware is delivered via downloads through the popular Adfly advertisement platform. Users are often mislead into clicking on a malicious advertisement that results in the payload being delivered to the victim. Once installed, the malware leverages VBS scripts and redirection services, such as bitly, to ultimately download and execute XMRig. Over 15 million confirmed victims have been discovered to be infected in recent campaigns, with actual numbers likely to be between 30-45 million victims. The victims are found across the globe, with high concentrations in Thailand, Vietnam, Egypt, Indonesia, and Turkey.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pickaxe.

Known Synonyms
Prying Libra
Internal MISP references

UUID 1bfd16ae-fd98-4a96-9397-d1651548bda2 which can be used as unique global reference for Pickaxe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Watchdog

Thief Libra is a cloud-focused threat group that has a history of cryptojacking operations as well as cloud service platform credential scraping. They were first known to operate on January 27, 2019. They use a variety of custom build Go Scripts as well as repurposed cryptojacking scripts from other groups including TeamTNT. They are currently considered to be an opportunistic threat group that targets exposed cloud instances and applications.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Watchdog.

Known Synonyms
Thief Libra
Internal MISP references

UUID 4b4b4717-d31e-4be6-a3ba-b13edb42decd which can be used as unique global reference for Watchdog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Returned Libra

Returned Libra, also known as 8220 Mining Group, is a cloud threat actor group that has been active since at least 2017. Tools commonly employed during their operations are PwnRig or DBUsed which are customized variants of the XMRig Monero mining software. The Returned Libra mining group is believed to have originated from a GitHub fork of the Rocke group's software. Returned Libra has elevated its mining operations with the use of cloud service platform credential scrapping.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Returned Libra.

Known Synonyms
8220 Mining Group
Internal MISP references

UUID 7831d56e-5913-44ca-8835-f42017aeb0cd which can be used as unique global reference for Returned Libra in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TianWu

Internal MISP references

UUID a3831248-5e2f-492d-8bb6-5e82c2f6481d which can be used as unique global reference for TianWu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 75
cfr-suspected-state-sponsor China
cfr-suspected-victims ['China', 'Hong Kong', 'Kazakhstan', 'Taiwan', 'Philippines']
cfr-target-category ['Private Sector', 'Gambling companies', 'Gaming', 'Information technology', 'Telecommunications', 'Government', 'Transportation systems', 'Dissident']
country CN

SLIME29

Internal MISP references

UUID d58030e2-5673-4836-9aff-ab6d55da0bc0 which can be used as unique global reference for SLIME29 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 75
cfr-suspected-state-sponsor China
cfr-target-category ['Private Sector']
country CN

GOBLIN PANDA

Goblin Panda is one of a handful of elite Chinese advanced persistent threat (APT) groups. Most Chinese APTs target the United States and NATO, but Goblin Panda focuses primarily on Southeast Asia.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOBLIN PANDA.

Known Synonyms
Conimes
Cycldek
Internal MISP references

UUID 8d73715a-8bbd-4eaa-ae24-2f1b1c84cf21 which can be used as unique global reference for GOBLIN PANDA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 75
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Malaysia', 'India', 'Indonesia', 'Japan', 'Philippines', 'Southeast Asia', 'South Korea', 'Vietnam']
cfr-target-category ['Private Sector']
country CN

TA558

Since 2018, security researchers tracked a financially-motivated cybercrime actor, TA558, targeting hospitality, travel, and related industries located in Latin America and sometimes North America, and western Europe. The actor sends malicious emails written in Portuguese, Spanish, and sometimes English. The emails use reservation-themed lures with business-relevant themes such as hotel room bookings. The emails may contain malicious attachments or URLs aiming to distribute one of at least 15 different malware payloads.

Internal MISP references

UUID e1e70539-8916-45c2-9b01-891c1c5bd8a1 which can be used as unique global reference for TA558 in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
sources ['https://www.proofpoint.com/us/blog/threat-insight/reservations-requested-ta558-targets-hospitality-and-travel']

PARINACOTA

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware. The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment. PARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors. The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular PARINACOTA.

Known Synonyms
Wine Tempest
Internal MISP references

UUID 4245e4cd-a57a-4e0b-9853-acaa549d495d which can be used as unique global reference for PARINACOTA in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Red Dev 17

In 2021, PwC started tracking a series of intrusions under the moniker of Red Dev 17 that they assess were highly likely conducted by a China-based threat actor. Their analysis suggests Red Dev 17 has been active since at least 2017. Red Dev 17's observed targets are mainly in India, and include the Indian military, a multinational India-based technology company, and a state energy company. They assess that it is highly probable that the threat actor behind intrusions associated with Red Dev 17 is also responsible for the campaign known in open source as Operation NightScout. Red Dev 17 is a user of the 8.t document weaponisation framework (also known as RoyalRoad), and abuses benign utilities such as Logitech or Windows Defender binaries to sideload and execute Chinoxy or PoisonIvy variants on victim systems. They identified capability and infrastructure links between Red Dev 17 and the threat actor they call Red Hariasa (aka FunnyDream APT), as well as infrastructure overlaps with Red Wendigo (aka Icefog, RedFoxtrot), and with ShadowPad C2 servers. At this time, they do not have sufficient evidence to directly link Red Dev 17 to any of these threat actors. However, They assess with realistic probability that Red Dev 17 operates within a cluster of threat actors that share tools and infrastructure, as well as a strong targeting focus on Southeast Asia and Central Asia.

Internal MISP references

UUID 50d61877-bfc7-4c65-980e-c0589b5561fa which can be used as unique global reference for Red Dev 17 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['India']
cfr-target-category ['High-Tech', 'Military', 'Energy']
country CN

Aoqin Dragon

SentinelLabs has uncovered a cluster of activity beginning at least as far back as 2013 and continuing to the present day, primarily targeting organizations in Southeast Asia and Australia. They assess that the threat actor's primary focus is espionage and relates to targets in Australia, Cambodia, Hong Kong, Singapore, and Vietnam. We track this activity as 'Aoqin Dragon'. The threat actor has a history of using document lures with pornographic themes to infect users and makes heavy use of USB shortcut techniques to spread the malware and infect additional targets. Attacks attributable to Aoqin Dragon typically drop one of two backdoors, Mongall and a modified version of the open source Heyoka project.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Aoqin Dragon.

Known Synonyms
UNC94
Internal MISP references

UUID fa1fdccb-1a06-4607-bd45-1a7df4db02d7 which can be used as unique global reference for Aoqin Dragon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Australia', 'Cambodia', 'Hong Kong', 'Singapore', 'Vietnam']
cfr-target-category ['Government', 'Education', 'Telecommunications']
country CN

DangerousSavanna

Malicious campaign called DangerousSavanna has been targeting multiple major financial service groups in French-speaking Africa for the last two years. The threat actors behind this campaign use spear-phishing as a means of initial infection, sending emails with malicious attachments to the employees of financial institutions in at least five different French-speaking countries: Ivory Coast, Morocco, Cameroon, Senegal, and Togo. DangerousSavanna tends to install relatively unsophisticated software tools in the infected environments. These tools are both self-written and based on open-source projects such as Metasploit, PoshC2, DWservice, and AsyncRAT. The threat actors’ creativity is on display in the initial infection stage, as they persistently pursue the employees of the targeted companies, constantly changing infection chains that utilize a wide range of malicious file types, from self-written executable loaders and malicious documents, to ISO, LNK, JAR and VBE files in various combinations. The evolving infection chains by the threat actor reflect the changes in the threat landscape seen over the past few years as infection vectors became more and more sophisticated and diverse.

Internal MISP references

UUID 1bb64526-cc51-475a-b6bc-af30df9f2fb6 which can be used as unique global reference for DangerousSavanna in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ivory Coast', 'Morocco', 'Cameroon', 'Senegal', 'Togo']
threat-actor-classification ['campaign']

Hezb

Hezb is a group deploying cryptominers when new exploit are available for public facing vulnerabilities. The name is after the miner process they deploy.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hezb.

Known Synonyms
Mimo
Internal MISP references

UUID fd82cd40-9306-4285-8fae-ad29a9711603 which can be used as unique global reference for Hezb in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NoName057(16)

NoName057(16) is performing DDoS attacks on websites belonging to governments, news agencies, armies, suppliers, telecommunications companies, transportation authorities, financial institutions, and more in Ukraine and neighboring countries supporting Ukraine, like Ukraine itself, Estonia, Lithuania, Norway, and Poland.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NoName057(16).

Known Synonyms
05716nnm
Nnm05716
NoName057
NoName05716
Internal MISP references

UUID e62937d0-dec6-4c39-a836-e43b1d138df4 which can be used as unique global reference for NoName057(16) in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Czech Republic', 'Denmark', 'Estonia', 'Lithuania', 'NATO', 'Norway', 'Poland', 'Ukraine']
cfr-target-category ['Financial', 'Government', 'Military', 'Telecommunications', 'Transportation']
cfr-type-of-incident ['Denial of service']

BITWISE SPIDER

BITWISE SPIDER has recently and quickly become a significant player in the big game hunting (BGH) landscape. Their dedicated leak site (DLS) has received the highest number of victims posted each month since July 2021 compared to other adversary DLSs due to the growing popularity and effectiveness of LockBit 2.0.

Internal MISP references

UUID ecf4d7cb-9bf7-4d9d-8450-c99e885b9aac which can be used as unique global reference for BITWISE SPIDER in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Void Balaur

Void Balaur is a highly active hack-for-hire / cyber mercenary group with a wide range of known target types across the globe. Their services have been observed for sale to the public online since at least 2016. Services include the collection of private data and access to specific online email and social media services, such as Gmail, Outlook, Telegram, Yandex, Facebook, Instagram, and business emails.

Internal MISP references

UUID ca310f0a-1131-4c67-b0a7-f1cd4ce0f87f which can be used as unique global reference for Void Balaur in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Brazil', 'Central African Republic', 'Georgia', 'Kazakhstan', 'Moldova', 'Russia', 'Spain', 'Sudan', 'Taiwan', 'Ukraine', 'United Kingdom', 'United States']

APT-C-60

APT-C-60

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT-C-60.

Known Synonyms
APT-Q-12
Internal MISP references

UUID 6a83b2bf-0c51-4c9b-89b0-35df7cab1dd5 which can be used as unique global reference for APT-C-60 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RomCom

ROMCOM is an evolving and sophisticated threat actor group that has been using the malware tool ROMCOM for espionage and financially motivated attacks. They have targeted organizations in Ukraine and NATO countries, including military personnel, government agencies, and political leaders. The ROMCOM backdoor is capable of stealing sensitive information and deploying other malware, showcasing the group's adaptability and growing sophistication.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RomCom.

Known Synonyms
Storm-0978
Internal MISP references

UUID ba9e1ed2-e142-48d0-a593-f73ac6d59ccd which can be used as unique global reference for RomCom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country RU

GOLD PRELUDE

GOLD PRELUDE is a financially motivated cybercriminal threat group that operates the SocGholish (aka FAKEUPDATES) malware distribution network. GOLD PRELUDE operates a large global network of compromised websites, frequently running vulnerable content management systems (CMS), that redirect into a malicious traffic distribution system (TDS). The TDS, which researchers at Avast have named Parrot TDS, uses opaque criteria to select victims to serve a fake browser update page. These pages, which are customized to the specific visiting browser software, download the JavaScript-based SocGholish payload frequently embedded within a compressed archive.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GOLD PRELUDE.

Known Synonyms
TA569
UNC1543
Internal MISP references

UUID 8134c96d-d6ed-49cc-99d6-fe74c0636387 which can be used as unique global reference for GOLD PRELUDE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

BazarCall

BazarCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold called by the attacker, except in BazarCall’s case, targeted users must dial the number. And when they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BazarCall.

Known Synonyms
BazaCall
BazzarCall
Internal MISP references

UUID 906e2091-cc32-499e-a799-2b9b15e45042 which can be used as unique global reference for BazarCall in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Evasive Panda

Evasive Panda is an APT group that has been active since at least 2012, conducting cyberespionage targeting individuals, government institutions and organizations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Evasive Panda.

Known Synonyms
BRONZE HIGHLAND
Internal MISP references

UUID 171d0590-be92-443f-addb-af5dc2a8034d which can be used as unique global reference for Evasive Panda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Hong Kong', 'India', 'Malaysia', 'Taiwan']
cfr-target-category ['Government', 'Individuals', 'Universities']
cfr-type-of-incident Espionage
country CN

TAG-53

A Russia-linked threat actor tracked as TAG-53 is running phishing campaigns impersonating various defense, aerospace, and logistic companies, according to The Record by Recorded Future. Recorded Future’s Insikt Group identified overlaps with a threat actor tracked by other companies as Callisto Group, COLDRIVER, and SEABORGIUM.

Internal MISP references

UUID e5865ca1-ec95-43e2-954a-d0f3507a9747 which can be used as unique global reference for TAG-53 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Malteiro

This group of cybercriminals is named Malteiroby SCILabs, they operate and distribute the URSA/Mispadu banking trojan.

Internal MISP references

UUID ba57c28a-47d0-46ba-a933-9aed69f7b84f which can be used as unique global reference for Malteiro in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Moskalvzapoe

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Moskalvzapoe.

Known Synonyms
MAN1
TA511
Internal MISP references

UUID 66a0a3ad-5b07-4876-baee-cf44000f7470 which can be used as unique global reference for Moskalvzapoe in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

TA570

One of the most active Qbot malware affiliates, Proofpoint has tracked the large cybercrime threat actor TA570 since 2018.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA570.

Known Synonyms
DEV-0450
Internal MISP references

UUID 82a808ad-3f2f-43c0-bd15-848a6e27da95 which can be used as unique global reference for TA570 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU
Related clusters

To see the related clusters, click here.

TA575

TA575 is a Dridex affiliate tracked by Proofpoint since late 2020. This group distributes malware such as Dridex, Qakbot, and WastedLocker via malicious URLs, Office attachments, and password-protected files. On average, TA575 distributes almost 4,000 messages per campaign impacting hundreds of organizations.

Internal MISP references

UUID fbb04514-f71d-4a95-a1af-727d21ef12a2 which can be used as unique global reference for TA575 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

TA577

TA577 is a prolific cybercrime threat actor tracked by Proofpoint since mid-2020. This actor conducts broad targeting across various industries and geographies, and Proofpoint has observed TA577 deliver payloads including Qbot, IcedID, SystemBC, SmokeLoader, Ursnif, and Cobalt Strike.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA577.

Known Synonyms
Hive0118
Internal MISP references

UUID e405b7d0-3eed-4f9d-9b68-728e9793974c which can be used as unique global reference for TA577 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU
Related clusters

To see the related clusters, click here.

TA2536

TA2536, which has been active since at least 2015, is likely Nigerian based on its unique linguistic style, tactics and tools. It uses keyloggers such as HawkEye and distinctive stylometric features in typo-squatted domains that resemble legitimate names and the use of recurring names and substrings in email addresses.

Internal MISP references

UUID 9687a6a9-0a66-4373-b546-60553857a442 which can be used as unique global reference for TA2536 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country NG
Related clusters

To see the related clusters, click here.

DEV-0147

DEV-0147 is a China-based cyber espionage actor was observed compromising diplomatic targets in South America, a notable expansion of the group's data exfiltration operations that traditionally targeted gov't agencies and think tanks in Asia and Europe. DEV-0147 is known to use tools like ShadowPad, a remote access trojan associated with other China-based actors, to maintain persistent access, and QuasarLoader, a webpack loader, to deploy additional malware. DEV-0147's attacks in South America included post-exploitation activity involving the abuse of on-premises identity infrastructure for recon and lateral movement, and the use of Cobalt Strike for command and control and data exfiltration.

Internal MISP references

UUID 85f20141-1c8e-49ac-b963-eaa1fb1f4018 which can be used as unique global reference for DEV-0147 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['South America', 'Asia', 'European Union']
country CN

TA406

TA406 is engaging in malware distribution, phishing, intelligence collection, and cryptocurrency theft, resulting in a wide range of criminal activities.

Internal MISP references

UUID 89f005f9-22e9-4c50-9b48-e94c521266e5 which can be used as unique global reference for TA406 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['China', 'France', 'Germany', 'India', 'Japan', 'North America', 'Russia', 'South Africa', 'South Korea', 'United Kingdom']
cfr-target-category ['Government', 'Journalists', 'NGOs']
country KR
Related clusters

To see the related clusters, click here.

APT42

Iranian state-sponsored cyber espionage group tasked with conducting information collection and surveillance operations against individuals and organizations of strategic interest to the Iranian government.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular APT42.

Known Synonyms
CALANQUE
UNC788
Internal MISP references

UUID 35f887ad-6709-4d0b-8e9c-6b3fa09c783f which can be used as unique global reference for APT42 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['Australia', 'Europe', 'Israel', 'Middle East', 'US']
cfr-target-category ['Education', 'Government', 'Military', 'Defense', 'Energy', 'Finance', 'Healthcare', 'Pharmaceuticals', 'Civil Society', 'Legal', 'Manufacturing', 'Media', 'NGOs', 'Pharmaceuticals']
cfr-type-of-incident Espionage
country IR
Related clusters

To see the related clusters, click here.

TA453

TA453 has employed the use of compromised accounts, malware, and confrontational lures to go after targets with a range of backgrounds from medical researchers to realtors to travel agencies.

Internal MISP references

UUID c1d44f44-425e-48fd-b78b-84b988da8bc3 which can be used as unique global reference for TA453 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR
Related clusters

To see the related clusters, click here.

Chamelgang

In Q2 2021, the PT Expert Security Center incident response team conducted an investigation in an energy company. The investigation revealed that the company's network had been compromised by an unknown group for the purpose of data theft. They gave the group the name ChamelGang (from the word "chameleon"), because the group disguised its malware and network infrastructure under legitimate services of Microsoft, TrendMicro, McAfee, IBM, and Google.

Internal MISP references

UUID eafdd27f-a3e2-4bb1-ae03-bf9ca5ff0355 which can be used as unique global reference for Chamelgang in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['India', 'Japan', 'Nepal', 'Russia', 'Taiwan', 'US']
cfr-target-category ['Aviation', 'Energy']
Related clusters

To see the related clusters, click here.

Karakurt

Karakurt actors have employed a variety of tactics, techniques, and procedures (TTPs), creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors have claimed to steal data and threatened to auction it off or release it to the public unless they receive payment of the demanded ransom. Known ransom demands have ranged from $25,000 to $13,000,000 in Bitcoin, with payment deadlines typically set to expire within a week of first contact with the victim.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Karakurt.

Known Synonyms
Karakurt Lair
Internal MISP references

UUID 035fbd5c-e4a1-4c7b-80fb-f5a89a361aed which can be used as unique global reference for Karakurt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Canada', 'Germany', 'United Kingdom', 'United States']
cfr-type-of-incident Extortion
Related clusters

To see the related clusters, click here.

DEV-0270

Microsoft threat intelligence teams have been tracking multiple ransomware campaigns and have tied these attacks to DEV-0270, also known as Nemesis Kitten, a sub-group of Iranian actor PHOSPHORUS. Microsoft assesses with moderate confidence that DEV-0270 conducts malicious network operations, including widespread vulnerability scanning, on behalf of the government of Iran.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0270.

Known Synonyms
Nemesis Kitten
Storm-0270
Internal MISP references

UUID 7b90319a-9f7b-466d-9f90-7fcc270ed505 which can be used as unique global reference for DEV-0270 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR
Related clusters

To see the related clusters, click here.

Prophet Spider

PROPHET SPIDER is an eCrime actor, active since at least May 2017, that primarily gains access to victims by compromising vulnerable web servers, which commonly involves leveraging a variety of publicly disclosed vulnerabilities. The adversary has likely functioned as an access broker — handing off access to a third party to deploy ransomware — in multiple instances.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Prophet Spider.

Known Synonyms
GOLD MELODY
UNC961
Internal MISP references

UUID eb0b100c-8a4e-4859-b6f8-eebd66c3d20c which can be used as unique global reference for Prophet Spider in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country
Related clusters

To see the related clusters, click here.

TA866

According to Proofpoint, TA866 is a newly identified threat actor that distributes malware via email utilizing both commodity and custom tools. While most of the activity observed occurred since October 2022, Proofpoint researchers identified multiple activity clusters since 2019 that overlap with TA866 activity. Most of the activity recently observed by Proofpoint suggests recent campaigns are financially motivated, however assessment of historic related activities suggests a possible, additional espionage objective.

Internal MISP references

UUID a3c22f46-5135-4b39-a33f-92906ac12c31 which can be used as unique global reference for TA866 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
motive mainly financially motivated, additional espionage objective.
Related clusters

To see the related clusters, click here.

Anonymous Sudan

Since January 23, 2023, a threat actor identifying as "Anonymous Sudan" has been conducting denial of service (DDoS) attacks against multiple organizations in Sweden. This group claims to be "hacktivists," politically motivated hackers from Sudan. According to Truesec’s report, the threat actor has nothing to do with the online activists collectively known as Anonymous.

Internal MISP references

UUID 8ca38564-5515-45f5-9f3b-a4091546e10b which can be used as unique global reference for Anonymous Sudan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Denmark', 'Sweden']
cfr-type-of-incident ['Denial of service']

RedGolf

Recorded Future’s Insikt Group has identified a large cluster of new operational infrastructure associated with use of the custom Windows and Linux backdoor KEYPLUG. We attribute this activity to a threat activity group tracked as RedGolf, which is highly likely to be a Chinese state-sponsored group. RedGolf closely overlaps with threat activity reported in open sources under the aliases APT41/BARIUM and has likely carried out state-sponsored espionage activity in parallel with financially motivated operations for personal gain from at least 2014 onward.

Internal MISP references

UUID eff0c059-5449-4207-9860-715475139595 which can be used as unique global reference for RedGolf in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-state-sponsor China
cfr-target-category ['Aviation', 'Automotive', 'Education', 'Intergovernmental', 'Media and Entertainment', 'Information Technology', 'Religious Organizations']
country CN
motive state-sponsored espionage and financially motivated
Related clusters

To see the related clusters, click here.

APT43

• APT43 is a prolific cyber operator that supports the interests of the North Korean regime. The group combines moderately-sophisticated technical capabilities with aggressive social engineering tactics, especially against South Korean and U.S.-based government organizations, academics, and think tanks focused on Korean peninsula geopolitical issues. • In addition to its espionage campaigns, we believe APT43 funds itself through cybercrime operations to support its primary mission of collecting strategic intelligence. • The group creates numerous spoofed and fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure. • APT43 has collaborated with other North Korean espionage operators on multiple operations, underscoring the major role APT43 plays in the regime’s cyber apparatus.

Internal MISP references

UUID aac49b4e-74e9-49fa-84f9-e340cf8bafbc which can be used as unique global reference for APT43 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Hagga

Hagga is believed to have been using Agent Tesla, 2021’s sixth most prevalent malware, to steal sensitive information from his victims since the latter part of 2021.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Hagga.

Known Synonyms
Aggah
TH-157
Internal MISP references

UUID 1e318d85-79c7-4988-83b7-ff86a974786c which can be used as unique global reference for Hagga in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Volt Typhoon

[Microsoft] Volt Typhoon, a state-sponsored actor based in China that typically focuses on espionage and information gathering. Microsoft assesses with moderate confidence that this Volt Typhoon campaign is pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.

[Secureworks] BRONZE SILHOUETTE likely operates on behalf the PRC. The targeting of U.S. government and defense organizations for intelligence gain aligns with PRC requirements, and the tradecraft observed in these engagements overlap with other state-sponsored Chinese threat groups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Volt Typhoon.

Known Synonyms
BRONZE SILHOUETTE
Dev-0391
Insidious Taurus
Storm-0391
UNC3236
VANGUARD PANDA
VOLTZITE
Internal MISP references

UUID f02679fa-5e85-4050-8eb5-c2677d93306f which can be used as unique global reference for Volt Typhoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

SmugX

The campaign, called SmugX, overlaps with previously reported activity by Chinese APT actors RedDelta and Mustang Panda. Although those two correlate to some extent with Camaro Dragon, there is insufficient evidence to link the SmugX campaign to the Camaro Dragon group.

The campaign uses new delivery methods to deploy (most notably – HTML Smuggling) a new variant of PlugX, an implant commonly associated with a wide variety of Chinese threat actors. Although the payload itself remains similar to the one found in older PlugX variants, its delivery methods results in low detection rates, which until recently helped the campaign fly under the radar.

Internal MISP references

UUID c95520c1-0a27-42aa-9853-bf5f0f3bc074 which can be used as unique global reference for SmugX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RedDelta

Likely Chinese state-sponsored threat activity group RedDelta targeting organizations within Europe and Southeast Asia using a customized variant of the PlugX backdoor. Since at least 2019, RedDelta has been consistently active within Southeast Asia, particularly in Myanmar and Vietnam, but has also routinely adapted its targeting in response to global geopolitical events. This is historically evident through the group’s targeting of the Vatican and other Catholic organizations in the lead-up to 2021 talks between Chinese Communist Party (CCP) and Vatican officials, as well as throughout 2022 through the group’s shift towards increased targeting of European government and diplomatic entities following Russia’s invasion of Ukraine.

During the 3-month period from September through November 2022, RedDelta has regularly used an infection chain employing malicious shortcut (LNK) files, which trigger a dynamic-link library (DLL) search-order-hijacking execution chain to load consistently updated PlugX versions. Throughout this period, the group repeatedly employed decoy documents specific to government and migration policy within Europe. Of note, we identified a European government department focused on trade communicating with RedDelta command-and-control (C2) infrastructure in early August 2022. This activity commenced on the same day that a RedDelta PlugX sample using this C2 infrastructure and featuring an EU trade-themed decoy document surfaced on public malware repositories. We also identified additional probable victim entities within Myanmar and Vietnam regularly communicating with RedDelta C2 infrastructure.

RedDelta closely overlaps with public industry reporting under the aliases BRONZE PRESIDENT, Mustang Panda, TA416, Red Lich, and HoneyMyte.

Internal MISP references

UUID fceed509-938e-4f9e-acd4-76e6c28dc6f1 which can be used as unique global reference for RedDelta in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Worok

Worok is a cyber espionage group, mostly targeting Central Asia. The group toolset includes a C++ loader named CLRLoad, a PowerShell backdoor named PowHeartBeat, and a C# loader named PNGLoad.

Internal MISP references

UUID 77742419-aa71-4bc2-94c6-29c394b350e7 which can be used as unique global reference for Worok in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['East Asia', 'Central Asia', 'Southeast Asia', 'The Middle East', 'Southern Africa']
cfr-target-category ['Government', 'Energy Company']
cfr-type-of-incident Espionage
country CN

MoustachedBouncer

MoustachedBouncer is a cyberespionage group discovered by ESET Research and first publicly disclosed in August 2023. The group has been active since at least 2014 and only targets foreign embassies in Belarus. Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle (AitM) attacks at the ISP level, within Belarus, in order to compromise its targets. The group uses two separate toolsets that we have named NightClub and Disco.

Internal MISP references

UUID 01ac8b25-492e-444b-891b-968f2694e7b2 which can be used as unique global reference for MoustachedBouncer in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Belarus
cfr-suspected-victims ['Europe', 'Eastern Europe', 'South Asia', 'Northeast Africa']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
country BY

Storm-0324

The threat actor that Microsoft tracks as Storm-0324 is a financially motivated group known to gain initial access using email-based initial infection vectors and then hand off access to compromised networks to other threat actors. These handoffs frequently lead to ransomware deployment.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0324.

Known Synonyms
DEV-0324
Sagrid
TA543
Internal MISP references

UUID 8cb6f57b-9ebb-45a6-a89f-9efdb8065d70 which can be used as unique global reference for Storm-0324 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Scattered Canary

When the first member of Scattered Canary, who, for the purposes of this report, we call Alpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned the tricks of the trade from a mentor. However, within a few years, he had honed his craft enough to expand into romance scams, where he met his first “employee,” Beta. Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born.

Internal MISP references

UUID fde2d0f9-ed23-4cdc-96d3-f0a01f804707 which can be used as unique global reference for Scattered Canary in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country NG
motive Cybercrime

Scattered Spider

Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Scattered Spider.

Known Synonyms
0ktapus
DEV-0971
Muddled Libra
Octo Tempest
Oktapus
Scatter Swine
Scattered Swine
Storm-0971
UNC3944
Internal MISP references

UUID 3b238f3a-c67a-4a9e-b474-dc3897e00129 which can be used as unique global reference for Scattered Spider in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

AtlasCross

NSFOCUS Security Labs recently discovered a new attack process based on phishing documents in their daily threat-hunting operations. Delving deeper into this finding through extensive research, they confirmed two new Trojan horse programs and many rare attack techniques and tactics. NSFOCUS Security Labs believes that this new attack process comes from a new APT attacker, who has a high technical level and cautious attack attitude. The phishing attack activity captured this time is part of the attacker’s targeted strike on specific targets and is its main means to achieve in-domain penetration. NSFOCUS Security Labs validated the high-level threat attributes of AtlasCross in terms of development technology and attack strategy through an in-depth analysis of its attack metrics. At this current stage, AtlasCross has a relatively limited scope of activity, primarily focusing on targeted attacks against specific hosts within a network domain. However, the attack processes they employ are highly robust and mature. NSFOCUS Security Labs deduce that this attacker is highly likely to deploy this attack process into larger-scale network attack operations.

Internal MISP references

UUID 32eebd31-5e0f-4fb9-b478-26ff4e48aaf4 which can be used as unique global reference for AtlasCross in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

Void Rabisu

Void Rabisu is an intrusion set associated with both financially motivated ransomware attacks and targeted campaigns on Ukraine and countries supporting Ukraine.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Void Rabisu.

Known Synonyms
Tropical Scorpius
Internal MISP references

UUID 9766d52e-0e5d-4997-9c31-7f2291dcda9e which can be used as unique global reference for Void Rabisu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Ukraine', 'European Union']
Related clusters

To see the related clusters, click here.

Camaro Dragon

In early 2023, the Check Point Incident Response Team (CPIRT) team investigated a malware incident at a European healthcare institution involving a set of tools mentioned in the Avast report in late 2022. The incident was attributed to Camaro Dragon, a Chinese-based espionage threat actor whose activities overlap with activities tracked by different researchers as Mustang Panda and LuminousMoth, whose focus is primarily on Southeast Asian countries and their close peers.

Internal MISP references

UUID 9ee446fd-b0cd-4662-9cd1-a60b429192db which can be used as unique global reference for Camaro Dragon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Storm-0558

Storm-0558 is a China-based threat actor with espionage objectives. While there are some minimal overlaps with other Chinese groups such as Violet Typhoon (ZIRCONIUM, APT31), Microsoft maintain high confidence that Storm-0558 operates as its own distinct group

Internal MISP references

UUID 5b30bcb8-4923-45cc-bc89-29651ca5d54e which can be used as unique global reference for Storm-0558 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['United States', 'Germany']
cfr-target-category ['Government']
cfr-type-of-incident Espionage
country CN

Scarred Manticore

Scarred Manticore has been pursuing high-value targets for years, utilizing a variety of IIS-based backdoors to attack Windows servers. These include a variety of custom web shells, custom DLL backdoors, and driver-based implants.

Internal MISP references

UUID 79d0da59-9400-40f6-b72b-6c6f47354d59 which can be used as unique global reference for Scarred Manticore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Keksec

The threat group behind EnemyBot, Keksec, is well-resourced and has the ability to update and add new capabilities to its arsenal of malware on a daily basis (see below for more detail on Keksec)

Internal MISP references

UUID 39ef9941-4f9c-4807-ab10-88e863ce7953 which can be used as unique global reference for Keksec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Xiaoqiying

Xiaoqiying is a primarily Chinese-speaking threat group that is most well known for conducting website defacement and data exfiltration attacks on more than a dozen South Korean research and academic institutions in late-January 2023. Research from Recorded Futures Insikt Group has found that the groups affiliated threat actors have signaled a new round of cyberattacks against organizations in Japan and Taiwan. Although it shows no clear ties to the Chinese government, Xiaoqiying is staunchly pro-China and vows to target NATO countries as well as any country or region that is deemed hostile to China.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Xiaoqiying.

Known Synonyms
Genesis Day
Teng Snake
Internal MISP references

UUID 0ee7be4f-389f-4083-a1e4-4c39dc1ae105 which can be used as unique global reference for Xiaoqiying in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Winter Vivern

Winter Vivern is a cyberespionage group first revealed by DomainTools in 2021. It is thought to have been active since at least 2020 and it targets governments in Europe and Central Asia. To compromise its targets, the group uses malicious documents, phishing websites, and a custom PowerShell backdoor.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Winter Vivern.

Known Synonyms
TA-473
TA473
TAG-70
UAC-0114
Internal MISP references

UUID b7497d28-02de-4722-8b97-1fc53e1d1b68 which can be used as unique global reference for Winter Vivern in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country RU

UNC3886

UNC3886 is an advanced cyber espionage group with unique capabilities in how they operate on-network as well as the tools they utilize in their campaigns. UNC3886 has been observed targeting firewall and virtualization technologies which lack EDR support. Their ability to manipulate firewall firmware and exploit a zero-day indicates they have curated a deeper-level of understanding of such technologies. UNC3886 has modified publicly available malware, specifically targeting *nix operating systems.

Internal MISP references

UUID 8c08dbe7-3ed0-4d7d-b315-22d8774a5bd9 which can be used as unique global reference for UNC3886 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Earth Longzhi

Earth Longzhi is a subgroup of APT41 targeting organizations based in Taiwan, Thailand, the Philippines, and Fiji, and using “stack rumbling” via Image File Execution Options (IFEO), a new denial-of-service (DoS) technique to disable security software.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Longzhi.

Known Synonyms
SnakeCharmer
Internal MISP references

UUID b21dbf83-3459-44f4-b91b-6157379e430a which can be used as unique global reference for Earth Longzhi in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Redfly

Redfly hacked a national electricity grid organization in Asia and maintained persistent access to the network for about six months. Researchers discovered evidence for this attack between 28 February and 3 August 2023 after noticing suspicious malware activity within the organization’s network.

Internal MISP references

UUID 4f1c43a4-3788-4035-a99c-e510f89edd0f which can be used as unique global reference for Redfly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TetrisPhantom

TetrisPhantom relies on compromising of certain type of secure USB drives that provide hardware encryption and is commonly used by government organizations. While investigating this threat, experts identified an entire spying campaign that uses a range of malicious modules to execute commands, collect files and information from compromised computers and transfer them to other machines also using secure USB drives.

Internal MISP references

UUID 5368c0a2-eb79-420c-b808-85ae719efccd which can be used as unique global reference for TetrisPhantom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Earth Estries

Trend Micro found that Earth Estries relies heavily on DLL sideloading to load various tools within its arsenal. Aside from the backdoors previously mentioned, this intrusion set also utilizes commonly used remote control tools like Cobalt Strike, PlugX, or Meterpreter stagers interchangeably in various attack stages. These tools come as encrypted payloads loaded by custom loader DLLs.

Internal MISP references

UUID 1f7f4a51-c4a8-4365-ade3-83b222e7cb67 which can be used as unique global reference for Earth Estries in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GoldenJackal

GoldenJackal activity is characterized by the use of compromised WordPress websites as a method to host C2-related logic. Kaspersky believes the attackers upload a malicious PHP file that is used as a relay to forward web requests to another backbone C2 server. They developed a collection of .NET malware tools known as Jackal.

Internal MISP references

UUID 8e93e09a-734d-4b16-933f-9feb58f6ce7d which can be used as unique global reference for GoldenJackal in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']

Lancefly

Lancefly targets government, aviation, and telecom organizations in South and Southeast Asia. They use a custom backdoor named Merdoor, developed since 2018, and employ various tactics to gain access, including phishing emails, SSH credential brute-forcing, and exploiting server vulnerabilities. Additionally, Lancefly has been observed using a newer version of the ZXShell rootkit and tools like PlugX and ShadowPad RAT, which are typically associated with Chinese-speaking APT groups.

Internal MISP references

UUID 2ceeab57-85e3-468b-a1b8-c035c496dcdc which can be used as unique global reference for Lancefly in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

LofyGang

LofyGang has been found to be linked to more than 200 malicious packages, with thousands of installations throughout 2022. The group, believed to have been operating for more than a year, has multiple hacking objectives, including stealing credit card information and stealing user accounts including Discord Inc. premium accounts, streaming services accounts such as Disney+ and Minecraft accounts.

Internal MISP references

UUID a47b0f97-30fe-451d-9983-3bdc1e4608ab which can be used as unique global reference for LofyGang in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-0062

The cyberattack campaign that Microsoft uncovered was launched by a China-linked hacking group called Storm-0062. According to the company, the group is launching cyberattacks by exploiting a vulnerability in the Data Center and Server editions of Confluence. Those are versions of the application that companies run on-premises.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0062.

Known Synonyms
DarkShadow
Oro0lxy
Internal MISP references

UUID d1fe4546-616a-409c-8d2c-f7a7e0a183f8 which can be used as unique global reference for Storm-0062 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

SparklingGoblin

ESET researchers have discovered a new undocumented modular backdoor, SideWalk, being used by an APT group they’ve named SparklingGoblin; this backdoor was used during one of SparklingGoblin’s recent campaigns that targeted a computer retail company based in the USA. This backdoor shares multiple similarities with another backdoor used by the group: CROSSWALK.

Internal MISP references

UUID f3fd4397-19e4-47e0-b1bc-f792690e3bd0 which can be used as unique global reference for SparklingGoblin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Kasablanka

The Kasablanka group is a cyber-criminal organization that has specifically targeted Russia between September and December 2022, using various payloads delivered through phishing emails containing socially engineered lnk files, zip packages, and executables attached to virtual disk image files.

Internal MISP references

UUID 6db3ad41-6b47-43c8-b94b-98853749ee02 which can be used as unique global reference for Kasablanka in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country MA

YoroTrooper

YoroTrooper’s main targets are government or energy organizations in Azerbaijan, Tajikistan, Kyrgyzstan and other Commonwealth of Independent States, based on Cisco Talos analysis. YoroTrooper was also observed compromising accounts from at least two international organizations: a critical European Union health care agency and the World Intellectual Property Organization. Successful compromises also included Embassies of European countries including Azerbaijan and Turkmenistan.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular YoroTrooper.

Known Synonyms
Salted Earth
Sturgeon Fisher
Internal MISP references

UUID 2031ae01-e962-4861-a224-0934af6cdd3a which can be used as unique global reference for YoroTrooper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country KZ

Metador

Metador primarily targets telecommunications, internet service providers, and universities in several countries in the Middle East and Africa. Metador’s attack chains are designed to bypass native security solutions while deploying malware platforms directly into memory. SentinelLabs researchers discovered variants of two long-standing Windows malware platforms, and indications of an additional Linux implant.

Internal MISP references

UUID 5d22315b-55ef-4d8a-86aa-00ba38057641 which can be used as unique global reference for Metador in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SiegedSec

SiegedSec, a hacktivist collective, emerged coincidentally just days before Russia’s invasion of Ukraine. Under the leadership of the hacktivist known as “YourAnonWolf,” the group swiftly gained strength, announcing an increasing number of victims after its inception. The group humorously self-identifies as “gay furry hackers” and is renowned for its comical slogans and the use of vulgar language. SiegedSec has affiliations with other hacker groups like GhostSec and typically consists of members aged between 18 and 26.

Internal MISP references

UUID 3c2f534a-a898-4af6-b3e8-f2740c473de0 which can be used as unique global reference for SiegedSec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

RansomVC

Ransomed.VC burst onto the scene with a well-orchestrated PR campaign, encompassing a clearnet site and multiple communication channels including Telegram and Twitter/X profiles. Their operations are heavily inclined towards exploiting GDPR penalties as a method of extortion, threatening victims with potential legal repercussions in case of data leaks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RansomVC.

Known Synonyms
Ransomed.vc
Internal MISP references

UUID f939b51d-32f9-41d9-8549-f00b2db104c7 which can be used as unique global reference for RansomVC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Carderbee

Symantec recently reported on activity attributed to a threat actor group dubbed Carderbee. In the campaign, the threat actors target entities in Hong Kong and other regions of Asia via a supply chain attack leveraging the legitimate Cobra DocGuard software. The activity began as early as September 2022.

Internal MISP references

UUID ce793b99-0cf2-4148-831c-ea5f6a9e0a76 which can be used as unique global reference for Carderbee in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC3890

A suspected Iranian threat activity cluster has been linked to attacks aimed at Israeli shipping, government, energy, and healthcare organizations, in a campaign stretching back to late 2020. Researchers believe that the data harvested during the campaign could be used to support various activities. UNC3890, the threat actor behind the attacks, deployed two proprietary pieces of malware – a backdoor named “SUGARUSH” and a browser credential stealer called “SUGARDUMP”, which exfiltrates password information to email addresses registered with Gmail, ProtonMail, Yahoo and Yandex email services. The threat actor also employs a network of C&C servers that host fake login pages impersonating legitimate platforms such as Office 365, LinkedIn and Facebook. These servers are designed to communicate with the targets and also with a watering hole hosted on the login page of a legitimate Israeli shipping company.

Internal MISP references

UUID 27e11cc5-1688-4aea-a98d-96e6c275d005 which can be used as unique global reference for UNC3890 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

RedStinger

In October 2022, Kaspersky identified an active infection of government, agriculture and transportation organizations located in the Donetsk, Lugansk, and Crimea regions. Although the initial vector of compromise is unclear, the details of the next stage imply the use of spear phishing or similar methods. The victims navigated to a URL pointing to a ZIP archive hosted on a malicious web server.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular RedStinger.

Known Synonyms
Bad Magic
Internal MISP references

UUID b813c6a2-f8c7-4071-83bd-24c181ff2bd4 which can be used as unique global reference for RedStinger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Witchetty

Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Witchetty.

Known Synonyms
LookingFrog
Internal MISP references

UUID 202f5481-7bae-4a0b-b117-0642ea1dbe65 which can be used as unique global reference for Witchetty in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

NB65

Network Battalion 65 is an hactivist group with ties to Anonymous, known for attacking Russian companies and performing hack-and-leak operations.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular NB65.

Known Synonyms
Network Battalion 65
Internal MISP references

UUID e1941666-dcde-4f31-8a56-8041ac82bb99 which can be used as unique global reference for NB65 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

IndigoZebra

IndigoZebra is a Chinese state-sponsored actor mentioned for the first time by Kaspersky in its APT Trends report Q2 2017, targeting, at the time of its discovery, former Soviet Republics with multiple malware strains including Meterpreter, Poison Ivy, xDown, and a previously unknown backdoor called “xCaon.”

Internal MISP references

UUID 79e826b0-b051-4a61-b38c-496021b3afdb which can be used as unique global reference for IndigoZebra in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

GhostSec

GhostSec is a hacktivist group that emerged as an offshoot of Anonymous. They primarily focused on counterterrorism efforts and monitoring online activities associated with terrorism. They gained prominence following the 2015 Charlie Hebdo shooting in Paris and the rise of ISIS.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular GhostSec.

Known Synonyms
Ghost Security
Internal MISP references

UUID a1315451-326f-4185-8d71-80f9243f395f which can be used as unique global reference for GhostSec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

OilAlpha

OilAlpha has almost exclusively relied on infrastructure associated with the Public Telecommunication Corporation (PTC), a Yemeni government-owned enterprise reported to be under the direct control of the Houthi authorities. OilAlpha used encrypted chat messengers like WhatsApp to launch social engineering attacks against its targets. It has also used URL link shorteners. Per victimology assessment, it appears a majority of the targeted entities were Arabic-language speakers and operated Android devices.

Internal MISP references

UUID ae2b897d-f285-4d03-9bab-0ff59d6657a7 which can be used as unique global reference for OilAlpha in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HiddenArt

It was observed that a mobile network threat actor designated as ‘HiddenArt’ actively sustains a capacity to remotely access the personal devices of targeted individuals around the world on an ongoing basis. Since detecting this threat actor, periodic reconnaissance activities were observed in at least 7 target mobile networks around the world and given the wide geographic distribution of these targeted mobile operators, it is probable that the threat actor is active on a global scale.

Internal MISP references

UUID cdcfd3e1-4e42-4746-b1f1-66d5ce27b4da which can be used as unique global reference for HiddenArt in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

REF5961

Elastic's security team has published a report on REF5961, a cyber-espionage group they found on the network of a Foreign Affairs Ministry from a member of the Association of Southeast Asian Nations (ASEAN). Elastic says it found the group's tools next to the malware of another cyber-espionage group it tracks as REF2924. REF5961's arsenal includes malware such as EAGERBEE, RUDEBIRD, and DOWNTOWN.

Internal MISP references

UUID 64234b2e-0c78-466d-8253-0df339f99f5f which can be used as unique global reference for REF5961 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

REF2924

A group monitored as REF2924 by Elastic Security Labs is wielding novel data-stealing malware — an HTTP listener written in C# dubbed Naplistener by the researchers — in attacks against victims operating in southern and southeast Asia.According to a blog post by Elastic senior security research engineer Remco Sprooten, in that region of the world, network-based detection and prevention technologies are the de facto method for securing many environments.

Internal MISP references

UUID c46ed7e9-3949-4c57-ab14-177d88f27e2c which can be used as unique global reference for REF2924 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Storm-1133

In early 2023, Microsoft In early 2023, observed a wave of activity from a Gaza-based group that we track as Storm-1133 targeting Israeli private sector energy, defense, and telecommunications organizations.

Internal MISP references

UUID d5908276-068a-4a4f-a60d-ab5800173ccd which can be used as unique global reference for Storm-1133 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country PS

TA499

TA499, also known as Vovan and Lexus, is a Russia-aligned threat actor that has aggressively engaged in email campaigns since at least 2021. The threat actor’s campaigns attempt to convince high-profile North American and European government officials as well as CEOs of prominent companies and celebrities into participating in recorded phone calls or video chats.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA499.

Known Synonyms
Lexus
Vovan
Internal MISP references

UUID 0e9bbcf1-9273-4438-b437-287317bfb989 which can be used as unique global reference for TA499 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BadRory

Kaspersky researchers have identified a new APT group named BadRory that has mounted two waves of spear-phishing attacks against Russian organizations. The campaigns took place in October 2022 and April 2023 and leveraged boobytrapped Office emails. Targets included government entities, military contractors, universities, and hospitals.

Internal MISP references

UUID aa74d1f3-b294-405b-bb18-3ac1c13560a1 which can be used as unique global reference for BadRory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SharpPanda

SharpPanda, an APT group originating from China, has seen a rise in its cyber-attack operations starting from at least 2018. The APT group utilizes spear-phishing techniques to obtain initial access, employing a combination of outdated Microsoft Office document vulnerabilities, novel evasion techniques, and highly potent backdoor malware.

Internal MISP references

UUID 7133a722-088c-4d5a-b2e0-a1f9915f807d which can be used as unique global reference for SharpPanda in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country CN

Guacamaya

Guacamaya has conducted multiple hack and leak campaigns against military and police agencies and mining companies across Latin America, which they believe have played a role in the region’s environmental degradation and repression of native populations.

Internal MISP references

UUID 51f056f5-b596-446e-9394-a310af4e2e75 which can be used as unique global reference for Guacamaya in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DustSquad

Prodaft researchers have published a report on Paperbug, a cyber-espionage campaign carried out by suspected Russian-speaking group Nomadic Octopus and which targeted entities in Tajikistan. According to Prodaft, known compromised victims included high-ranking government officials, telcos, and public service infrastructures. Compromised devices also included OT devices, besides your typical computers, servers, and mobile devices. In typical Prodaft fashion, the company also gained access to one of the group's C&C server backend panels.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DustSquad.

Known Synonyms
Nomadic Octopus
Internal MISP references

UUID 7b227f41-efea-4dc0-8a2a-148893795ce4 which can be used as unique global reference for DustSquad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

KromSec

KromSec is a hacktivist group that claims to be composed of hackers, activists, writers, and journalists. The group has been involved in a number of high-profile cyberattacks, including a cyber offensive against Iran in September 2022 and the sale of the database of the Iran Ministry of Industries and Mines on a hacker forum in November 2023. KromSec's attacks have been met with mixed reactions, but the group has quickly made a name for itself as a significant threat to governments and organizations around the world.

Internal MISP references

UUID f4b81cb7-0492-414f-8bf4-cc806cbff1a9 which can be used as unique global reference for KromSec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cyber Av3ngers

The hacktivist group ‘Cyber Av3ngers’ has historically claimed attacks on Israel’s critical infrastructures. It has been launching DDoS attacks and claiming breach of Israeli networks with supporting data leaks.

Internal MISP references

UUID 286db62d-859d-48e2-9601-1b7abde9f3c3 which can be used as unique global reference for Cyber Av3ngers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Altahrea Team

Altahrea Team is a pro-Iranian hacking group that has been active since at least 2020. The group has claimed responsibility for a number of cyberattacks, including DDoS attacks against Israeli websites, a hack of the Israel Airports Authority website, and a cyberattack on the Orot Yosef power plant in Israel.

Internal MISP references

UUID b87f9ba7-f480-4ed5-b60e-b880e6b519ea which can be used as unique global reference for Altahrea Team in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IQ

1937CN

1937CN is a Chinese hacking group that has been active since at least 2013. The group is known for targeting Vietnamese organizations, including government agencies, businesses, and media outlets. 1937CN has been linked to a number of high-profile cyberattacks, including the hacking of Vietnam Airlines in 2016 and the defacement of Vietnamese government websites in 2015.

Internal MISP references

UUID 391573c5-9c21-4984-b6b8-97d42623d6cc which can be used as unique global reference for 1937CN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

ShroudedSnooper

In September 2023, Cisco Talos identified a new malware family that it calls ‘HTTPSnoop’ being deployed against telecommunications providers in the Middle East. They also discovered a sister implant to 'HTTPSnoop,’ that they are naming ‘PipeSnoop,’ which can accept arbitrary shellcode from a named pipe and execute it on the infected endpoint. Based on these findings, the researchers assess with high confidence that both implants belong to a new intrusion set that it named ‘ShroudedSnooper.’

Internal MISP references

UUID 3437c5a5-4c42-4665-99df-b17bc57a7ba6 which can be used as unique global reference for ShroudedSnooper in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ShinyHunters

ShinyHunters is a cybercriminal group of unknown origin that is motivated by financial gain. The group is known for its sophisticated attacks against a wide range of targets, including businesses, organizations, and government agencies. ShinyHunters typically uses phishing attacks and exploit kits to gain access to victim networks, where they deploy malware to steal sensitive data, such as names, addresses, phone numbers, Social Security numbers, and credit card information.

Internal MISP references

UUID d4fd0a30-15d4-4dfd-bf98-beff5fe34c33 which can be used as unique global reference for ShinyHunters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

IronHusky

IronHusky is a Chinese-based threat actor first attributed in July 2017 targeting Russian and Mongolian governments, as well as aviation companies and research institutes. Since their initial attacks ceased in 2018, they have been working on a new remote access trojan dubbed MysterySnail.

Internal MISP references

UUID 34d1e532-3d47-44cb-b87c-7e9cbba2321e which can be used as unique global reference for IronHusky in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

UserSec

UserSec is a pro-Russian hacking group that has been active since at least 2022. The group is known for its DDoS attacks and has collaborated with other pro-Russian hacking groups. In May 2023, UserSec announced a cyber campaign targeting NATO member states and joined forces with KillNet to launch attacks against NATO.

Internal MISP references

UUID d0e1811e-53f9-48b5-b2ef-107e0f53239b which can be used as unique global reference for UserSec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

UAC-0094

State Service of Special Communication and Information Protection of Ukraine spotted a new wave of cyber attacks aimed at gaining access to users’ Telegram accounts. The Ukrainian CERT attributes the hacking campaign to threat actors tracked as UAC-0094. Threat actors are targeting Telegram users by sending Telegram messages with malicious links to the Telegram website in order to gain unauthorized access to the records and transfer a one-time code from SMS.

Internal MISP references

UUID def3c4e4-9d59-478f-8895-d3850cfa99c3 which can be used as unique global reference for UAC-0094 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

TraderTraitor

TraderTraitor targets blockchain companies through spear-phishing messages. The group sends these messages to employees, particularly those in system administration or software development roles, on various communication platforms, intended to gain access to these start-up and high-tech companies. TraderTraitor may be the work of operators previously responsible for APT38 activity.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TraderTraitor.

Known Synonyms
Jade Sleet
UNC4899
Internal MISP references

UUID 825abfd9-7238-4438-a9e7-c08791f4df4e which can be used as unique global reference for TraderTraitor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

TheDarkOverlord

The Dark Overlord is a financially motivated ransomware group that has been active since 2016. The group is known for targeting large organizations, including Netflix, ABC, and Miramax.

Internal MISP references

UUID 167bd5f9-fa61-4a4e-91bc-3ca0d17294b2 which can be used as unique global reference for TheDarkOverlord in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC2565

UNC2565 is a threat group that has used the GOOTLOADER downloader to deliver Cobalt Strike BEACON. These intrusions have stemmed from victims accessing malicious websites that use SEO techniques to improve Google search rankings. After obtaining a foothold in the environment, UNC2565 has conducted reconnaissance and credential harvesting activity using common tools such as BLOODHOUND and KERBEROAST. UNC2565's motivations are currently unknown but overlaps with activity that has led to SODINOKIBI ransomware. This suggests that the threat group may be financially motivated.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC2565.

Known Synonyms
Hive0127
Internal MISP references

UUID d7d270d2-b91f-4978-a9e9-76fa7f0d8f06 which can be used as unique global reference for UNC2565 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Desorden Group

Desorden (Disorder in Spanish, previously known as ChaosCC), is a financially motivated hacker group. The group first emerged under the new name Desorden in September 2021, on Raidforums. Today the group maintains users under that name on several popular English-speaking hacking forums, where they share their attacks and ransom demands, and offer databases for sale. The group gained an excellent reputation among the cybercriminal communities due to their successful operations and the unique data that they share and offer for sale.

Internal MISP references

UUID e89ebfcb-e7a3-4b2d-b0d7-399bb4904e27 which can be used as unique global reference for Desorden Group in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Confucious

Confucius is an APT organization funded by India. It has been carrying out cyber attacks since 2013. Its main targets are India's neighbouring countries such as Pakistan and China. It has a strong interest in targets in the fields of military, government and energy.

Internal MISP references

UUID 54618130-55d3-4506-b62b-67f2dca12b04 which can be used as unique global reference for Confucious in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IN

Kiss-a-Dog

CrowdStrike identified a cryptojacking campaign targeting vulnerable Docker and Kubernetes infrastructure. Called “Kiss-a-dog,” the campaign targets Docker and Kubernetes infrastructure using an obscure domain from the payload, container escape attempt and anonymized “dog” mining pools.

Internal MISP references

UUID 1db6375f-0471-47c5-8128-5ab1519b01ab which can be used as unique global reference for Kiss-a-Dog in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DEV-1028

Microsoft reported on MCCrash, an IoT botnet operated by the DEV-1028 threat actor and used to launch DDoS attacks against private Minecraft servers.

Internal MISP references

UUID 6616d2ac-2025-47f8-bb1a-1ece2b627c16 which can be used as unique global reference for DEV-1028 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TwoSail Junk

TwoSail Junk directs visitors to its exploit site by posting links within the threads of forum discussions, or creating new topic threads of their own. To date, dozens of visits were recorded from within Hong Kong, with a couple from Macau. The technical details around the functionality of the iOS implant, called LightSpy, and related infrastructure, reveal a low-to-mid capable actor. However, the iOS implant is a modular and exhaustively functional iOS surveillance framework.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TwoSail Junk.

Known Synonyms
Operation Poisoned News
Internal MISP references

UUID 533af03d-e160-4312-a92f-0500055f2b56 which can be used as unique global reference for TwoSail Junk in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Xcatze

Cloud security company Lacework says it discovered a threat actor group named Xcatze that uses a Python named AndroxGh0st to take over AWS servers and send out massive email spam campaigns. Lacework says the malware operates by scanning web apps written in the Laravel PHP framework for exposed configuration files to identify and steal server credentials. Researchers said AndroxGh0st specifically searches for AWS, SendGrid, and Twilio credentials, which it uses to take control of email servers and accounts and send out the spam campaigns.

Internal MISP references

UUID 83764206-8012-47c6-9c7a-dc04c99559e7 which can be used as unique global reference for Xcatze in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

BlueBottle

Bluebottle, a cyber-crime group that specializes in targeted attacks against the financial sector, is continuing to mount attacks on banks in Francophone countries. The group makes extensive use of living off the land, dual-use tools, and commodity malware, with no custom malware deployed in this campaign.

Internal MISP references

UUID 87f1ab70-a102-4566-a09e-838b39c18a62 which can be used as unique global reference for BlueBottle in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Dalbit

The group usually targets vulnerable servers to breach information including internal data from companies or encrypts files and demands money. Their targets of attack are usually Windows servers that are poorly managed or are not patched to the latest version. Besides these, there are also attack cases that targeted email servers or MS-SQL database servers.

Internal MISP references

UUID be4ea668-6a74-44d9-946e-e98e64a8855b which can be used as unique global reference for Dalbit in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

SingularityMD

SingularityMD is a threat actor group that has targeted educational institutions in the US. They gained unauthorized access to their networks by exploiting weak security practices, such as using students' dates of birth as passwords. SingularityMD demanded a ransom in cryptocurrency and threatened to leak stolen information if not paid. They have demonstrated a willingness to follow through on their threats and have already leaked some data.

Internal MISP references

UUID d52a06dd-3ee9-47cf-ad31-b55ca4cbc5cf which can be used as unique global reference for SingularityMD in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

SCARLETEEL

SCARLETEEL is a threat actor that primarily targets cloud environments, specifically AWS and Kubernetes. They have been observed stealing proprietary data and intellectual property, as well as conducting cryptomining operations. SCARLETEEL employs sophisticated tactics and tools to bypass security measures and gain unauthorized access to accounts, often exploiting vulnerabilities in containerized workloads and misconfigurations in AWS policies.

Internal MISP references

UUID e03a7ecb-b8a1-40c5-b5af-638ee6029374 which can be used as unique global reference for SCARLETEEL in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DiceyF

DiceyF is an advanced persistent threat group that has been targeting online casinos and other victims in Southeast Asia for an extended period. They have exhibited overlapping activity with LuckyStar PlugX and Earth Berberoka/GamblingPuppet, as reported by various cybersecurity vendors. While their motivations remain unclear, previous incidents suggest a combination of espionage and intellectual property theft rather than immediate financial gain. DiceyF continuously evolves their codebase and adds encryption capabilities to enhance their stealthy cyberespionage activities.

Internal MISP references

UUID 46de4091-379f-478c-bb6d-5833e2047f15 which can be used as unique global reference for DiceyF in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

DEV-0950

Lace Tempest, also known as DEV-0950, is a threat actor that exploited vulnerabilities in software such as SysAid and PaperCut to gain unauthorized access to systems. Lace Tempest is known for deploying the Clop ransomware and exfiltrating data from compromised networks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0950.

Known Synonyms
Lace Tempest
Internal MISP references

UUID 4581f930-348e-4054-a71c-863871de66ee which can be used as unique global reference for DEV-0950 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

WeRedEvils

WeRedEvils is a hacking group that has claimed responsibility for multiple cyber attacks. They targeted the Iranian Electric Grid and the Tasnimnews website, causing the latter to go offline. The group also claimed to have hacked into Iran's oil infrastructure, causing significant damage. They emerged in response to the Hamas massacre and are believed to be a group of Israeli cyber experts.

Internal MISP references

UUID 7ba756f0-0753-4da9-b00d-8cf35ba84e57 which can be used as unique global reference for WeRedEvils in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IL

WIRTE

WIRTE is a threat actor group that was first discovered in 2018. They are suspected to be part of the Gaza Cybergang, an Arabic politically motivated cyber criminal group. WIRTE has been observed changing their toolkit and operating methods to remain undetected for longer periods of time. They primarily target governmental and political entities, but have also been known to target law firms and financial institutions.

Internal MISP references

UUID ec6bcaa9-4cb3-4397-a735-c806bc986c81 which can be used as unique global reference for WIRTE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country PS

Caracal Kitten

Caracal Kitten is an APT group that has been targeting activists associated with the Kurdistan Democratic Party. They employ a mobile remote access Trojan to gain unauthorized access to victims' devices. The group disguises their malware as legitimate mobile apps, tricking users into installing them and granting the hackers access to their personal data.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caracal Kitten.

Known Synonyms
APT-Q-58
Internal MISP references

UUID 46a67fdf-5376-4d01-8092-6549a20030af which can be used as unique global reference for Caracal Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Water Labbu

Trend Micro discovered a threat actor they named Water Labbu that was targeting cryptocurrency scam websites. Typically, cryptocurrency scammers use social engineering techniques, interacting with victims to gain their trust and then manipulating them into providing the permissions needed to transfer cryptocurrency assets. While Water Labbu managed to steal cryptocurrencies via a similar method by obtaining access permissions and token allowances from their victim’s wallets, unlike other similar campaigns, they did not use any kind of social engineering — at least not directly. Instead, Water Labbu lets other scammers use their social engineering tricks to scam unsuspecting victims.

Internal MISP references

UUID 7f24740c-9370-4968-a92e-667ef2591abe which can be used as unique global reference for Water Labbu in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TAG-56

TAG-56 is a threat actor group that shares similarities with the APT42 group. They use tactics such as fake registration pages and spearphishing to target victims, often using encrypted chat platforms like WhatsApp or Telegram. TAG-56 is believed to be part of a broader campaign led by an Iran-nexus threat activity group. They have been observed using shared web hosts and recycled code, indicating a preference for acquiring purpose-built infrastructure rather than establishing their own.

Internal MISP references

UUID 7cae7378-5595-4d1e-be63-e13216162a20 which can be used as unique global reference for TAG-56 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

TA482

Since early 2022, Proofpoint researchers have observed a prolific threat actor, tracked as TA482, regularly engaging in credential harvesting campaigns that target the social media accounts of mostly US-based journalists and media organizations. This victimology, TA482’s use of services originating from Turkey to host its domains and infrastructure, as well as Turkey’s history of leveraging social media to spread pro-President Recep Tayyip Erdogan and pro-Justice and Development Party (Turkey’s ruling party) propaganda support Proofpoint’s assessment that TA482 is aligned with the Turkish state.

Internal MISP references

UUID 610a7301-5963-4653-8aa2-eeb8573dfad9 which can be used as unique global reference for TA482 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country TR

XakNet

XakNet is a self-proclaimed hacktivist group that has targeted Ukraine. They claim to be comprised of Russian patriotic volunteers and have conducted various threat activities, including DDoS attacks, compromises, data leaks, and website defacements. They coordinate their operations with other hacktivist groups and have connections to APT28, a cyber espionage group sponsored by the GRU.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular XakNet.

Known Synonyms
UAC-0100
UAC-0106
Internal MISP references

UUID 566752f5-a294-4430-b47e-8e705f9887ea which can be used as unique global reference for XakNet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

Zarya

Zarya is a pro-Russian hacktivist group that emerged in March 2022. Initially operating as a special forces unit under the command of Killnet, Zarya has since become an independent entity. The group is primarily known for engaging in Denial-of-Service attacks, website defacement campaigns, and data leaks. Zarya targets government agencies, service providers, critical infrastructure, and civil service employees, both domestically and internationally.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Zarya.

Known Synonyms
UAC-0109
Internal MISP references

UUID 3689f0e2-6c39-4864-ae0b-cc03e4cb695a which can be used as unique global reference for Zarya in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

DarkCasino

DarkCasino is an economically motivated APT group that targets online trading platforms, including cryptocurrencies, online casinos, network banks, and online credit platforms. They are skilled at stealing passwords to access victims' online accounts and have been active for over a year. DarkCasino exploits vulnerabilities, such as the WinRAR vulnerability CVE-2023-38831, to launch phishing attacks and steal online property.

Internal MISP references

UUID b9128c29-8941-48a8-a5be-8076dde03a08 which can be used as unique global reference for DarkCasino in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Prolific Puma

Prolific Puma provides an underground link shortening service to criminals. Infoblox states that during analysis, no legitimate content was observed being served through their shortener. For operation they use a registered domain generation algorithm (RDGA), based upon which they registered between 35k-75k domain names.

Internal MISP references

UUID c8782e46-447c-4c6e-90c0-82f3bf49d64b which can be used as unique global reference for Prolific Puma in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bohrium

Bohrium is an Iranian threat actor that has been involved in spear-phishing operations targeting organizations in the US, Middle East, and India. They often create fake social media profiles, particularly posing as recruiters, to trick victims into running malware on their computers. Microsoft's Digital Crimes Unit has taken legal action and seized 41 domains used by Bohrium to disrupt their activities. The group has shown a particular interest in sectors such as technology, transportation, government, and education.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Bohrium.

Known Synonyms
BOHRIUM
Smoke Sandstorm
Internal MISP references

UUID 111efc97-6a93-487b-8cb3-1e890ac51066 which can be used as unique global reference for Bohrium in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

KAX17

KAX17 is a sophisticated threat actor that has been active since at least 2017. They have operated hundreds of malicious servers within the Tor network, primarily as entry and middle points. Their main objective appears to be collecting information on Tor users and mapping their routes within the network. Despite efforts to remove their servers, KAX17 has shown resilience and continues to operate.

Internal MISP references

UUID 615311f0-58d4-4d1d-ac86-6ba86d119317 which can be used as unique global reference for KAX17 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MirrorFace

MirrorFace is a Chinese-speaking advanced persistent threat group that has been targeting high-value organizations in Japan, including media, government, diplomatic, and political entities. They have been conducting spear-phishing campaigns, utilizing malware such as LODEINFO and MirrorStealer to steal credentials and exfiltrate sensitive data. While there is speculation about their connection to APT10, ESET currently track them as a separate entity.

Internal MISP references

UUID e992d874-604b-4a09-9c6c-0319d5be652a which can be used as unique global reference for MirrorFace in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

VulzSecTeam

VulzSec, also known as VulzSecTeam, is a hacktivist group that has been involved in various cyber-attacks. They have targeted government websites in retaliation for issues such as police brutality and the treatment of Indian Muslims. The group has been involved in campaigns like OpIndia2.0, where they planned to launch DDoS attacks on Indian government websites.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular VulzSecTeam.

Known Synonyms
VulzSec
Internal MISP references

UUID fcb18ca2-ea45-4f5c-a827-ed8b6b697a08 which can be used as unique global reference for VulzSecTeam in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country ID

Chernovite

Chernovite is a highly capable and sophisticated threat actor group that has developed a modular ICS malware framework called PIPEDREAM. They are known for targeting industrial control systems and operational technology environments, with the ability to disrupt, degrade, and potentially destroy physical processes. Chernovite has demonstrated a deep understanding of ICS protocols and intrusion techniques, making them a significant threat to critical infrastructure sectors.

Internal MISP references

UUID 2ce00149-9a25-4dea-8dd5-59bdb68d11a1 which can be used as unique global reference for Chernovite in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

MurenShark

MurenShark is an advanced persistent threat group that operates primarily in the Middle East, with a focus on targeting Turkey. They have shown interest in military projects, as well as research institutes and universities. This group is highly skilled in counter-analysis and reverse traceability, using sophisticated tactics to avoid detection. They utilize compromised websites as file servers and command and control servers, and have been known to use attack tools like NiceRender for phishing purposes.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular MurenShark.

Known Synonyms
Actor210426
Internal MISP references

UUID e5c78742-bf60-4da8-b038-d548ae3f4ecb which can be used as unique global reference for MurenShark in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DriftingCloud

DriftingCloud is a persistent threat actor known for targeting various industries and locations. They are skilled at developing or acquiring zero-day exploits to gain unauthorized access to target networks. Compromising gateway devices is a common tactic used by DriftingCloud, making network monitoring solutions crucial for detecting their attacks.

Internal MISP references

UUID 6f6b187b-971b-4df9-a7ef-9b3fd7e092f7 which can be used as unique global reference for DriftingCloud in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

UNC4191

UNC4191 is a China-linked threat actor that has been involved in cyber espionage campaigns targeting public and private sectors primarily in Southeast Asia. They have been known to use USB devices as an initial infection vector and have been observed deploying various malware families on infected systems. UNC4191's operations have also extended to the US, Europe, and the Asia Pacific Japan region, with a particular focus on the Philippines.

Internal MISP references

UUID df697450-57e0-496b-982c-a167ed41f023 which can be used as unique global reference for UNC4191 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

DragonSpark

DragonSpark is a threat actor that has been conducting attacks primarily targeting organizations in East Asia. They utilize the open-source tool SparkRAT, which is a multi-platform and frequently updated remote access Trojan. The threat actor is believed to be Chinese-speaking based on their use of Chinese language support and compromised infrastructure located in China and Taiwan. They employ various techniques to evade detection, including Golang source code interpretation and the use of the China Chopper webshell.

Internal MISP references

UUID a219a78b-7b91-41b1-bf14-91e31e0bb9da which can be used as unique global reference for DragonSpark in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

FusionCore

The CYFIRMA research team has identified a new up-and-coming European threat actor group known as FusionCore. Running Malware-as-a-service, along with the hacker-for- hire operation, they have a wide variety of tools and services that are being offered on their website, making it a one-stop-shop for threat actors looking to purchase cost- effective yet customizable malware. The operators have started a ransomware affiliate program that equips the attackers with the ransomware and affiliate software to manage victims. FusionCore typically provides sellers with a detailed set of instructions for any service or product being sold, enabling individuals with minimal experience to carry out complex attacks.

Internal MISP references

UUID ab376039-4ede-4dfc-a45b-c80d9d994657 which can be used as unique global reference for FusionCore in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Earth Kitsune

Earth Kitsune is an advanced persistent threat actor that has been active since at least 2019. They primarily target individuals interested in North Korea and use various tactics, such as compromising websites and employing social engineering, to distribute self-developed backdoors. Earth Kitsune demonstrates technical proficiency and continuously evolves their tools, tactics, and procedures. They have been associated with malware such as WhiskerSpy and SLUB.

Internal MISP references

UUID a9f29636-26e4-42f0-95d1-7a49dd6f0a79 which can be used as unique global reference for Earth Kitsune in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

AppMilad

AppMilad is an Iranian hacking group that has been identified as the source of a spyware campaign called RatMilad. This spyware is designed to silently infiltrate victims' devices and gather personal and corporate information, including private communications and photos. The group has been distributing the spyware through fake apps and targeting primarily Middle Eastern enterprises.

Internal MISP references

UUID e284c356-4b77-4f86-a8f2-7793cbe8662b which can be used as unique global reference for AppMilad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

UNC4841

UNC4841 is a well-resourced threat actor that has utilized a wide range of malware and purpose-built tooling to enable their global espionage operations. They have been observed selectively deploying specific malware families at high priority targets, with SKIPJACK being the most widely deployed. UNC4841 primarily targeted government and technology organizations, but they have also been observed targeting other verticals.

Internal MISP references

UUID 8959fbb4-95f0-485d-bba2-db9140b95386 which can be used as unique global reference for UNC4841 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

CL-STA-0043

CL-STA-0043 is a highly skilled and sophisticated threat actor, believed to be a nation-state, targeting governmental entities in the Middle East and Africa. They exploit vulnerabilities in on-premises Internet Information Services and Microsoft Exchange servers to infiltrate target networks. They engage in reconnaissance, locate vital assets, and have been observed using native Windows tools for privilege escalation.

Internal MISP references

UUID 5d0aee14-f18a-44da-a44d-28d950f06b9c which can be used as unique global reference for CL-STA-0043 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DEV-0928

DEV-0928 is a threat actor that has been tracked by Microsoft since September 2022. They are known for their involvement in high-volume phishing campaigns, using tools offered by DEV-1101. DEV-0928 sends phishing emails to targets and has been observed launching campaigns involving millions of emails. They also utilize evasion techniques, such as redirection to benign pages, to avoid detection.

Internal MISP references

UUID 8345dd24-7884-48e3-b231-4791d31afe3d which can be used as unique global reference for DEV-0928 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TEMP_Heretic

TEMP_Heretic is a threat actor that has been observed engaging in targeted spear-phishing campaigns. They exploit vulnerabilities in email platforms, such as Zimbra, to exfiltrate emails from government, military, and media organizations. They use multiple outlook.com email addresses and manually craft content for each email before sending it.

Internal MISP references

UUID 8dfac62e-395e-4e47-b6b6-8ab817ac25c1 which can be used as unique global reference for TEMP_Heretic in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

WeedSec

WeedSec is a threat actor group that recently targeted the online learning and course management platform Moodle. They posted sample databases of Moodle on their Telegram channel, which is widely used by educational institutions and workplaces.

Internal MISP references

UUID 000a2535-8fbf-459d-a067-d10528496a92 which can be used as unique global reference for WeedSec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA444

TA444 is a North Korea state-sponsored threat actor that primarily focuses on financially motivated operations. They have been active since at least 2017 and have recently shifted their attention to targeting cryptocurrencies. TA444 employs various infection methods and has a diverse range of malware and backdoors at their disposal. They have been attributed to stealing hundreds of millions of dollars' worth of cryptocurrency and related assets.

Internal MISP references

UUID 5a38db83-16b3-477f-a045-66a922868eea which can be used as unique global reference for TA444 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

UAC-0006

UAC-0006 is a financially motivated threat actor that has been active since at least 2013. They primarily target Ukrainian organizations, particularly accountants, with phishing emails containing the SmokeLoader malware. Their goal is to steal credentials and execute unauthorized fund transfers, posing a significant risk to financial systems.

Internal MISP references

UUID 013f56ea-a441-483f-812c-c384c790e474 which can be used as unique global reference for UAC-0006 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

NewsPenguin

NewsPenguin is threat actor that has been targeting organizations in Pakistan. They use a complex payload delivery mechanism and exploit the upcoming Pakistan International Maritime Expo & Conference as a lure to trick their victims. The group has been linked to a phishing campaign that leverages spear-phishing emails and weaponized documents to deliver an advanced espionage tool.

Internal MISP references

UUID 4c4a8cb7-b4c4-4637-8e41-dfe19a6b40c7 which can be used as unique global reference for NewsPenguin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

DefrayX

DefrayX is a threat actor group known for their RansomExx ransomware operations. They primarily target Linux operating systems, but also release versions for Windows. The group has been active since 2018 and has targeted various sectors, including healthcare and manufacturing. They have also developed other malware strains such as PyXie RAT, Vatet loader, and Defray ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DefrayX.

Known Synonyms
Hive0091
Internal MISP references

UUID 9c102b55-29ea-4d90-9b36-33ba42f65d79 which can be used as unique global reference for DefrayX in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

PerSwaysion

PerSwaysion is a threat actor known for conducting phishing campaigns targeting high-level executives. They have been active since at least August 2019 and are believed to be based in Vietnam. PerSwaysion has recently updated their techniques, using more direct phishing methods and leveraging Microsoft 365 to steal credentials.

Internal MISP references

UUID a413c605-0e0a-41ca-bae2-5623908fda3a which can be used as unique global reference for PerSwaysion in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country VN

Webworm

Space Pirates is a cybercrime group that has been active since at least 2017. They primarily target Russian companies and have been observed using various malware, including Deed RAT and ShadowPad. The group uses a combination of publicly available tools and their own protocols to communicate with their command-and-control servers.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Webworm.

Known Synonyms
Space Pirates
Internal MISP references

UUID ee306b4d-1b2b-4872-a8f1-d07e7fbab2f0 which can be used as unique global reference for Webworm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

N4ughtysecTU

In March 2022, a hacking group calling themselves N4ughtySecTU claimed to have breached TransUnion’s systems and threatened to leak four terabytes of data if the credit bureau didn’t pay a $15-million (R242-million) ransom.

Internal MISP references

UUID 43236d8e-27ee-40f1-ad15-a2ad23738a76 which can be used as unique global reference for N4ughtysecTU in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country BR

Moshen Dragon

Moshen Dragon is a Chinese-aligned cyberespionage threat actor operating in Central Asia. They have been observed deploying multiple malware triads and utilizing DLL search order hijacking to sideload ShadowPad and PlugX variants. The threat actor also employs various tools, including an LSA notification package and a passive backdoor known as GUNTERS. Their activities involve targeting the telecommunication sector and leveraging Impacket for lateral movement and data exfiltration.

Internal MISP references

UUID 41243ff2-e4f1-4605-9259-ab494c1c8c04 which can be used as unique global reference for Moshen Dragon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

TiltedTemple

One of their notable tools is a custom backdoor called SockDetour, which operates filelessly and socketlessly on compromised Windows servers. The group's activities have been linked to the exploitation of vulnerabilities in Zoho ManageEngine ADSelfService Plus and ServiceDesk Plus.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TiltedTemple.

Known Synonyms
Circle Typhoon
DEV-0322
Internal MISP references

UUID aca6b3d2-1c3b-4674-9de8-975e35723bcf which can be used as unique global reference for TiltedTemple in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

OldGremlin

OldGremlin is a Russian-speaking ransomware group that has been active for several years. They primarily target organizations in Russia, including banks, logistics, industrial, insurance, retail, and IT companies. OldGremlin is known for using phishing emails as an initial infection vector and has developed custom malware for both Windows and Linux systems. They have conducted multiple malicious email campaigns and demand large ransoms from their victims, with some reaching millions of dollars.

Internal MISP references

UUID ad8b73df-c526-4a32-b52f-c7c3c4c058d2 which can be used as unique global reference for OldGremlin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

Storm Cloud

Storm Cloud is a Chinese espionage threat actor known for targeting organizations across Asia, particularly Tibetan organizations and individuals. They use a variety of malware families, including GIMMICK and GOSLU, which are feature-rich and multi-platform. Storm Cloud leverages public cloud hosting services like Google Drive for command-and-control channels, making it difficult to detect their activities.

Internal MISP references

UUID 3baec27f-3827-4a38-82c8-7195a18193f9 which can be used as unique global reference for Storm Cloud in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

CostaRicto

CostaRicto is a cyber-espionage threat actor that operates as a mercenary group, offering its services to various clients globally. They use bespoke malware tools and sophisticated techniques like VPN proxy and SSH tunnelling. While their targets are scattered across different regions, there is a concentration in South Asia.

Internal MISP references

UUID 5587f082-349b-46ab-9e6f-303d9bfd1e1b which can be used as unique global reference for CostaRicto in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA402

TA402 is an APT group that has been tracked by Proofpoint since 2020. They primarily target government entities in the Middle East and North Africa, with a focus on intelligence collection. TA402 is known for using sophisticated phishing campaigns and constantly updating their malware implants and delivery methods to evade detection. They have been observed using cloud services like Dropbox and Google Drive for hosting malicious payloads and command-and-control infrastructure.

Internal MISP references

UUID aad291eb-08d1-4af4-9dd1-e90fe1f2d6c6 which can be used as unique global reference for TA402 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country PS

SilverFish

SilverFish is believed to be a Russian cyberespionage group that has been involved in various cyberattacks, including the use of the SolarWinds breach as an attack vector. SilverFish has been linked to the Wasted Locker ransomware and has displayed a high level of skill and organization in their cyber operations. There are also connections between SilverFish and the threat actor Evil Corp, suggesting a possible evolution or collaboration between the two groups.

Internal MISP references

UUID 55bcc595-2442-4f98-9477-7fe9b507607c which can be used as unique global reference for SilverFish in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Blacktail

Blacktail is a cybercrime group that has gained attention for its ransomware campaigns, particularly the Buhti ransomware. They are known for using custom-built data exfiltration tools and have been observed exploiting vulnerabilities in both Windows and Linux systems.

Internal MISP references

UUID e06e1bcd-7da2-4732-934a-9fa1efa427ad which can be used as unique global reference for Blacktail in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

MalKamak

MalKamak is an Iranian threat actor that has been operating since at least 2018. They have been involved in highly targeted cyber espionage campaigns against global aerospace and telecommunications companies. MalKamak utilizes a sophisticated remote access Trojan called ShellClient, which evades antivirus tools and uses cloud services like Dropbox for command and control.

Internal MISP references

UUID 4915bfa3-5f0a-48ec-8ed5-bcd878cba504 which can be used as unique global reference for MalKamak in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

DragonForce

DragonForce is a hacktivist group based in Malaysia that has been involved in cyberattacks targeting government institutions and commercial organizations in India. They have also targeted websites affiliated with Israel and have shown support for pro-Palestinian causes. The group has been observed using defacement attacks, distributed denial-of-service attacks, and data leaks as part of their campaigns. DragonForce Malaysia has demonstrated an ability to adapt and evolve their tactics over time.

Internal MISP references

UUID 40375ed2-04ec-433f-969d-b9a004c0272e which can be used as unique global reference for DragonForce in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country MY

LightBasin

UNC1945 is an APT group that has been targeting telecommunications companies globally. They use Linux-based implants to maintain long-term access in compromised networks. UNC1945 has demonstrated advanced technical abilities, utilizing various tools and techniques to evade detection and move laterally through networks. They have also been observed targeting other industries, such as financial and professional consulting, and have been linked to other threat actors, including MustangPanada and RedDelta.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular LightBasin.

Known Synonyms
CL-CRI-0025
UNC1945
Internal MISP references

UUID a1955738-563c-413c-8602-ea5b8c89ce21 which can be used as unique global reference for LightBasin in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Red-Lili

RED-LILI is an active threat actor that has been identified by Checkmarx SCS research team. They have been publishing malicious packages on NPM and PyPi platforms, and have recently automated the process of creating NPM users for package publication. The Checkmarx team has detected around 1500 malicious packages associated with RED-LILI and has continuously disclosed their findings to the respective security teams.

Internal MISP references

UUID 99d188cf-31e5-440d-a114-297cb2242d73 which can be used as unique global reference for Red-Lili in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

WildCard

Wildcard is a threat actor that initially targeted Israel's educational sector with the SysJoker malware. They have since expanded their operations and developed additional malware variants, disguised as legitimate software, including one written in the Rust programming language called RustDown. Their precise identity remains unknown, but they have shown advanced capabilities and a focus on critical sectors within Israel.

Internal MISP references

UUID dc8a7137-f56e-41db-a500-920e69fa29f5 which can be used as unique global reference for WildCard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

WildPressure

WildPressure is a threat actor that targets industrial-related entities in the Middle East. They use a variety of programming languages, including C++, VBScript, and Python, to develop their malware. They have been observed using virtual private servers and compromised servers, particularly WordPress websites, in their infrastructure. While there are some minor similarities with other threat actors in the region, there is not enough evidence to make any attribution.

Internal MISP references

UUID 89f5a5cb-514f-46db-8959-6bb9aa991e9f which can be used as unique global reference for WildPressure in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TunnelSnake

The TunnelSnake campaign demonstrates the activity of a sophisticated actor that invests significant resources in designing an evasive toolset and infiltrating networks of high-profile organizations. By leveraging Windows drivers, covert communications channels and proprietary malware, the group behind it maintains a considerable level of stealth. That said, some of its TTPs, like the usage of a commodity webshell and open-source legacy code for loading unsigned drivers, may get detected and in fact were flagged by Kaspersky's product, giving them visibility into the group’s operation.

Internal MISP references

UUID f0bb3d3a-c012-4d12-b621-51192977f190 which can be used as unique global reference for TunnelSnake in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

ScamClub

ScamClub is a threat actor involved in malvertising activities since 2018. They target the Mobile Web market segment, particularly on iOS devices, where security software is often lacking. ScamClub utilizes obfuscation techniques and real-time bidding integration with ad exchanges to push malicious JavaScript payloads, leading to forced redirects and various scams such as phishing and gift card scams.

Internal MISP references

UUID dae45b1c-f957-4242-aa5b-f36b08994bad which can be used as unique global reference for ScamClub in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Daixin Team

Daixin is a threat actor group that has been active since at least June 2022. They primarily target the healthcare and public health sector with ransomware attacks, stealing sensitive data and threatening to release it if a ransom is not paid. They have successfully targeted various industries, including healthcare, aerospace, automotive, and packaged foods. Daixin gains initial access through VPN servers and exploits vulnerabilities or uses phishing attacks to obtain credentials. They have been responsible for cyberattacks on organizations such as the North Texas Municipal Water District and TransForm Shared Service Org, impacting their networks and stealing customer and patient information.

Internal MISP references

UUID 5e32baed-f4b5-4149-8540-7515ad8c4dc0 which can be used as unique global reference for Daixin Team in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC2717

UNC2717 is a threat actor that engages in espionage activities aligned with Chinese government priorities. They demonstrate advanced tradecraft and take measures to avoid detection, making it challenging for network defenders to identify their tools and intrusion methods. UNC2717, along with other Chinese APT actors, has been observed stealing credentials, email communications, and intellectual property. They have targeted global government agencies using malware such as HARDPULSE, QUIETPULSE, and PULSEJUMP.

Internal MISP references

UUID f1d90b54-4821-41ff-8e07-ac650e0454b7 which can be used as unique global reference for UNC2717 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

UNC2659

UNC2659 has been active since at least January 2021. We have observed the threat actor move through the whole attack lifecycle in under 10 days. UNC2659 is notable given their use of an exploit in the SonicWall SMA100 SSL VPN product, which has since been patched by SonicWall. The threat actor appeared to download several tools used for various phases of the attack lifecycle directly from those tools’ legitimate public websites.

Internal MISP references

UUID 697cb051-5315-4026-bf4c-553b49f817a9 which can be used as unique global reference for UNC2659 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

AeroBlade

AeroBlade is a previously unknown threat actor that has been targeting an aerospace organization in the United States. Their objective appears to be conducting commercial and competitive cyber espionage. They employ spear-phishing as a delivery mechanism, using weaponized documents with embedded remote template injection techniques and malicious VBA macro code. The attacks have been ongoing since September 2022, with multiple phases identified in the attack chain. The origin and precise objective of AeroBlade remain unknown.

Internal MISP references

UUID 47739f40-c80c-435a-bedc-0d2b38e87ddc which can be used as unique global reference for AeroBlade in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

WIP19

WIP19 is a Chinese-speaking threat group involved in espionage targeting the Middle East and Asia. They utilize a stolen certificate to sign their malware, including SQLMaggie, ScreenCap, and a credential dumper. The group has been observed targeting telecommunications and IT service providers, using toolsets authored by WinEggDrop. WIP19's activities suggest they are after specific information and are part of the broader Chinese espionage landscape.

Internal MISP references

UUID 21bb2dab-4125-4ae8-8966-c7381659e180 which can be used as unique global reference for WIP19 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

UNC2447

UNC2447 is a financially motivated threat actor with ties to multiple hacker groups. They have been observed deploying ransomware, including FiveHands and Hello Kitty, and engaging in double extortion tactics. They have been active since at least May 2020 and target organizations in Europe and North America.

Internal MISP references

UUID 590ecec6-4047-4d0f-9143-2e367700423d which can be used as unique global reference for UNC2447 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC215

UNC215 is a Chinese nation-state threat actor that has been active since at least 2014. They have targeted organizations in various sectors, including government, technology, telecommunications, defense, finance, entertainment, and healthcare. UNC215 has been observed using tools such as Mimikatz, FOCUSFJORD, and HYPERBRO for initial access and post-compromise activities. They have demonstrated a focus on evading detection and have employed tactics such as using trusted third parties, minimizing forensic evidence, and incorporating false flags. UNC215's targets are located globally, with a particular focus on the Middle East, Europe, Asia, and North America.

Internal MISP references

UUID 9795249f-8954-4632-830f-7e1f0ebc1dd5 which can be used as unique global reference for UNC215 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

DEV-0569

DEV-0569, also known as Storm-0569, is a threat actor group that has been observed deploying the Royal ransomware. They utilize malicious ads and phishing techniques to distribute malware and gain initial access to networks. The group has been linked to the distribution of payloads such as Batloader and has forged relationships with other threat actors. DEV-0569 has targeted various sectors, including healthcare, communications, manufacturing, and education in the United States and Brazil.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular DEV-0569.

Known Synonyms
Storm-0569
Internal MISP references

UUID e883458d-496f-4a94-b916-4b7b83e3d525 which can be used as unique global reference for DEV-0569 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UAC-0118

From Russia with Love, is a threat actor group that emerged during the Russia-Ukraine war in 2022. They primarily engage in DDoS attacks and have targeted critical infrastructure, media, energy, and government entities. FRwL has been linked to the use of the Somnia ransomware, which they employ as a wiper rather than for financial gain. While there is no direct evidence linking FRwL to the Russian Main Intelligence Directorate, it is possible that they coordinate activities with state-aligned hacktivist groups.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UAC-0118.

Known Synonyms
FRwL
FromRussiaWithLove
Internal MISP references

UUID d869486a-ec70-4a74-897e-31aa7b3df48d which can be used as unique global reference for UAC-0118 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UAC-0050

UAC-0050 is a threat actor that has been active since 2020, targeting government agencies in Ukraine. They have been distributing the Remcos RAT malware through phishing campaigns, using tactics such as impersonating the Security Service of Ukraine and sending emails with malicious attachments. The group has also been linked to other hacking collectives, such as UAC-0096, and has previously used remote administration tools like Remote Utilities. The motive behind their attacks is likely espionage.

Internal MISP references

UUID e3ff56b6-2663-46bd-9e5c-017a350896d9 which can be used as unique global reference for UAC-0050 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']

UNC2630

UNC2630 is a threat actor believed to be affiliated with the Chinese government. They engage in cyber espionage activities, targeting organizations aligned with Beijing's strategic objectives. UNC2630 demonstrates advanced tradecraft and employs various malware families, including SLOWPULSE and RADIALPULSE, to compromise Pulse Secure VPN appliances. They also utilize modified binaries and scripts to maintain persistence and move laterally within compromised networks.

Internal MISP references

UUID 86dfe64e-7101-4d45-bb94-efc40c5e14fe which can be used as unique global reference for UNC2630 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Sandman APT

First disclosed in 2023, the Sandman APT is likely associated with suspected China-based threat clusters known for using the KEYPLUG backdoor, specifically STORM-0866/Red Dev 40. Sandman is tracked as a distinct cluster, pending additional conclusive information. A notable characteristic is its use of the LuaDream backdoor. LuaDream is based on the Lua platform, a relatively rare occurrence in the cyberespionage domain, historically associated with APTs considered Western or Western-aligned.

Internal MISP references

UUID 00b84012-fa25-4942-ad64-c76be24828a8 which can be used as unique global reference for Sandman APT in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor China
cfr-suspected-victims ['Middle East', 'Southeast Asian', 'France', 'Egypt', 'Sudan', 'South Sudan', 'Libya', 'Turkey', 'Saudi Arabia', 'Oman', 'Yemen', 'Sri Lanka', 'India', 'Pakistan', 'Iran', 'Afghanistan', 'Kuwait', 'Iraq', 'United Arab Emirates']
cfr-target-category ['Government', 'Telecommunications']
cfr-type-of-incident Espionage
country CN
references ['https://www.sentinelone.com/labs/sandman-apt-china-based-adversaries-embrace-lua/', 'https://www.sentinelone.com/labs/sandman-apt-a-mystery-group-targeting-telcos-with-a-luajit-toolkit/']

BiBiGun

A pro-Hamas hacktivist group developed a wiper called BiBi-Linux to target and destroy data on Israeli systems. The malware impersonates ransomware but operates solely to corrupt and delete files, indicating no data theft. A Windows variant, BiBi-Windows, was also discovered, sharing similarities with BiBi-Linux but targeting all files except executables. ESET researchers have named the group behind the wipers BiBiGun. The group's TTPs have shown overlaps with Moses Staff, which is believed to have an Iran nexus.

Internal MISP references

UUID f8054f5b-45e5-4624-b8d0-1b9c30aa084e which can be used as unique global reference for BiBiGun in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country PS

Storm-1283

Storm-1283 is a threat actor that targeted Microsoft Azure cloud platform. They gained access to user accounts and created OAuth applications using stolen credentials, allowing them to control resources and deploy virtual machines for cryptomining. The targeted organizations incurred significant financial losses ranging from $10,000 to $1.5 million. Storm-1283 utilized compromised accounts and subscriptions to carry out their illicit activities.

Internal MISP references

UUID c9ffcc82-f7ac-46ce-9ea2-91e51d14e11b which can be used as unique global reference for Storm-1283 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Solntsepek

Solntsepek is a threat actor group with ties to the Russian military unit GRU. They have claimed responsibility for a cyberattack on Kyivstar, a Ukrainian mobile operator, and have been linked to previous attacks on Ukrainian infrastructure. Solntsepek has been associated with the Sandworm hacking group, known for their destructive cyberattacks, including the NotPetya worm. They have also engaged in hostile activities, such as revealing personal details of Ukrainian soldiers.

Internal MISP references

UUID 0b792fbe-87c2-42c5-8d0d-97c7d47078b5 which can be used as unique global reference for Solntsepek in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

UNC4736

UNC4736 is a North Korean threat actor that has been involved in supply chain attacks targeting software chains of 3CX and X_TRADER. They have used malware strains such as TAXHAUL, Coldcat, and VEILEDSIGNAL to compromise Windows and macOS systems. UNC4736 has been linked to financially motivated cybercrime operations, particularly focused on cryptocurrency and fintech-related services. They have also demonstrated infrastructure overlap with other North Korean and APT43 activity.

Internal MISP references

UUID afe5526e-e5e4-4b05-bc69-2bfb6785fc7e which can be used as unique global reference for UNC4736 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

GambleForce

GambleForce is a threat actor specializing in SQL injection attacks. They have targeted over 20 websites in various sectors across multiple countries, compromising six companies. GambleForce utilizes publicly available pentesting tools and has been active since mid-September 2023.

Internal MISP references

UUID 94ce7925-1a37-4b02-a25b-b87a389c92b3 which can be used as unique global reference for GambleForce in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GREF

GREF is a China-aligned APT group that has been active since at least March 2017. They are known for using custom backdoors, loaders, and ancillary tools in their targeted attacks. Recently, they have been attributed to two active Android campaigns that distribute the BadBazaar malware through malicious apps on official and alternative app stores. GREF has targeted Android users, particularly Uyghurs and other Turkic ethnic minorities outside of China, using trojanized versions of popular messaging apps like Signal and Telegram.

Internal MISP references

UUID e6d16c22-0780-483c-9920-c1d9f27b10c8 which can be used as unique global reference for GREF in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

PhantomControl

PhantomControl is a sophisticated threat actor that emerged in November 2023. They utilize phishing emails as their initial infection vector and employ a ScreenConnect client to establish a connection for their malicious activities. Their arsenal includes a VBS script that hides its true intentions and reveals a complex mechanism involving PowerShell scripts and image-based data retrieval. PhantomControl has been associated with the Blind Eagle threat actors, showcasing their versatility and reach.

Internal MISP references

UUID a2208d56-8f08-4ca3-a304-8bdc334b5ebf which can be used as unique global reference for PhantomControl in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Team-Xecuter

Team-Xecuter is a hacking group led by Gary Bowser, also known as GaryOPA. They were involved in a piracy conspiracy against Nintendo, creating and selling illegal circumvention devices that allowed users to hack video game consoles for playing pirated games. Gary Bowser has admitted his participation in this activity and is facing legal consequences.

Internal MISP references

UUID ef9f4e6d-4262-4fca-9535-56af9e46281f which can be used as unique global reference for Team-Xecuter in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

KelvinSecurity

KelvinSecurity is a hacker group that has been active since at least 2015. They are known for their hacktivist and black hat activities, targeting public and private organizations globally. The group sells and leaks databases, documents, and access belonging to their victims, often on the dark web or their own platforms. They have been involved in attacks against various sectors, including telecommunications, political parties, and healthcare.

Internal MISP references

UUID 7b8845d9-d7f5-4895-9dcc-54da3492bd55 which can be used as unique global reference for KelvinSecurity in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country ES

Storm-1113

Storm-1113 is a threat actor that acts both as an access broker focused on malware distribution through search advertisements and as an “as-a-service” entity providing malicious installers and landing page frameworks. In Storm-1113 malware distribution campaigns, users are directed to landing pages mimicking well-known software that host installers, often MSI files, that lead to the installation of malicious payloads. Storm-1113 is also the developer of EugenLoader, a commodity malware first observed around November 2022.

Internal MISP references

UUID 993e81e8-63f4-4666-9538-4053a69287ba which can be used as unique global reference for Storm-1113 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

HomeLand Justice

HomeLand Justice is an Iranian state-sponsored cyber threat group that has been active since at least May 2021. They have targeted various organizations, including a well-known telecommunication company and the Albanian Parliament. The group engaged in information operations and messaging campaigns to amplify the impact of their attacks.

Internal MISP references

UUID bfc538e1-9205-420a-8641-6292023ecd08 which can be used as unique global reference for HomeLand Justice in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

UAC-0099

UAC-0099 is a threat actor that has been active since at least May 2023, targeting Ukrainian entities. They have been observed using a known WinRAR vulnerability to carry out attacks, indicating a level of sophistication. The actor relies on PowerShell and the creation of scheduled tasks to execute malicious VBS files for initial infection. Monitoring and limiting the functionality of these components can help mitigate the risk of UAC-0099 attacks.

Internal MISP references

UUID 267488cb-159a-46d6-a6d6-fe93c90360b2 which can be used as unique global reference for UAC-0099 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Gray Sandstorm

Gray Sandstorm is an Iran-linked threat actor that has been active since at least 2012. They have targeted defense technology companies, maritime transportation companies, and Persian Gulf ports of entry. Their primary method of attack is password spraying, and they have been observed using tools like o365spray. They have a specific focus on US and Israeli targets and are likely operating in support of Iranian interests.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Gray Sandstorm.

Known Synonyms
DEV-0343
Internal MISP references

UUID 6ea73b7f-b2e5-4e6d-a1ff-705f91175613 which can be used as unique global reference for Gray Sandstorm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Threatsec

ThreatSec is a hacktivist group that has targeted various organizations, including internet service providers in Gaza. They claim to fight for the rights and freedom of the oppressed and do not prioritize monetary gain. The group is part of the "Five Families" consortium, which includes other hacktivist groups such as GhostSec and Stormous. ThreatSec has been involved in cyberattacks, data breaches, and ransomware activities.

Internal MISP references

UUID 179deaab-12d2-4371-b499-51b925546a22 which can be used as unique global reference for Threatsec in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cyber Toufan

Cyber Toufan is a threat actor group that has gained prominence for its cyberattacks targeting Israeli organizations. The group's tactics suggest potential nation-state backing, possibly from Iran. They have been involved in hack-and-leak operations, data breaches, and data destruction, impacting over 100 organizations. Cyber Toufan's activities align with geopolitical tensions in the Middle East and their attacks are characterized by a combination of technical breaches and psychological warfare.

Internal MISP references

UUID 3decddc7-e554-48d8-8304-38b243fc9ccb which can be used as unique global reference for Cyber Toufan in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Water Curupira

With its emergence in 2022, Water Curupira has established itself as a persistent threat actor targeting organizations primarily in South America and Europe. Their modus operandi involves a combination of social engineering tactics and a diversified malware arsenal, including ransomware variants like Black Basta and credential stealers like Cobalt Strike. This multifaceted approach enables them to gain unauthorized access to victim systems, steal sensitive data, and ultimately extort victims through ransomware demands. It has been actively using Pikabot, a loader malware with similarities to Qakbot, in spam campaigns throughout 2023.

Internal MISP references

UUID a36266ce-2374-472a-a715-13b99e38e74e which can be used as unique global reference for Water Curupira in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UTA0178

While Volexity largely observed the attacker essentially living off the land, they still deployed a handful of malware files and tools during the course of the incident which primarily consisted of webshells, proxy utilities, and file modifications to allow credential harvesting. Once UTA0178 had access into the network via the ICS VPN appliance, their general approach was to pivot from system to system using compromised credentials. They would then further compromise credentials of users on any new system that was breached, and use these credentials to log into additional systems via RDP. Volexity observed the attacker obtaining credentials in a variety of ways.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UTA0178.

Known Synonyms
Red Dev 61
UNC5221
Internal MISP references

UUID f288f686-b5b3-4c86-9960-5f8fb18709a3 which can be used as unique global reference for UTA0178 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']
country CN
Related clusters

To see the related clusters, click here.

TAG-28

TAG-28 is a Chinese state-sponsored threat actor that has been targeting Indian organizations, including media conglomerates and government agencies. They have been using the Winnti malware, which is commonly shared among Chinese state-sponsored groups. TAG-28's main objective is to gather intelligence on Indian targets, potentially for espionage purposes.

Internal MISP references

UUID 6c706d8b-95a4-428d-9de5-b68b29b1893c which can be used as unique global reference for TAG-28 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Flax Typhoon

Flax Typhoon is a Chinese state-sponsored threat actor that primarily targets organizations in Taiwan. They conduct espionage campaigns and focus on gaining and maintaining long-term access to networks using minimal malware. Flax Typhoon relies on tools built into the operating system and legitimate software to remain undetected. They exploit vulnerabilities in public-facing servers, use living-off-the-land techniques, and deploy a VPN connection to maintain persistence and move laterally within compromised networks.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Flax Typhoon.

Known Synonyms
Ethereal Panda
Storm-0919
Internal MISP references

UUID 50ee2b1b-979e-4507-8747-8597a95938f6 which can be used as unique global reference for Flax Typhoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Cyber Partisans

The Cyber Partisans, a hacktivist group based in Belarus, has been involved in various cyber-attacks targeting organizations and infrastructure in Belarus and Ukraine. They have hacked and wiped the network of the Belarusian Telegraph Agency, targeted the Belarusian Red Cross, and conducted ransomware attacks on the Belarusian Railway and Belarusian State University. The group aims to expose alleged crimes committed by pro-government organizations and disrupt operations supporting the Russian military operation against Ukraine. They have also leaked stolen data to journalists and expressed support for Ukraine.

Internal MISP references

UUID a9f894c6-70ab-4174-b470-5999fe93d4f3 which can be used as unique global reference for Cyber Partisans in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country BY

Caliente Bandits

Caliente Bandits is a highly active threat group that targets multiple industries, including finance and entertainment. They distribute the Bandook remote access trojan using Spanish-language lures through low-volume email campaigns. The group primarily impacts individuals with Spanish surnames and conducts reconnaissance to obtain employee data. They masquerade as companies in South America and use Hotmail or Gmail email addresses.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caliente Bandits.

Known Synonyms
TA2721
Internal MISP references

UUID 6a77a337-bfa0-416c-8c06-1d489d0d6838 which can be used as unique global reference for Caliente Bandits in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cotton Sandstorm

Cotton Sandstorm is an Iranian threat actor involved in hack-and-leak operations. They have targeted various organizations, including the French satirical magazine Charlie Hebdo, where they obtained and leaked personal information of over 200,000 customers. The group has been linked to the Iranian government and has been sanctioned by the US Treasury

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cotton Sandstorm.

Known Synonyms
Emennet Pasargad
Holy Souls
MARNANBRIDGE
NEPTUNIUM
Internal MISP references

UUID bbb389f2-344f-4ca8-a9c9-902061f88deb which can be used as unique global reference for Cotton Sandstorm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['United States', 'Israel', 'Middle East', 'Europe']
cfr-target-category ['Government', 'Finance', 'High-Tech', 'Telecoms', 'NGOs', 'Civil Society', 'Rail', 'Energy']
cfr-type-of-incident Information Operations
country IR

Blackwood

Blackwood is a China-aligned APT group that has been active since at least 2018. They primarily engage in cyberespionage operations targeting individuals and companies in China, Japan, and the United Kingdom. Blackwood utilizes sophisticated techniques such as adversary-in-the-middle attacks to deliver their custom implant, NSPX30, through updates of legitimate software. They also have the capability to hide the location of their command and control servers by intercepting traffic generated by the implant.

Internal MISP references

UUID 46e26e5c-ad74-45aa-a654-1afef67f4566 which can be used as unique global reference for Blackwood in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Denim Tsunami

Denim Tsunami is a threat actor group that has been involved in targeted attacks against European and Central American customers. They have been observed using multiple Windows and Adobe 0-day exploits, including one for CVE-2022-22047, which is a privilege escalation vulnerability. Denim Tsunami developed a custom malware called Subzero, which has capabilities such as keylogging, capturing screenshots, data exfiltration, and running remote shells. They have also been associated with the Austrian spyware distributor DSIRF.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Denim Tsunami.

Known Synonyms
DSIRF
KNOTWEED
Internal MISP references

UUID 79a347d9-1938-4550-8836-98e4ed95f77c which can be used as unique global reference for Denim Tsunami in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country AT

Blue Tsunami

Blue Tsunami, also known as Black Cube, is a cyber mercenary group associated with the private intelligence firm Black Cube. They target individuals in various industries, including human rights, finance, and consulting. Blue Tsunami engages in social engineering and uses techniques such as honeypot profiles, fake jobs, and fake companies to gather human intelligence for their clients. LinkedIn and Microsoft recently took down numerous fake accounts and company pages linked to Blue Tsunami.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Blue Tsunami.

Known Synonyms
Black Cube
Internal MISP references

UUID 46104ded-49f5-4440-bd25-e05c1126f0ba which can be used as unique global reference for Blue Tsunami in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IL

Cuboid Sandstorm

Cuboid Sandstorm is an Iranian threat actor that targeted an Israel-based IT company in July 2021. They gained access to the company's network and used it to compromise downstream customers in the defense, energy, and legal sectors in Israel. The group also utilized custom implants, including a remote access Trojan disguised as RuntimeBroker.exe or svchost.exe, to establish persistence on victim hosts.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cuboid Sandstorm.

Known Synonyms
DEV-0228
Internal MISP references

UUID a4004712-f74b-4c8c-b1fb-bb7229bc2da1 which can be used as unique global reference for Cuboid Sandstorm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Pearl Sleet

Pearl Sleet is a nation state activity group based in North Korea that has been active since at least 2012. They primarily target defectors from North Korea, media organizations in carrying out their cyber espionage activities.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pearl Sleet.

Known Synonyms
DEV-0215
LAWRENCIUM
Internal MISP references

UUID ef0d776a-51de-4965-ba1c-69ed256e0e5d which can be used as unique global reference for Pearl Sleet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

Carmine Tsunami

Carmine Tsunami is a threat actor linked to an Israel-based private sector offensive actor called QuaDream. QuaDream sells a platform called REIGN to governments for law enforcement purposes, which includes exploits, malware, and infrastructure for data exfiltration from mobile devices. Carmine Tsunami is associated with the iOS malware called KingsPawn and has targeted civil society victims, including journalists, political opposition figures, and NGO workers, in various regions. They utilize domain registrars and inexpensive cloud hosting providers, often using single domains per IP address and deploying free Let's Encrypt SSL certificates.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Carmine Tsunami.

Known Synonyms
DEV-0196
QuaDream
Internal MISP references

UUID fa76ce6a-f434-4d4a-817f-c4bd0a3f803c which can be used as unique global reference for Carmine Tsunami in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IL

Mustard Tempest

Mustard Tempest is a threat actor that primarily uses malvertising as their main technique to gain access to and profile networks. They deploy FakeUpdates, disguised as browser updates or software packages, to lure targets into downloading a ZIP file containing a JavaScript file. Once executed, the JavaScript framework acts as a loader for other malware campaigns, often Cobalt Strike payloads. Mustard Tempest has been associated with the cybercrime syndicate Mustard Tempest, also known as EvilCorp, and has been involved in ransomware attacks using payloads such as WastedLocker, PhoenixLocker, and Macaw.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Mustard Tempest.

Known Synonyms
DEV-0206
Purple Vallhund
Internal MISP references

UUID 3ce9610b-2435-4c41-80d1-3f95a5ff2984 which can be used as unique global reference for Mustard Tempest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC4990

UNC4990 is a financially motivated threat actor that has been active since at least 2020. They primarily target users in Italy and rely on USB devices for initial infection. The group has evolved their tactics over time, using encoded text files on popular websites like GitHub and Vimeo to host payloads. They have been observed using sophisticated backdoors like QUIETBOARD and EMPTYSPACE, and have targeted organizations in various industries, particularly in Italy.

Internal MISP references

UUID 7db46444-2d27-4922-8a21-98f8509476dc which can be used as unique global reference for UNC4990 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IT

Caramel Tsunami

Caramel Tsunami is a threat actor that specializes in spyware attacks. They have recently resurfaced with an updated toolset and zero-day exploits, targeting specific victims through watering hole attacks. Candiru has been observed exploiting vulnerabilities in popular browsers like Google Chrome and using third-party signed drivers to gain access to the Windows kernel. They have also been linked to other spyware vendors and have been associated with extensive abuses of their surveillance tools.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Caramel Tsunami.

Known Synonyms
Candiru
SOURGUM
Internal MISP references

UUID 062938a2-6fa1-4217-ad73-f5e0b5186966 which can be used as unique global reference for Caramel Tsunami in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-0867

Storm-0867 is a threat actor that has been active since 2012 and has targeted various industries and regions. They employ sophisticated phishing campaigns, utilizing social engineering techniques and a phishing as a service platform called Caffeine. Their attacks involve intercepting and manipulating communication between users and legitimate services, allowing them to steal passwords, hijack sign-in sessions, bypass multifactor authentication, and modify authentication methods.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0867.

Known Synonyms
DEV-0867
Internal MISP references

UUID dc1d0202-8976-4d15-810d-4af0feff6af9 which can be used as unique global reference for Storm-0867 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country EG

Velvet Tempest

Velvet Tempest is a threat actor associated with the BlackCat ransomware group. They have been observed deploying multiple ransomware payloads, including BlackCat, and have targeted various industries such as energy, fashion, tobacco, IT, and manufacturing. Velvet Tempest relies on access brokers to gain network access and utilizes tools like Cobalt Strike Beacons and PsExec for lateral movement and payload staging. They exfiltrate stolen data using a tool called StealBit and frequently disable unprotected antivirus products.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Velvet Tempest.

Known Synonyms
DEV-0504
Internal MISP references

UUID 209b1452-7062-46f8-9037-3be5f7eda54f which can be used as unique global reference for Velvet Tempest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Sunglow Blizzard

DEV-0665 is a threat actor associated with the HermeticWiper attacks. Their objective is to disrupt, degrade, and destroy specific resources within a targeted country.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Sunglow Blizzard.

Known Synonyms
DEV-0665
Internal MISP references

UUID 9c0f0db1-b773-42ff-a6f7-d4b6c1d28ca4 which can be used as unique global reference for Sunglow Blizzard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

Vanilla Tempest

Vice Society is a ransomware group that has been active since at least June 2021. They primarily target the education and healthcare sectors, but have also been observed targeting the manufacturing industry. The group has used multiple ransomware families and has been known to utilize PowerShell scripts for their attacks. There are similarities between Vice Society and the Rhysida ransomware group, suggesting a potential connection or rebranding.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Vanilla Tempest.

Known Synonyms
DEV-0832
Vice Society
Internal MISP references

UUID c4132d43-2405-43ca-9940-a6f78e007861 which can be used as unique global reference for Vanilla Tempest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Lilac Typhoon

Lilac Typhoon is a threat actor attributed to China. They have been identified as exploiting the Atlassian Confluence RCE vulnerability CVE-2022-26134, which allows for remote code execution. This vulnerability has been used in cryptojacking campaigns and is included in commercial exploit frameworks. Lilac Typhoon has also been involved in deploying various payloads such as Cobalt Strike, web shells, botnets, coin miners, and ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Lilac Typhoon.

Known Synonyms
DEV-0234
Internal MISP references

UUID b80be7a7-6d06-4da7-8ae0-302a198e7c73 which can be used as unique global reference for Lilac Typhoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Ruby Sleet

Ruby Sleet is a threat actor linked to North Korea's Ministry of State Security. Cerium has been involved in spear-phishing campaigns, compromising devices, and conducting cyberattacks alongside other North Korean threat actors. They have also targeted companies involved in COVID-19 research and vaccine development.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Ruby Sleet.

Known Synonyms
CERIUM
Internal MISP references

UUID 03ff54cf-f7d4-4606-a531-2ca6d4fa6a54 which can be used as unique global reference for Ruby Sleet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

Raspberry Typhoon

Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Raspberry Typhoon.

Known Synonyms
RADIUM
Internal MISP references

UUID 37f012df-54d8-4b3d-a288-af47240430ea which can be used as unique global reference for Raspberry Typhoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Phlox Tempest

Phlox Tempest is a threat actor responsible for a large-scale click fraud campaign targeting users through YouTube comments and malicious ads. They use ChromeLoader to infect victims' computers with malware, often delivered as ISO image files that victims are tricked into downloading. The attackers aim to profit from clicks generated by malicious browser extensions or node-WebKit installed on the victim's device. Microsoft and other cybersecurity organizations have issued warnings about this ongoing and prevalent campaign.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Phlox Tempest.

Known Synonyms
DEV-0796
Internal MISP references

UUID dd012c50-4f4f-4485-ac52-294a341f03e5 which can be used as unique global reference for Phlox Tempest in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-1295

Storm-1295 is a threat actor group that operates the Greatness phishing-as-a-service platform. They utilize synchronous relay servers to present targets with a replica of a sign-in page, resembling traditional phishing attacks. Their adversary-in-the-middle capability allows Storm-1295 to offer their services to other attackers. Active since mid-2022, Storm-1295 is tracked by Microsoft and is known for their involvement in the Greatness PhaaS platform.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1295.

Known Synonyms
DEV-1295
Internal MISP references

UUID 5f485e47-18ad-4302-85a1-0a390fe90dc1 which can be used as unique global reference for Storm-1295 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-1167

Storm-1167 is a threat actor tracked by Microsoft, known for their use of an AiTM phishing kit. They were responsible for launching an attack that led to Business Email Compromise activity.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1167.

Known Synonyms
DEV-1167
Internal MISP references

UUID 17fb8267-44a3-405b-b6b9-ba7fdeb56693 which can be used as unique global reference for Storm-1167 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country ID

Opal Sleet

Konni is a threat actor associated with APT37, a North Korean cyber crime group. They have been active since 2012 and are known for their cyber-espionage activities. Konni has targeted various sectors, including education, government, business organizations, and the cryptocurrency industry. They have exploited vulnerabilities such as CVE-2023-38831 and have used malware like KonniRAT to gain control of victim hosts and steal important information.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Opal Sleet.

Known Synonyms
Konni
OSMIUM
Vedalia
Internal MISP references

UUID 5f71a9ea-511d-4fdd-9807-271ef613f488 which can be used as unique global reference for Opal Sleet in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

Storm-1044

Storm-1044 has been identified as part of a cyber campaign in collaboration with Twisted Spider. They employ a strategic approach, targeting specific endpoints using an initial access trojan called DanaBot. Once they gain access, Storm-1044 initiates lateral movement through Remote Desktop Protocol sign-in attempts, passing control to Twisted Spider. Twisted Spider then compromises the endpoints by introducing the CACTUS ransomware. Microsoft has detected ongoing malvertising attacks involving Storm-1044, leading to the deployment of CACTUS ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1044.

Known Synonyms
DEV-1044
Internal MISP references

UUID 5ec7a98e-9725-4f87-8a6e-91e2b4ba04ac which can be used as unique global reference for Storm-1044 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Pink Sandstorm

Agonizing Serpens is an Iranian-linked APT group that has been active since 2020. They are known for their destructive wiper and fake-ransomware attacks, primarily targeting Israeli organizations in the education and technology sectors. The group has strong connections to Iran's Ministry of Intelligence and Security and has been observed using various tools and techniques to bypass security measures. They aim to steal sensitive information, including PII and intellectual property, and inflict damage by wiping endpoints.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Pink Sandstorm.

Known Synonyms
AMERICIUM
Agonizing Serpens
Agrius
BlackShadow
DEV-0022
Internal MISP references

UUID 0876c327-c82a-45f7-82fa-267c312ceb05 which can be used as unique global reference for Pink Sandstorm in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Storm-1084

Storm-1084 is a threat actor that has been observed collaborating with the MuddyWater group. They have used the DarkBit persona to mask their involvement in targeted attacks. Storm-1084 has been linked to destructive actions, including the encryption of on-premise devices and deletion of cloud resources. They have been observed using tools such as Rport, Ligolo, and a customized PowerShell backdoor. The extent of their autonomy or collaboration with other Iranian threat actors is currently unclear.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1084.

Known Synonyms
DEV-1084
Internal MISP references

UUID 2cc32087-f242-4091-8634-4554635b7a58 which can be used as unique global reference for Storm-1084 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Storm-1099

Storm-1099 is a sophisticated Russia-affiliated influence actor that has been conducting pro-Russia influence operations targeting international supporters of Ukraine since Spring 2022. They are known for their website forgery operation called "Doppelganger" and have been actively spreading false information. They have been involved in pushing the claim that Hamas acquired Ukrainian weapons for an attack on Israel. Storm-1099 has also been implicated in amplifying images of graffiti in Paris, suggesting possible Russian involvement and aligning with Russia's Active Measures playbook.

Internal MISP references

UUID b05a2a56-08dc-4827-9aef-aaade91016a4 which can be used as unique global reference for Storm-1099 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

Storm-1286

Storm-1286 is a threat actor that engages in large-scale spamming activities, primarily targeting user accounts without multifactor authentication enabled. They employ password spraying attacks to compromise these accounts and utilize legacy authentication protocols like IMAP and SMTP. In the past, they have attempted to compromise admin accounts and create new LOB applications with high administrative permissions to spread spam. Despite previous actions taken by Microsoft Threat Intelligence, Storm-1286 continues to explore new methods to establish a high-scale spamming platform within victim organizations using non-privileged users.

Internal MISP references

UUID 375988ab-91b9-419e-8646-a4783b931288 which can be used as unique global reference for Storm-1286 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-1101

DEV-1101 is a threat actor tracked by Microsoft who is responsible for developing and advertising phishing kits, specifically AiTM phishing kits. These kits are capable of bypassing multifactor authentication and are available for purchase or rent by other cybercriminals. DEV-1101 offers an open-source kit with various enhancements, such as mobile device management and CAPTCHA evasion. Their tool has been used in high-volume phishing campaigns by multiple actors, including DEV-0928, and is sold for $300 with VIP licenses available for $1,000.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1101.

Known Synonyms
DEV-1101
Internal MISP references

UUID 8081af2c-442f-4487-9cf7-022cbe010b8f which can be used as unique global reference for Storm-1101 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-0381

Storm-0381 is a threat actor identified by Microsoft as a Russian cybercrime group. They are known for their use of malvertising to deploy Magniber, a type of ransomware.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0381.

Known Synonyms
DEV-0381
Internal MISP references

UUID 874860fe-5aee-4c94-aee1-2166c225c41e which can be used as unique global reference for Storm-0381 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

Storm-0530

H0lyGh0st is a North Korean threat actor that has been active since June 2021. They are responsible for developing and deploying the H0lyGh0st ransomware, which targets small-to-medium businesses in various sectors. The group employs "double extortion" tactics, encrypting data and threatening to publish it if the ransom is not paid. There are connections between H0lyGh0st and the PLUTONIUM APT group, indicating a possible affiliation.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0530.

Known Synonyms
DEV-0530
H0lyGh0st
Internal MISP references

UUID 47945864-c233-46e7-8b96-b427b97b0ebf which can be used as unique global reference for Storm-0530 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KP

Storm-0539

Storm-0539 is a financially motivated threat actor that has been active since at least 2021. They primarily target retail organizations for gift card fraud and theft. Their tactics include phishing via emails or SMS to distribute malicious links that redirect users to phishing pages designed to steal credentials and session tokens. Once access is gained, Storm-0539 registers a device for secondary authentication prompts, bypassing multi-factor authentication and gaining persistence in the environment. They also collect emails, contact lists, and network configurations for further attacks against the same organizations.

Internal MISP references

UUID 760b350c-522e-432d-80c5-7aab0eaf8873 which can be used as unique global reference for Storm-0539 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-1152

Storm-1152, a cybercriminal group, was recently taken down by Microsoft for illegally reselling Outlook accounts. They operated by creating approximately 750 million fraudulent Microsoft accounts and earned millions of dollars in illicit revenue. Storm-1152 also offered CAPTCHA-solving services and was connected to ransomware and extortion groups. Microsoft obtained a court order to seize their infrastructure and domains, disrupting their operations.

Internal MISP references

UUID e18dca82-0524-4338-9a66-e13e67c81ac4 which can be used as unique global reference for Storm-1152 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country VN

Storm-1567

Storm-1567 is the threat actor behind the Ransomware-as-a-Service Akira. They attacked Swedish organizations in March 2023. This ransomware utilizes the ChaCha encryption algorithm, PowerShell, and Windows Management Instrumentation (WMI). Microsoft's Defender for Endpoint successfully blocked a large-scale hacking campaign carried out by Storm-1567, highlighting the effectiveness of their security solution.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-1567.

Known Synonyms
Akira
Internal MISP references

UUID 3a912680-6f38-4fe7-9941-744f0e2280b3 which can be used as unique global reference for Storm-1567 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-0829

Nwgen is a group that focuses on data exfiltration and ransomware activities. They have been found to share techniques with other threat groups such as Karakurt, Lapsus$, and Yanluowang. Nwgen has been observed carrying out attacks and deploying ransomware, encrypting files and demanding a ransom of $150,000 in Monero cryptocurrency for the decryption software.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Storm-0829.

Known Synonyms
DEV-0829
Nwgen Team
Internal MISP references

UUID 3e595289-05b8-43fc-bd88-f8650436447f which can be used as unique global reference for Storm-0829 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-1674

Storm-1674 is an access broker known for using tools based on the publicly available TeamsPhisher tool to distribute DarkGate malware. Storm-1674 campaigns have typically relied on phishing lures sent over Teams with malicious attachments, such as ZIP files containing a LNK file that ultimately drops DarkGate and Pikabot. In September 2023, Microsoft observed handoffs from Storm-1674 to ransomware operators that have led to Black Basta ransomware deployment.

Internal MISP references

UUID eb7b5ed7-cf9d-4c72-8f89-a2ee070b89b6 which can be used as unique global reference for Storm-1674 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-0835

Cybercriminals have launched a phishing campaign targeting senior executives in U.S. firms, using the EvilProxy phishing toolkit for credential harvesting and account takeover attacks. This campaign, initiated in July 2023, primarily targets sectors such as banking, financial services, insurance, property management, real estate, and manufacturing. The attackers exploit an open redirection vulnerability on the job search platform "indeed.com," redirecting victims to malicious phishing pages impersonating Microsoft. EvilProxy functions as a reverse proxy, intercepting credentials, two-factor authentication codes, and session cookies to hijack accounts. The threat actors, known as Storm-0835 by Microsoft, have hundreds of customers who pay monthly fees for their services, making attribution difficult. The attacks involve sending phishing emails with deceptive links to Indeed, redirecting victims to EvilProxy pages for credential harvesting.

Internal MISP references

UUID 2da09284-be56-49cd-ad18-993a6eb17af2 which can be used as unique global reference for Storm-0835 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Storm-1575

Storm-1575 is a threat actor identified by Microsoft as being involved in phishing campaigns using the Dadsec platform. They utilize hundreds of Domain Generated Algorithm domains to host credential harvesting pages and target global organizations to steal Microsoft 365 credentials.

Internal MISP references

UUID 2485a9cb-b41c-43bd-8b1c-c64e919c0a4e which can be used as unique global reference for Storm-1575 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA2552

Since January 2020, Proofpoint researchers have tracked an actor abusing Microsoft Office 365 (O365) third-party application (3PA) access, with suspected activity dating back to August 2019. The actor, known as TA2552, uses well-crafted Spanish language lures that leverage a narrow range of themes and brands. The lures entice users to click a link in the message, taking them to the legitimate Microsoft third-party apps consent page. There they are prompted to grant a third-party application read-only user permissions to their O365 account via OAuth2 or other token-based authorization methods. TA2552 seeks access to specific account resources like the user’s contacts and mail. Requesting read-only permissions for such account resources could be used to conduct account reconnaissance, silently steal data, or to intercept password reset messages from other accounts such as those at financial institutions. While organizations with global presence have received messages from this group, they appear to choose recipients who are likely Spanish speakers.

Internal MISP references

UUID e9de47f0-3e68-465c-b91e-7a2b7371955c which can be used as unique global reference for TA2552 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA2722

TA2722 is a highly active threat actor that targets various industries including Shipping/Logistics, Manufacturing, Business Services, Pharmaceutical, and Energy. They primarily focus on organizations in North America, Europe, and Southeast Asia. This threat actor impersonates Philippine government entities and uses themes related to the government to gain remote access to target computers. Their objectives include information gathering, installing follow-on malware, and engaging in business email compromise activities.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular TA2722.

Known Synonyms
Balikbayan Foxes
Internal MISP references

UUID 625c3fb4-16fc-4992-9ff2-4fad869750ac which can be used as unique global reference for TA2722 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

TA2719

In late March 2020, Proofpoint researchers began tracking a new actor with a penchant for using NanoCore and later AsyncRAT, popular commodity remote access trojans (RATs). Dubbed TA2719 by Proofpoint, the actor uses localized lures with colorful images that impersonate local banks, law enforcement, and shipping services. Proofpoint has observed this actor send low volume campaigns to recipients in Austria, Chile, Greece, Hungary, Italy, North Macedonia, Netherlands, Spain, Sweden, Taiwan, United States, and Uruguay.

Internal MISP references

UUID 33bfb09d-c6f4-4403-b434-1d4d4733ec52 which can be used as unique global reference for TA2719 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Karkadann

Karkadann is a threat actor that has been active since at least October 2020, targeting government bodies and news outlets in the Middle East. They have been involved in watering hole attacks, compromising high-profile websites to inject malicious JavaScript code. The group has been linked to another commercial spyware company called Candiru, suggesting they may utilize multiple spyware technologies. There are similarities in the infrastructure and tactics used by Karkadann in their campaigns.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Karkadann.

Known Synonyms
Piwiks
Internal MISP references

UUID 8146ba06-cef2-4a94-b26e-1a4041e04c7d which can be used as unique global reference for Karkadann in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Tomiris

Tomiris is a threat actor that has been active since at least 2019. They primarily target government and diplomatic entities in the Commonwealth of Independent States region, with occasional victims in other regions being foreign representations of CIS countries. Tomiris uses a wide variety of malware implants, including downloaders, backdoors, and file stealers, developed in different programming languages. They employ various attack vectors such as spear-phishing, DNS hijacking, and exploitation of vulnerabilities. There are potential ties between Tomiris and Turla, but they are considered separate threat actors with distinct targeting and tradecraft by Kaspersky.

Internal MISP references

UUID 2f854548-1af0-4f55-acab-4f85ce9f162c which can be used as unique global reference for Tomiris in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ShaggyPanther

ShaggyPanther is a threat actor that primarily targets government entities in Taiwan and Malaysia. They have been active since 2008 and utilize hidden encrypted payloads in registry keys. Their activities have been detected in various locations, including Indonesia and Syria.

Internal MISP references

UUID 07791d89-64b6-46df-9f67-ccde8c2cbb20 which can be used as unique global reference for ShaggyPanther in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Fishing Elephant

Fishing Elephant is a threat actor that primarily targets victims in Bangladesh and Pakistan. They rely on consistent TTPs, including payload and communication patterns, while occasionally incorporating new techniques such as geo-fencing and hiding executables within certificate files. Their tool of choice is AresRAT, which they deliver through platforms like Heroku and Dropbox. Recently, they have shifted their focus to government and diplomatic entities in Turkey, Pakistan, Bangladesh, Ukraine, and China.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Fishing Elephant.

Known Synonyms
Outrider Tiger
Internal MISP references

UUID 0df34184-4ccf-4357-8e8e-e990058d2992 which can be used as unique global reference for Fishing Elephant in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']

RevengeHotels

RevengeHotels is a targeted cybercrime campaign that has been active since 2015, primarily targeting hotels, hostels, and tourism companies. The threat actor uses remote access Trojan malware to infiltrate hotel front desks and steal credit card data from guests and travelers. The campaign has impacted hotels in multiple countries, including Brazil, Argentina, Chile, and Mexico. The threat actor employs social engineering techniques and sells credentials from infected systems to other cybercriminals for remote access.

Internal MISP references

UUID 083acee6-6969-4c74-80c2-5d442936aa97 which can be used as unique global reference for RevengeHotels in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

GhostEmperor

GhostEmperor is a Chinese-speaking threat actor that targets government entities and telecom companies in Southeast Asia. They employ a Windows kernel-mode rootkit called Demodex to gain remote control over their targeted servers. The actor demonstrates a high level of sophistication and uses various anti-forensic and anti-analysis techniques to evade detection. They have been active for a significant period of time and continue to pose a threat to their targets.

Internal MISP references

UUID 3c3ca8f3-c6ab-4c5d-9bd0-be6677d6cdeb which can be used as unique global reference for GhostEmperor in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Operation Triangulation

Operation Triangulation is an ongoing APT campaign targeting iOS devices with zero-click iMessage exploits. The threat actor behind the campaign has been active since at least 2019 and continues to operate. The attack chain involves the delivery of a malicious iMessage attachment that launches a series of exploits, ultimately leading to the deployment of the TriangleDB implant. Kaspersky researchers have discovered and reported multiple vulnerabilities used in the campaign, with patches released by Apple.

Internal MISP references

UUID 220001c6-c976-4cad-a356-4d8c2dd2b1c1 which can be used as unique global reference for Operation Triangulation in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Ghoul

Operation Ghoul is a profit-driven threat actor that targeted over 130 organizations in 30 countries, primarily in the industrial and engineering sectors. They employed high-quality social engineering techniques, such as spear-phishing emails disguised as payment advice from a UAE bank, to distribute malware. The group's main motivation is financial gain through the sale of stolen intellectual property and business intelligence, as well as attacks on banking accounts. Their attacks were effective, particularly against companies that were unprepared to detect them.

Internal MISP references

UUID 624cc006-1131-4e53-a53c-3958cfbe233f which can be used as unique global reference for Operation Ghoul in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

CardinalLizard

CardinalLizard, a cyber threat actor linked to China, has targeted entities in Asia since 2018. Their methods include spear-phishing, custom malware with anti-detection features, and potentially shared infrastructure with other actors.

Internal MISP references

UUID 97f40858-1582-4a59-a990-866813982830 which can be used as unique global reference for CardinalLizard in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Ferocious Kitten

Ferocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar until a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. Kaspersky then expanded some of the findings on the group and provided insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victims machine. Kaspersky were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point.

Internal MISP references

UUID f34962a4-a792-4f23-af23-a8bf0f053fcf which can be used as unique global reference for Ferocious Kitten in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Operation Red Signature

The threat actors compromised the update server of a remote support solutions provider to deliver a remote access tool called 9002 RAT to their targets of interest through the update process. They carried this out by first stealing the company’s certificate then using it to sign the malware. They also configured the update server to only deliver malicious files if the client is located in the range of IP addresses of their target organisations.

Internal MISP references

UUID 3e9b98d9-0c61-4050-bafa-486622de0080 which can be used as unique global reference for Operation Red Signature in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Earth Yako

Earth Yako is a threat actor that has been actively targeting researchers in academic organizations and think tanks in Japan. They use spearphishing emails with malicious attachments to gain initial access to their targets' systems. Earth Yako's objectives and patterns suggest a possible connection to a Chinese APT group, but conclusive proof of their nationality is lacking. They have been observed using various malware delivery methods and techniques, such as the use of Winword.exe for DLL Hijacking.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Yako.

Known Synonyms
Enelink
Operation RestyLink
Internal MISP references

UUID 2875aff1-2a0f-4e82-ae42-607a3a74d129 which can be used as unique global reference for Earth Yako in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Urpage

What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats. Trend Micro covered the Delphi component in the context of the Confucius and Patchwork connection. They mentioned Urpage as a third unnamed threat actor connected to the two.

Internal MISP references

UUID 4e137d53-b9cf-4b9a-88c2-f29dd27ac302 which can be used as unique global reference for Urpage in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Operation Emmental

Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. They have also been observed using phishing emails to spread their malware. The group is believed to be Russian-speaking and has continuously improved their malicious codes over the years.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Operation Emmental.

Known Synonyms
Retefe Gang
Retefe Group
Internal MISP references

UUID a1527821-fe84-44ec-ad29-8d3040463bc9 which can be used as unique global reference for Operation Emmental in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RU

TA2725

TA2725 is a threat actor that has been tracked since March 2022. They primarily target organizations in Brazil and Mexico using Brazilian banking malware and phishing techniques. Recently, they have expanded their operations to also target victims in Spain and Mexico simultaneously. TA2725 typically uses GoDaddy virtual hosting for their URL redirector and hosts malicious files on legitimate cloud hosting providers like Amazon AWS, Google Cloud, or Microsoft Azure. They have been known to spoof legitimate companies, such as ÉSECÈ Group, to deceive their victims.

Internal MISP references

UUID 1697dace-fe21-452c-acee-bef62fc5e386 which can be used as unique global reference for TA2725 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Blackatom

Recent campaigns suggest Hamas-linked actors may be advancing their TTPs to include intricate social engineering lures specially crafted to appeal to a niche group of high value targets. In September 2023, a Palestine-based group likely linked to Hamas targeted Israeli software engineers using an elaborate social engineering ruse that ultimately installed malware and stole cookies. The attackers, which Google’s Threat Analysis Group (TAG) tracks as BLACKATOM, posed as employees of legitimate companies and reached out via LinkedIn to invite targets to apply for software development freelance opportunities. Targets included software engineers in the Israeli military, as well as Israel’s aerospace and defense industry

Internal MISP references

UUID 264687b8-82f4-43b5-b7bb-dc3e0b9246bc which can be used as unique global reference for Blackatom in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Palestine
cfr-suspected-victims ['Israel']
cfr-target-category ['Military', 'Defense', 'Transportation']
cfr-type-of-incident Espionage
country PS

BANISHED KITTEN

BANISHED KITTEN is an Iranian state-nexus adversary active since at least 2008. While the adversary’s most prominent activity is the July and September 2022 disruptive attacks targeting Albanian government infrastructure and the use of the HomelandJustice persona to leak stolen data, BANISHED KITTEN has likely targeted dissidents using the AllinOneNeo malware family.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular BANISHED KITTEN.

Known Synonyms
DUNE
Storm-0842
Internal MISP references

UUID 3682a08e-c1d9-4dff-ae08-774883dddba6 which can be used as unique global reference for BANISHED KITTEN in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
attribution-confidence 50
cfr-suspected-state-sponsor Iran (Islamic Republic of)
cfr-suspected-victims ['United States', 'Israel', 'Middle East', 'Europe']
cfr-target-category ['Government', 'Healthcare', 'Pharmaceuticals', 'High-Tech', 'Telecomms', 'Education', 'Media', 'NGOs', 'Civil Society']
cfr-type-of-incident ['Espionage', 'Information Operations', 'Sabotage']
country IR

ProCC

ProCC is a threat actor targeting the hospitality sector with remote access Trojan malware. They use email attachments to exploit vulnerabilities like CVE-2017-0199 and deploy customized versions of RATs such as RevengeRAT, NjRAT, NanoCoreRAT, and 888 RAT. ProCC's malware is capable of collecting data from the clipboard and printer spooler, as well as capturing screenshots on infected machines.

Internal MISP references

UUID c74f78d1-3728-4bb9-b84f-0e46d2e870b2 which can be used as unique global reference for ProCC in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ResumeLooters

Since the beginning of 2023, ResumeLooters have been able to compromise at least 65 websites. The group employs a variety of simple techniques, including SQL injection and XSS. The threat actor attempted to insert XSS scripts into all available forms, aiming to execute it on the administrators’ device to obtain admin credentials. While the group was able to execute the XSS script on some visitors’ devices with administrative access, allowing ResumeLooters to steal the HTML code of the pages the victims were visiting, Group-IB did not find any confirmation of admin credential thefts.

Internal MISP references

UUID 76dbe26b-8b39-40f5-bc2b-9620004f388e which can be used as unique global reference for ResumeLooters in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

ShadowSyndicate

ShadowSyndicate is a threat actor associated with various ransomware groups, using a consistent Secure Shell fingerprint across multiple servers. They have been linked to ransomware families such as Quantum, Nokoyawa, and ALPHV. ShadowSyndicate's infrastructure overlaps with that of Cl0p, suggesting potential connections between the two groups. Their activities indicate they may be a Ransomware-as-a-Service affiliate.

Internal MISP references

UUID 24a7e1eb-b7c7-486b-96b2-8d313d65bf70 which can be used as unique global reference for ShadowSyndicate in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

LabHost

LabHost is a threat actor group targeting Canadian Banks with Phishing-as-a-Service attacks. They have been observed using tools like LabRat and LabSend for real-time campaign management and SMS lures. LabHost's phishing campaigns have similarities to Frappo campaigns, but they operate separately and offer different subscription packages.

Internal MISP references

UUID 583cdea6-1d72-44d4-824f-f965e8a23f3e which can be used as unique global reference for LabHost in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cyber.Anarchy.Squad

Cyber Anarchy Squad is a pro-Ukrainian hacktivist group known for targeting Russian companies and infrastructure. They have carried out cyberattacks on Russian telecom providers, financial institutions, and government agencies, causing disruptions to services and leaking stolen data. The group has used techniques such as wiping network equipment, defacing websites, and leaking sensitive documents to support their cause. Cyber Anarchy Squad has been active for at least four years, evolving from cyber-bullying to more sophisticated hacking activities.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Cyber.Anarchy.Squad.

Known Synonyms
Cyber Anarchy Squad
Internal MISP references

UUID 264d9a4b-9b0b-416f-9b09-819e96967a30 which can be used as unique global reference for Cyber.Anarchy.Squad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country UA

GoldFactory

GoldFactory is a threat actor group attributed to developing sophisticated mobile banking malware targeting victims primarily in the Asia-Pacific region, specifically Vietnam and Thailand. They utilize social engineering to deliver malware to victims' devices and have close connections to the Gigabud malware family. GoldFactory's Trojans, such as GoldPickaxe and GoldDigger, employ tactics like smishing, phishing, and fake login screens to compromise victims' phones and steal sensitive information. Their evolving malware suite demonstrates a high level of operational maturity and ingenuity, requiring a proactive and multi-faceted cybersecurity approach to detect and mitigate their threats.

Internal MISP references

UUID 74268518-8dd9-4223-9f7f-54421463cdb3 which can be used as unique global reference for GoldFactory in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

SPIKEDWINE

SPIKEDWINE is a threat actor targeting European officials with a new backdoor called WINELOADER. They use a bait PDF document posing as an invitation letter from the Ambassador of India to lure diplomats. The attack is characterized by advanced tactics, techniques, and procedures in the malware and command and control infrastructure. The motivation behind the attacks seems to be exploiting the geopolitical relations between India and European nations.

Internal MISP references

UUID d3cda6b1-a5da-4afc-bee4-80ea2cf05e5e which can be used as unique global reference for SPIKEDWINE in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UAC-0184

UAC-0184 is a threat actor targeting Ukrainian organizations in Finland, using the Remcos Remote Access Trojan in their attacks. They have been observed utilizing steganographic image files and the IDAT Loader to deliver the malware. The group has targeted the Armed Forces of Ukraine and impersonated military recruitment processes to infect systems with the Remcos RAT.

Internal MISP references

UUID 0e3224a0-3544-47d7-b1ce-fb3eb21286ad which can be used as unique global reference for UAC-0184 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC1549

UNC1549 is an Iranian threat actor linked to Tortoiseshell and potentially the IRGC. They have been active since at least June 2022, targeting entities worldwide with a focus on the Middle East. UNC1549 uses spear-phishing and credential harvesting for initial access, deploying custom malware like MINIBIKE and MINIBUS backdoors. They have also been observed using evasion techniques and a tunneler named LIGHTRAIL in their operations.

Internal MISP references

UUID a2a7d49f-f517-4eeb-9ec8-b9b74e3fe756 which can be used as unique global reference for UNC1549 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Mogilevich

Mogilevich is a ransomware group known for claiming to breach organizations like Epic Games and Ireland's Department of Foreign Affairs, offering stolen data for sale without providing proof of the attacks. They operate as an extortion group, targeting high-profile victims and demanding payment for the data they claim to have stolen. Despite their claims, security researchers have noted that Mogilevich's tactics and website design suggest they may not be a sophisticated threat actor.

Internal MISP references

UUID 95634994-9604-4fe6-9462-f472c2d82271 which can be used as unique global reference for Mogilevich in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

R00tK1T

R00TK1T is a hacking group known for sophisticated cyber attacks targeting governmental agencies in Malaysia, including data exfiltration from the National Population and Family Development Board. The group has publicized their successful attacks on social media, showcasing stolen data. R00TK1T has also targeted Malaysian telecom providers, defacing portals and potentially breaching user data.

Internal MISP references

UUID 69a944ef-4962-432e-a1b9-575b646ee2ed which can be used as unique global reference for R00tK1T in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IL

UNC5325

UNC5325 is a suspected Chinese cyber espionage operator that exploited CVE-2024-21893 to compromise Ivanti Connect Secure appliances. UNC5325 leveraged code from open-source projects, installed custom malware, and modified the appliance's settings in order to evade detection and attempt to maintain persistence. UNC5325 has been observed deploying LITTLELAMB.WOOLTEA, PITSTOP, PITDOG, PITJET, and PITHOOK. Mandiant identified TTPs and malware code overlaps in LITTLELAMB.WOOLTEA and PITHOOK with malware leveraged by UNC3886. Mandiant assesses with moderate confidence that UNC5325 is associated with UNC3886.

Internal MISP references

UUID ffb28c09-16a6-483a-817a-89c89751c9d4 which can be used as unique global reference for UNC5325 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Earth Kapre

Earth Kapre is an APT group specializing in cyberespionage. They target organizations in various countries through phishing campaigns using malicious attachments to infect machines. Earth Kapre employs techniques like abusing PowerShell, curl, and Program Compatibility Assistant to execute malicious commands and evade detection within targeted networks. The group has been active since at least 2018 and has been linked to multiple incidents involving data theft and espionage.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular Earth Kapre.

Known Synonyms
Red Wolf
RedCurl
Internal MISP references

UUID d4004926-bf12-4cfe-b141-563c8ffb304a which can be used as unique global reference for Earth Kapre in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Earth Krahang

Earth Krahang is an APT group targeting government organizations worldwide. They use spear-phishing emails, weak internet-facing servers, and custom backdoors like Cobalt Strike, RESHELL, and XDealer to conduct cyber espionage. The group creates VPN servers on infected systems, employs brute force attacks on email accounts, and exploits compromised government infrastructure to attack other governments. Earth Krahang has been linked to another China-linked actor, Earth Lusca, and is believed to be part of a specialized task force for cyber espionage against government institutions.

Internal MISP references

UUID 8cfc9653-51bc-40f1-a267-78a1b8c763f6 which can be used as unique global reference for Earth Krahang in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

Mirage Tiger

Internal MISP references

UUID da89d534-5be8-414b-832c-3e9d0d66b4e0 which can be used as unique global reference for Mirage Tiger in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Germany']

SilitNetwork

SilitNetwork is a hacking group known for targeting high-profile entities, such as airlines, for various motives. They utilize sophisticated tactics to breach their targets, potentially including social engineering and exploiting software vulnerabilities. The group's attack on RwandAir highlighted the vulnerability of the aviation industry and the need for robust cybersecurity measures.

Internal MISP references

UUID a0b92be9-7b62-47df-a2e8-16211c864599 which can be used as unique global reference for SilitNetwork in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Edalat-e Ali

Edalat-e Ali is a hacktivist group known for disrupting Iranian state-run TV and radio transmissions during significant events, such as the Revolution Day ceremonies. They have also targeted government facilities, releasing security camera footage to expose abuses and draw attention to human rights violations. The group has used their hacks to call for protests against the Iranian regime and have displayed anti-government messages during their disruptions. Edalat-e Ali has been active in releasing sensitive information and footage to embarrass Iranian officials and highlight injustices within the country.

Internal MISP references

UUID 1759f8f2-e6ef-4683-a9e4-44984b9deaba which can be used as unique global reference for Edalat-e Ali in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country IR

Saad Tycoon

Saad Tycoon is the operator and alleged developer of the Tycoon 2FA PhaaS, a phishing service that targets users for financial gain. The actor utilizes Bitcoin transactions to generate significant profits from the fraudulent service. The phishing infrastructure includes domain registration, server hosting, and possibly Cloudflare protection.

Internal MISP references

UUID d9709373-7a3a-4905-8c90-ba74237e77ea which can be used as unique global reference for Saad Tycoon in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UNC5174

UNC5174, a Chinese state-sponsored threat actor, has been identified by Mandiant for exploiting critical vulnerabilities in F5 BIG-IP and ScreenConnect. They have been linked to targeting research and education institutions, businesses, charities, NGOs, and government organizations in Southeast Asia, the U.S., and the UK. UNC5174 is believed to have connections to China's Ministry of State Security and has been observed using custom tooling and the SUPERSHELL framework in their operations. The actor has shown indications of transitioning from hacktivist collectives to working as a contractor for Chinese intelligence agencies.

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC5174.

Known Synonyms
Uteus
Internal MISP references

UUID 0b158297-ee47-48ef-9346-0cb0f9cb348a which can be used as unique global reference for UNC5174 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

CyberNiggers

CyberNiggers is a threat group known for breaching various organizations, including the US military, federal contractors, and multinational corporations like General Electric. Led by the prominent member IntelBroker, they specialize in selling access to compromised systems and stealing sensitive data, such as military files and personally identifiable information. The group has targeted a diverse portfolio of organizations, showcasing their strategic approach to gathering varied sets of information. Their activities raise concerns about national security, individual privacy, and the need for robust cybersecurity measures to mitigate the impact of cyber adversaries.

Internal MISP references

UUID 21ad5aad-0a55-457d-b94d-3b4565e82e0a which can be used as unique global reference for CyberNiggers in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Bignosa

Bignosa is a threat actor known for launching malware campaigns targeting Australian and US organizations using phishing emails with disguised Agent Tesla attachments protected by Cassandra Protector. They compromised servers by installing Plesk and RoundCube, connected via SSH and RDP, and used advanced obfuscation methods to evade detection. Bignosa collaborated with another cybercriminal named Gods, who provided advice and assistance in their malicious activities. The actor has been linked to multiple phishing attacks and malware distribution campaigns, showcasing a high level of sophistication in their operations.

Internal MISP references

UUID 07232925-bd1b-49a9-adca-46536ff6fdd8 which can be used as unique global reference for Bignosa in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country KE

Smishing Triad

The Smishing Triad is a Chinese-speaking threat group known for targeting postal services and their customers globally through smishing campaigns. They leverage compromised Apple iMessage accounts to send fraudulent messages warning of undeliverable packages, aiming to collect personally identifying information and payment credentials. The group offers smishing kits for sale on platforms like Telegram, enabling other cybercriminals to launch independent attacks. "Smishing Triad" has expanded its operations to target UAE citizens, using geo-filtering to focus on victims in the Emirates.

Internal MISP references

UUID 85db04b5-1ec2-4e25-908a-f53576bd175a which can be used as unique global reference for Smishing Triad in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

BlackJack

Blackjack, a threat actor linked to Ukraine's security apparatus, has targeted critical Russian entities such as ISPs, utilities, and military infrastructure. They have claimed responsibility for launching cyberattacks resulting in substantial damage and data exfiltration. The group allegedly used the Fuxnet malware to target sensor gateways connected to internet-connected sensors, impacting infrastructure monitoring systems. Blackjack has also been involved in attacks against companies like Moscollector, causing disruptions and stealing sensitive data.

Internal MISP references

UUID a5aa9b72-2bfb-427c-97fc-6ec04357233b which can be used as unique global reference for BlackJack in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country UA

CoralRaider

CoralRaider is a financially motivated threat actor of Vietnamese origin, targeting victims in Asian and Southeast Asian countries since at least 2023. They use the RotBot loader family and XClient stealer to steal victim information, with hardcoded Vietnamese words in their payloads. CoralRaider operates from Hanoi, Vietnam, and uses a Telegram bot as a C2 channel for their malicious campaigns. Their activities include system reconnaissance, data exfiltration, and targeting victims in multiple countries in the region.

Internal MISP references

UUID 20927a3f-d011-4e22-8268-0938d6816a13 which can be used as unique global reference for CoralRaider in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country VN

RUBYCARP

RUBYCARP is a financially-motivated threat actor group likely based in Romania, with a history of at least 10 years of activity. They operate a botnet using public exploits and brute force attacks, communicating via public and private IRC networks. RUBYCARP targets vulnerabilities in frameworks like Laravel and WordPress, as well as conducting phishing operations to steal financial assets. They use a variety of tools, including the Perl Shellbot, for post-exploitation activities and have a diverse set of illicit income streams.

Internal MISP references

UUID 2742b229-02f4-40d0-9b99-91844a2b030e which can be used as unique global reference for RUBYCARP in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country RO

Starry Addax

Starry Addax is a threat actor targeting human rights activists associated with the Sahrawi Arab Democratic Republic using a novel mobile malware called FlexStarling. They conduct phishing attacks to trick targets into installing malicious Android applications and serve credential-harvesting pages to Windows-based targets. Their infrastructure targets both Windows and Android users, with the campaign starting with spear-phishing emails containing requests to install specific mobile apps or related themes. The campaign is in its early stages, with potential for additional malware variants and infrastructure development.

Internal MISP references

UUID 579fde0d-0840-4e49-ad62-405ce338f5a6 which can be used as unique global reference for Starry Addax in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

Cyber Army of Russia Reborn

Internal MISP references

UUID e496af6a-1f1b-47fd-b908-fc369e32ffba which can be used as unique global reference for Cyber Army of Russia Reborn in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

People's Cyber Army of Russia

Internal MISP references

UUID ceee219c-8af2-4cea-8382-6ef6c311eac8 which can be used as unique global reference for People's Cyber Army of Russia in MISP communities and other software using the MISP galaxy

Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

RGB-TEAM

RGB-TEAM is a previously unknown Russian-speaking threat actor. They describe themselves as “a community of anonymous hacktivists fighting for freedom.” The group stated that it doesn’t have enemies in the U.S., Europe, “in the East, or in the West.”

Internal MISP references

UUID 9b670978-f346-48dc-a292-7ae05b6f90a0 which can be used as unique global reference for RGB-TEAM in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
cfr-suspected-victims ['Russia']

UNC5266

Mandiant created UNC5266 to track post-disclosure exploitation leading to deployment of Bishop Fox's SLIVER implant framework, a WARPWIRE variant, and a new malware family that Mandiant has named TERRIBLETEA. At this time, based on observed infrastructure usage similarities, Mandiant suspects with moderate confidence that UNC5266 overlaps in part with UNC3569, a China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.

Internal MISP references

UUID 083a637b-c58c-4ccb-ab59-81d783873e80 which can be used as unique global reference for UNC5266 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

UNC5330

UNC5330 is a suspected China-nexus espionage actor. UNC5330 has been observed chaining CVE-2024-21893 and CVE-2024-21887 to compromise Ivanti Connect Secure VPN appliances as early as Feb. 2024. Post-compromise activity by UNC5330 includes deployment of PHANTOMNET and TONERJAM. UNC5330 has employed Windows Management Instrumentation (WMI) to perform reconnaissance, move laterally, manipulate registry entries, and establish persistence. Mandiant observed UNC5330 operating a server since Dec. 6, 2021, which the group used as a GOST proxy to help facilitate malicious tool deployment to endpoints. The default certificate for GOST proxy was observed from Sept. 1, 2022 through Jan. 1, 2024. UNC5330 also attempted to download Fast Reverse Proxy (FRP) from this server on Feb. 3, 2024, from a compromised Ivanti Connect Secure device. Given the SSH key reuse in conjunction with the temporal proximity of these events, Mandiant assesses with moderate confidence UNC5330 has been operating through this server since at least 2021.

Internal MISP references

UUID c5ea778c-df2f-4c63-b401-dded9cb2419c which can be used as unique global reference for UNC5330 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN
Related clusters

To see the related clusters, click here.

UNC5337

UNC5337 is a suspected China-nexus espionage actor that compromised Ivanti Connect Secure VPN appliances as early as Jan. 2024. UNC5337 is suspected to exploit CVE-2023-46805 (authentication bypass) and CVE-2024-21887 (command injection) for infecting Ivanti Connect Secure appliances. UNC5337 leveraged multiple custom malware families including the SPAWNSNAIL passive backdoor, SPAWNMOLE tunneler, SPAWNANT installer, and SPAWNSLOTH log tampering utility. Mandiant suspects with medium confidence that UNC5337 is UNC5221.

Internal MISP references

UUID 6fcf8d1f-2e68-4982-a579-2ca5595e4990 which can be used as unique global reference for UNC5337 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN
Related clusters

To see the related clusters, click here.

UNC5291

UNC5291 is a cluster of targeted probing activity that we assess with moderate confidence is associated with UNC3236, also known publicly as Volt Typhoon. Activity for this cluster started in December 2023 focusing on Citrix Netscaler ADC and then shifted to focus on Ivanti Connect Secure devices after details were made public in mid-Jan. 2024. Probing has been observed against the academic, energy, defense, and health sectors, which aligns with past Volt Typhoon interest in critical infrastructure. In Feb. 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released an advisory warning that Volt Typhoon was targeting critical infrastructure and was potentially interested in Ivanti Connect Secure devices for initial access.

Internal MISP references

UUID b2535333-629d-4cd6-a98b-14c86f6a57ee which can be used as unique global reference for UNC5291 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

UNC3569

China-nexus espionage actor that has been observed exploiting vulnerabilities in Aspera Faspex, Microsoft Exchange, and Oracle Web Applications Desktop Integrator, among others, to gain initial access to target environments.

Internal MISP references

UUID dd0063e0-2d44-4798-9e6d-ef0eaa2c2508 which can be used as unique global reference for UNC3569 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
country CN

UNC3236

Synonyms

"synonyms" in the meta part typically refer to alternate names or labels that are associated with a particular UNC3236.

Known Synonyms
Volt Typhoon
Internal MISP references

UUID 97c6d972-a3af-4a21-94a2-0f5e09c7320e which can be used as unique global reference for UNC3236 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value
Related clusters

To see the related clusters, click here.

GhostR

Ghostr is a financially motivated threat actor known for stealing a confidential database containing 5.3 million records from the World-Check and leaking about 186GB of data from a stock trading platform. They have been active on Breachforums.is, revealing massive data breaches involving comprehensive details of Thai users, including full names, phone numbers, email addresses, and ID card numbers.

Internal MISP references

UUID 0e4ed0ab-87e2-4588-8fc0-3d720e0efebd which can be used as unique global reference for GhostR in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UTA0218

UTA0218 is a threat actor with advanced capabilities, targeting organizations to establish a reverse shell, acquire tools, and extract data. They exploit vulnerabilities in firewall devices to move laterally within victim networks, focusing on obtaining domain backup keys and active directory credentials. The actor deploys a custom Python backdoor named UPSTYLE to execute commands and download additional tools. UTA0218 is likely state-backed, utilizing a mix of infrastructure including VPNs and compromised routers to store malicious files.

Internal MISP references

UUID ee8b8fc4-59f4-4442-a4e6-3686d09c6509 which can be used as unique global reference for UTA0218 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value

UAC-0149

UAC-0149 is a threat actor targeting the Armed Forces of Ukraine with COOKBOX malware. They use obfuscation techniques like character encoding and base64 encoding to evade detection. The group leverages dynamic DNS services and Cloudflare Workers for their C2 infrastructure.

Internal MISP references

UUID f5f6d4eb-1ec3-494e-807d-5b767122f9b2 which can be used as unique global reference for UAC-0149 in MISP communities and other software using the MISP galaxy

External references
Associated metadata
Metadata key Value