Skip to content

Hide Navigation Hide TOC

DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d)

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crews most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'

Cluster A Galaxy A Cluster B Galaxy B Level
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548) Microsoft Activity Group actor 1
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 1
DarkHotel (b8c8b96d-61e6-47b1-8e38-fd8ad5d9854d) Threat Actor DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a) Microsoft Activity Group actor 1
Zigzag Hail (0a4ddab3-a1a6-5372-b11f-5edc25c0e548) Microsoft Activity Group actor Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 2
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors 2
Darkhotel - APT-C-06 (f52ab8b8-71f2-5a88-946f-853dc3441efe) 360.net Threat Actors DUBNIUM (b56af6ab-69f8-457a-bf50-c3aefa6dc14a) Microsoft Activity Group actor 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern 3
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Taint Shared Content - T1080 (246fd3c7-f5e3-466d-8787-4c13d9e3b61c) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Darkhotel - G0012 (9e729a7e-0dd6-4097-95bf-db8d64911383) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
User Activity Based Checks - T1497.002 (91541e7e-b969-40c6-bbd8-1b5352ec2938) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4