{"type":"bundle","id":"bundle--5ae4feab-9500-57ba-b09f-27e62daec1f7","objects":[{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--e777a4ae-d347-5782-bea8-487eb688a10f","created":"2022-03-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"8Base","description":"Russian-speaking ransomware-as-a-service operation that emerged in 2022 as a Phobos affiliate, deploying a modified Phobos encryptor with double-extortion tactics. Targeted small and medium-sized businesses across finance, manufacturing, business services, and IT — over 1,000 victims claimed and an estimated $16M extracted. Disrupted on 10 February 2025 by **Operation Phobos Aetor**, a multi-jurisdiction action coordinated by the U.K. NCA, FBI, Europol, and police agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand. Four Europeans were arrested in Phuket; Russian nationals Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39) were named as the operators of the 8Base / Affiliate 2803 RaaS organisation.","first_seen":"2022-03-01T00:00:00.000Z","aliases":["Affiliate 2803"],"last_seen":"2025-02-10T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["manufacturing","professional services","financial","healthcare","technology"],"x_threatintel_target_countries":["US","GB","BR","CH","FR","DE"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1133"]},{"type":"report","spec_version":"2.1","id":"report--c47105f7-0f5e-5fa3-8dfe-f0dc4d74fae3","created":"2025-02-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Operation Phobos Aetor takes down 8Base; Russian operators arrested in Phuket","description":"International operation coordinated by the U.K. NCA, FBI, Europol, and police agencies from Bavaria, Belgium, Czechia, France, Germany, Japan, Romania, Spain, Switzerland, and Thailand seized 8Base's leak site and negotiation infrastructure. Four European nationals (two men, two women) were arrested in Phuket; Russian nationals Roman Berezhnoy (33) and Egor Nikolaevich Glebov (39) were named as the operators of 8Base / Affiliate 2803. Japan's NPA subsequently released a free decryptor for 8Base / Phobos victims. The action was the largest multi-jurisdiction Phobos-affiliate takedown to date, ending an operation that had claimed 1,000+ victims and an estimated $16M in extortion proceeds.","published":"2025-02-10T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--e777a4ae-d347-5782-bea8-487eb688a10f"],"external_references":[{"source_name":"Europol","url":"https://www.europol.europa.eu/media-press/newsroom/news/key-figures-behind-phobos-and-8base-ransomware-arrested-in-international-cybercrime-crackdown"}],"labels":["takedown","ransomware","europol","decryptor-released"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--76ea5384-6451-5787-9944-5ea61d55bf36","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0 (Phobos)","description":"8Base ransom note dropped after Phobos-based encryption in the campaigns documented by VMware Carbon Black researchers.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '5ba74a5693f4810a8eb9b9eeb1d69d943cf5bbc46f319a32802c23c7654194b0']","pattern_type":"stix","valid_from":"2023-06-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"VMware Carbon Black","url":"https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6089e79b-01ea-5018-859d-af40ec9e9183","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--76ea5384-6451-5787-9944-5ea61d55bf36","target_ref":"intrusion-set--e777a4ae-d347-5782-bea8-487eb688a10f"},{"type":"indicator","spec_version":"2.1","id":"indicator--57819497-358c-5aef-84ea-caa14400e09c","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c (Phobos)","description":"Phobos-derived 8Base ransomware payload analyzed by VMware Carbon Black in the June 2023 spike of double-extortion intrusions. Loaded via SmokeLoader with SystemBC for C2.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '518544e56e8ccee401ffa1b0a01a10ce23e49ec21ec441c6c7c3951b01c1b19c']","pattern_type":"stix","valid_from":"2023-06-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"VMware Carbon Black","url":"https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--3f90c259-dfaf-5a9b-9be0-91f890a77987","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--57819497-358c-5aef-84ea-caa14400e09c","target_ref":"intrusion-set--e777a4ae-d347-5782-bea8-487eb688a10f"},{"type":"indicator","spec_version":"2.1","id":"indicator--0570733c-08b3-5bae-b0de-0af9efc72957","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN admlogs25.xyz (SystemBC)","description":"SystemBC C2 / staging domain in the 8Base infrastructure cluster (admlogs25, admhexlogs25, admlog2, serverlogs37, dnm777, dexblog, blogstat355, blogstatserv25, wlaexfpxrs) listed by VMware Carbon Black.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'admlogs25.xyz']","pattern_type":"stix","valid_from":"2023-06-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"VMware Carbon Black","url":"https://blogs.vmware.com/security/2023/06/8base-ransomware-a-heavy-hitting-player.html"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--53401c41-8baa-58f7-8cb8-619d5cb60261","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--0570733c-08b3-5bae-b0de-0af9efc72957","target_ref":"intrusion-set--e777a4ae-d347-5782-bea8-487eb688a10f"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40","created":"2023-03-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Akira","description":"Ransomware-as-a-service operation active since March 2023, characterized by an unusually retro 1980s-terminal-styled leak site. CISA estimated $42M+ in extracted ransoms across 250+ organizations within the first year. Notable for targeting Cisco ASA/FTD VPN appliances lacking MFA as the initial-access vector, and for deploying Linux/ESXi variants against virtualized infrastructure to maximize impact.","first_seen":"2023-03-01T00:00:00.000Z","aliases":["Howling Scorpius"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["manufacturing","professional services","education","healthcare"],"x_threatintel_target_countries":["US","GB","CA","AU","DE"],"x_threatintel_attack_techniques":["T1133","T1486","T1490","T1567.002"]},{"type":"report","spec_version":"2.1","id":"report--67e38983-a14e-5349-829b-b9a3b793749f","created":"2025-11-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Updated joint advisory: Akira tied to ~$244M in proceeds, now hitting Nutanix AHV","description":"The 13 Nov 2025 update to AA24-109A — co-signed by FBI, CISA, DC3, HHS, Europol EC3, French OFAC, German LKA Baden-Württemberg, and NCSC-NL — reports that Akira has claimed approximately $244.17M (USD) in ransom proceeds as of late September 2025 and, in a June 2025 incident, encrypted Nutanix AHV virtual-machine disk files for the first time, abusing SonicWall CVE-2024-40766 for initial access.","published":"2025-11-13T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}],"labels":["advisory","stopransomware","nutanix","sonicwall","cve-2024-40766"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--ab783b1b-ba4e-5671-b61b-050b38fad74a","created":"2024-04-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FBI, CISA, Europol, NCSC-NL issue joint #StopRansomware advisory on Akira","description":"FBI, CISA, the Europol European Cybercrime Centre, and the Netherlands' National Cyber Security Centre published the first joint #StopRansomware advisory on Akira (AA24-109A), detailing initial-access TTPs against Cisco VPN appliances without MFA (CVE-2020-3259, CVE-2023-20269), Megazord and Akira_v2 tradecraft, and a multi-page IOC table covering encryptor hashes and supporting tooling.","published":"2024-04-18T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}],"labels":["advisory","stopransomware","cisco-vpn"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--043d4d60-4959-58f1-a293-db3d648485d2","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Akira begins deploying Rust-based 'Megazord' encryptor","description":"Beginning in August 2023, Akira intrusions started deploying a secondary encryptor written in Rust and tracked as Megazord, which appends a .powerranges extension. Akira affiliates have continued to use the original C++ Akira encryptor, Megazord, and Akira_v2 interchangeably across campaigns.","published":"2023-08-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}],"labels":["ransomware","rust","megazord"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--8b5684ef-9475-5465-ad87-5c1a4bfb1e88","created":"2023-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Akira deploys Linux variant targeting VMware ESXi","description":"Within a month of emergence, Akira threat actors deployed a Linux variant targeting VMware ESXi virtual machines, allowing the operation to encrypt entire virtualisation estates from a single foothold. The pivot to ESXi is documented in the joint FBI/CISA #StopRansomware advisory AA24-109A.","published":"2023-04-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}],"labels":["ransomware","esxi","linux"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--a0e63e7e-350c-58c5-92e3-577169027e0e","created":"2023-03-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Akira ransomware operation emerges, targeting Windows environments","description":"Akira ransomware activity first observed in March 2023, initially targeting Windows systems with a C++ encryptor that appends a .akira extension. Akira operates as a double-extortion crew and is tracked by industry as Storm-1567, Howling Scorpius, Punk Spider, and Gold Sahara, with code overlap suggesting links to the defunct Conti operation.","published":"2023-03-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"],"external_references":[{"source_name":"MITRE ATT&CK","url":"https://attack.mitre.org/groups/G1024/"}],"labels":["ransomware","double-extortion","conti-lineage"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--b13d5412-532f-5b77-8591-365fe9c41c2a","created":"2024-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75 (Akira_v2)","description":"SHA-256 of Akira_v2, a Rust-based variant of the Akira ransomware that targets VMware ESXi servers. Published in Table 2 of CISA AA24-109A.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '3298d203c2acb68c474e5fdad8379181890b4403d6491c523c13730129be3f75']","pattern_type":"stix","valid_from":"2024-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--8f460296-4d97-5a77-bdc4-4c05cfaf1177","created":"2024-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--b13d5412-532f-5b77-8591-365fe9c41c2a","target_ref":"intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"},{"type":"indicator","spec_version":"2.1","id":"indicator--9e2f223a-7382-549b-bb26-9c6528a9d2e9","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065 (Megazord)","description":"SHA-256 of the Megazord encryptor — the Rust-based Akira variant that appends a `.powerranges` extension. Listed in the Megazord row of Table 2 of CISA AA24-109A.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '9585af44c3ff8fd921c713680b0c2b3bbc9d56add848ed62164f7c9b9f23d065']","pattern_type":"stix","valid_from":"2023-08-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--3d29b024-c35f-5797-889e-25024f93008a","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--9e2f223a-7382-549b-bb26-9c6528a9d2e9","target_ref":"intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"},{"type":"indicator","spec_version":"2.1","id":"indicator--d7208cf1-5784-531c-8ce8-a37dae2bd953","created":"2023-03-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 d2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca (Akira)","description":"SHA-256 of the Akira ransomware encryptor `w.exe`. Listed in Table 2 of CISA AA24-109A as the canonical C++ Akira encryptor observed in early intrusions.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'd2fd0654710c27dcf37b6c1437880020824e161dd0bf28e3a133ed777242a0ca']","pattern_type":"stix","valid_from":"2023-03-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--68206724-cd26-5033-a1cb-3ad3053f3602","created":"2023-03-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--d7208cf1-5784-531c-8ce8-a37dae2bd953","target_ref":"intrusion-set--b60f7d57-8912-562d-90e4-11c49cd20d40"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794","created":"2021-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ALPHV/BlackCat","description":"Russian-speaking ransomware-as-a-service operation, first observed November 2021, notable as the first prominent ransomware family written in Rust. Operated the affiliate program responsible for the February 2024 attack on Change Healthcare (UnitedHealth subsidiary) which disrupted U.S. pharmacy claims processing for weeks. The operation ran an exit-scam in early March 2024 after the Change Healthcare ransom was paid, stiffing its own affiliate.","first_seen":"2021-11-01T00:00:00.000Z","aliases":["ALPHV","BlackCat","Noberus"],"last_seen":"2024-03-01T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","financial","professional services","manufacturing","energy"],"x_threatintel_target_countries":["US","GB","DE","AU","CA","FR","IT"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1078"]},{"type":"report","spec_version":"2.1","id":"report--6e0f1883-2ef3-5a2e-a51f-5032768f82d7","created":"2025-11-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Two U.S. cybersecurity workers plead guilty to ALPHV BlackCat affiliate scheme","description":"DOJ announced that Ryan Goldberg and Kevin Martin pleaded guilty in the Southern District of Florida to conspiring to commit Hobbs Act extortion via ALPHV BlackCat attacks on U.S. victims between April and December 2023. The defendants, both employed in the cybersecurity industry, agreed to pay BlackCat operators a 20% share of ransoms and successfully extorted one victim of approximately $1.2 million in Bitcoin.","published":"2025-11-19T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/two-americans-plead-guilty-targeting-multiple-us-victims-using-alphv-blackcat-ransomware"}],"labels":["doj","guilty-plea","affiliate","extortion"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--26d239fb-2d5f-51e5-a008-c884797bfa4a","created":"2024-03-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ALPHV BlackCat shuts down in apparent exit scam after Change Healthcare payment","description":"The ALPHV BlackCat operators took their Tor leak site offline on 1 March 2024 and on 5 March announced the operation's closure, posting a fabricated FBI seizure banner that the UK NCA publicly denied. The operators offered the ransomware source code for $5 million and stiffed the affiliate behind the Change Healthcare intrusion, who retained roughly 4 TB of stolen data.","published":"2024-03-05T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"],"external_references":[{"source_name":"BleepingComputer","url":"https://www.bleepingcomputer.com/news/security/blackcat-ransomware-shuts-down-in-exit-scam-blames-the-feds/"}],"labels":["exit-scam","raas","infrastructure"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--1ac73b8d-9698-5fff-a4be-36a4ff71cd73","created":"2024-02-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Change Healthcare ransomware incident attributed to ALPHV BlackCat","description":"UnitedHealth Group's Change Healthcare subsidiary was crippled by ALPHV BlackCat ransomware after the actors used credentials on a remote-access portal lacking multi-factor authentication. The incident disrupted U.S. healthcare claims and pharmacy processing for weeks and ultimately involved a roughly $22 million ransom payment that the operators kept rather than sharing with the affiliate who conducted the intrusion.","published":"2024-02-21T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"],"external_references":[{"source_name":"Krebs on Security","url":"https://krebsonsecurity.com/2024/03/blackcat-ransomware-group-implodes-after-apparent-22m-ransom-payment-by-change-healthcare/"}],"labels":["healthcare","supply-chain","extortion","mfa"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--e56cecf0-f49e-5b5c-b81b-b529b51e5fb2","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FBI-led international operation seizes ALPHV infrastructure and releases decryptor","description":"U.S. and partner agencies (UK NCA, Europol, Germany, Denmark, Spain, Australia) executed a coordinated disruption of ALPHV BlackCat, seizing several Tor sites and releasing a decryptor developed with the help of a confidential source who provided access to the affiliate panel. The FBI said the tool had already helped roughly 500 victims avoid an estimated $68 million in ransom demands.","published":"2023-12-19T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"],"external_references":[{"source_name":"Krebs on Security","url":"https://krebsonsecurity.com/2023/12/blackcat-ransomware-raises-ante-after-fbi-disruption/"}],"labels":["law-enforcement","takedown","decryptor"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--0cd6a937-cae1-55b1-8dae-5125ad50cfed","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint CISA/FBI/HHS advisory AA23-353A on ALPHV BlackCat","description":"FBI, CISA, and HHS released joint Cybersecurity Advisory AA23-353A detailing TTPs and IOCs for the ALPHV BlackCat RaaS, including the February 2023 'Sphynx' 2.0 rewrite that added Linux and VMware ESXi targeting. The advisory was updated on 27 February 2024 to note that, after early-December 2023 law enforcement action, the administrator urged affiliates to target the healthcare sector.","published":"2023-12-19T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"}],"labels":["advisory","ransomware","healthcare","esxi"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--8cf317bb-d413-525a-9891-f1f0e1874b6d","created":"2021-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ALPHV/BlackCat Rust-based RaaS first observed","description":"MITRE ATT&CK records the BlackCat (a.k.a. ALPHV, Noberus) ransomware-as-a-service as first observed in November 2021. Written in Rust, it was among the first cross-platform ransomware families to ship native Windows, Linux, and ESXi builds, and is linked by researchers to the BlackMatter / DarkSide lineage.","published":"2021-11-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"],"external_references":[{"source_name":"MITRE ATT&CK","url":"https://attack.mitre.org/software/S1068/"}],"labels":["ransomware","raas","rust","emergence"],"x_threatintel_severity":"medium"},{"type":"indicator","spec_version":"2.1","id":"indicator--55136fb0-3b45-5469-b814-540bb5f84710","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16 (ALPHV/BlackCat)","description":"SHA-256 of an ALPHV BlackCat Windows encryptor sample listed in CISA/FBI/HHS joint advisory AA23-353A (Table 2).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'c64300cf8bacc4e42e74715edf3f8c3287a780c9c0a38b0d9675d01e7e231f16']","pattern_type":"stix","valid_from":"2023-12-19T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c3c21a5d-262d-542f-88d3-be989e8f2766","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--55136fb0-3b45-5469-b814-540bb5f84710","target_ref":"intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"},{"type":"indicator","spec_version":"2.1","id":"indicator--fea04aca-e336-5b88-9558-db40d0d16644","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 bbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1 (ALPHV/BlackCat)","description":"SHA-256 of an ALPHV BlackCat Linux encryptor sample listed in CISA/FBI/HHS joint advisory AA23-353A (Table 2).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'bbfe7289de6ab1f374d0bcbeecf31cad2333b0928ea883ca13b9e733b58e27b1']","pattern_type":"stix","valid_from":"2023-12-19T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--eac0a8bc-8e14-5009-9290-50bb9db3f6cf","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--fea04aca-e336-5b88-9558-db40d0d16644","target_ref":"intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"},{"type":"indicator","spec_version":"2.1","id":"indicator--1828700f-8654-5a96-bf9f-0e39ea5756c3","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN resources.docusong.com (ALPHV/BlackCat)","description":"Command-and-control domain used by ALPHV BlackCat affiliates, published in the Network Indicators table of CISA/FBI/HHS advisory AA23-353A.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'resources.docusong.com']","pattern_type":"stix","valid_from":"2023-12-19T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--2fd190a0-2b44-5aa8-88e3-eaedf22d2d63","created":"2023-12-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--1828700f-8654-5a96-bf9f-0e39ea5756c3","target_ref":"intrusion-set--b71cbf88-9e14-56f7-87a4-c7ba28c42794"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--1bd960db-739e-5b57-80b8-389dc74c3388","created":"2009-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Andariel","description":"DPRK state-sponsored intrusion set publicly attributed to the Reconnaissance General Bureau's 3rd Bureau (Andariel). Treated by MITRE as a sub-cluster of Lazarus Group; conducts both espionage against defense, aerospace, nuclear, and engineering targets and financially-motivated operations against banks and ATMs. Joint advisory AA24-207A in July 2024 attributed sustained intellectual-property theft against critical-infrastructure research to the group.","first_seen":"2009-01-01T00:00:00.000Z","aliases":["Silent Chollima","Onyx Sleet","PLUTONIUM","Stonefly","APT45"],"goals":["espionage","financial gain"],"primary_motivation":"personal-gain","labels":["country:KP"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["defense","aerospace","nuclear","energy","financial"],"x_threatintel_target_countries":["KR","US","JP","IN"],"x_threatintel_attack_techniques":["T1190","T1059.001","T1486","T1078"]},{"type":"report","spec_version":"2.1","id":"report--2fc46d74-2c54-5c2d-a20b-364a257cc568","created":"2024-07-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint advisory AA24-207A attributes IP theft to DPRK Andariel","description":"CISA, the FBI, the NSA, and partners from the U.K., South Korea, Germany, and others released a joint advisory attributing a long-running cyberespionage campaign against critical-infrastructure research — defense, aerospace, nuclear, and engineering — to North Korea's Reconnaissance General Bureau 3rd Bureau, also tracked as Andariel and APT45.","published":"2024-07-25T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--1bd960db-739e-5b57-80b8-389dc74c3388"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"}],"labels":["five-eyes","attribution","dprk","ip-theft"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--b6fe3fd7-7097-5032-adb7-5fada5c71f95","created":"2024-07-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6","description":"Andariel implant sample listed in CISA / FBI / NSA joint advisory AA24-207A (25 July 2024) covering the RGB 3rd Bureau group also tracked as Onyx Sleet / Stonefly / Silent Chollima. The advisory ties the group to defence, aerospace, nuclear and engineering espionage in support of DPRK military and nuclear programs.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'ed8ec7a8dd089019cfd29143f008fa0951c56a35d73b2e1b274315152d0c0ee6']","pattern_type":"stix","valid_from":"2024-07-25T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-207a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a8b5459e-6ced-5b11-8a74-93470efb85c4","created":"2024-07-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--b6fe3fd7-7097-5032-adb7-5fada5c71f95","target_ref":"intrusion-set--1bd960db-739e-5b57-80b8-389dc74c3388"},{"type":"indicator","spec_version":"2.1","id":"indicator--bb7990b8-84d5-5283-9607-a1778b79bfa5","created":"2021-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e (Maui)","description":"Maui ransomware sample (maui.exe). FBI / CISA / Treasury advisory AA22-187A documents its use by DPRK state actors against U.S. Healthcare and Public Health sector targets from at least May 2021. Encryption combines AES, RSA and XOR and is driven manually via CLI by the operator.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '5b7ecf7e9d0715f1122baf4ce745c5fcd769dee48150616753fec4d6da16e99e']","pattern_type":"stix","valid_from":"2021-05-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-187a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--28f05d15-66dc-5463-9edd-77e23fa56c7a","created":"2021-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--bb7990b8-84d5-5283-9607-a1778b79bfa5","target_ref":"intrusion-set--1bd960db-739e-5b57-80b8-389dc74c3388"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--b13f2750-2d8a-5bed-9117-12f1d69a0278","created":"2023-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Anonymous Sudan","description":"DDoS-as-a-service operation that publicly framed itself as Islamist hacktivism originating from Sudan; multiple researcher reports and the U.S. DOJ indictment unsealed in October 2024 identified two Sudanese nationals (the Omer brothers) as operators of the service from Sudan, not from Russia. Operated the 'Skynet' / 'InfraShutdown' DDoS service, briefly disrupted X (Twitter), Microsoft 365, and OpenAI services in 2023. Service disabled following the DOJ takedown.","first_seen":"2023-01-01T00:00:00.000Z","aliases":["Storm-1359"],"last_seen":"2024-10-01T00:00:00.000Z","goals":["disruption","financial gain","information operations"],"primary_motivation":"personal-gain","x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["technology","government","media","financial","healthcare"],"x_threatintel_target_countries":["US","GB","FR","IL","SE","DK"],"x_threatintel_attack_techniques":["T1498","T1499"]},{"type":"report","spec_version":"2.1","id":"report--53471cae-ee64-51ac-9d83-b42e87a16075","created":"2024-10-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals indictment of Sudanese nationals running Anonymous Sudan","description":"A federal grand jury in the Central District of California indicted brothers Ahmed Salah Yusuuf Omer (22) and Alaa Salah Yusuuf Omer (27), Sudanese nationals, for operating the Anonymous Sudan DDoS service. Prosecutors attributed 35,000+ DDoS attacks to the operation, with high-profile disruptions against Microsoft 365, ChatGPT/OpenAI, X, PayPal, and Cedars-Sinai hospital. The takedown disabled the Skynet / InfraShutdown DDoS-as-a-service offering. Ahmed Salah faces potential life imprisonment on charges tied to the Cedars-Sinai attack endangering patient care.","published":"2024-10-16T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--b13f2750-2d8a-5bed-9117-12f1d69a0278"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/usao-cdca/pr/two-sudanese-nationals-indicted-alleged-roles-anonymous-sudan-cyberattack-group"}],"labels":["indictment","ddos","disruption","fbi-takedown"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--a38a4c78-386c-541a-ba66-5a221fb18604","created":"2023-01-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME @InfraShutdown","description":"Primary Telegram handle/channel branding used by Anonymous Sudan to claim DDoS attacks (also operated companion bot @InfraShutdown_bot and channel 'Skynet/Godzilla-BotNet'). Documented verbatim throughout the DOJ indictment of the Omer brothers (Central District of California, March 2024, unsealed October 2024).","indicator_types":["malicious-activity"],"pattern":"[file:name = '@InfraShutdown']","pattern_type":"stix","valid_from":"2023-01-18T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/usao-cdca/pr/two-sudanese-nationals-indicted-alleged-roles-anonymous-sudan-cyberattack-group"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--20c5a6ee-c503-5469-bca7-245206239125","created":"2023-01-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--a38a4c78-386c-541a-ba66-5a221fb18604","target_ref":"intrusion-set--b13f2750-2d8a-5bed-9117-12f1d69a0278"},{"type":"indicator","spec_version":"2.1","id":"indicator--6d4e8471-e70f-5bd1-8f49-d0ac969f1550","created":"2023-01-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME InfraShutdown (DCAT)","description":"Operator name for the Distributed Cloud Attack Tool (DCAT) used by Anonymous Sudan to launch 35,000+ DDoS attacks. Aliased as 'Skynet' and 'Godzilla Botnet' in the same Telegram channels. Tool seized and operators charged by DOJ in the unsealed October 2024 indictment of brothers Ahmed and Alaa Salah Yusuuf Omer.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'InfraShutdown']","pattern_type":"stix","valid_from":"2023-01-18T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/usao-cdca/pr/two-sudanese-nationals-indicted-alleged-roles-anonymous-sudan-cyberattack-group"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--83949430-8045-5f8c-99ab-a9a38cac1960","created":"2023-01-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6d4e8471-e70f-5bd1-8f49-d0ac969f1550","target_ref":"intrusion-set--b13f2750-2d8a-5bed-9117-12f1d69a0278"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--128989e4-01c4-5c0c-a37b-4e72e2401116","created":"2006-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT10","description":"PRC state-sponsored intrusion set publicly attributed by the U.S. DOJ to the Ministry of State Security's Tianjin State Security Bureau, operating through Huaying Haitai. Best known for the Cloud Hopper campaign against managed service providers (MSPs) and cloud platforms — supply-chain compromise to pivot into downstream customer networks across aviation, satellite, automotive, biotech, pharma, and IT services. The U.S. DOJ unsealed an indictment of Zhu Hua and Zhang Shilong in December 2018.","first_seen":"2006-01-01T00:00:00.000Z","aliases":["Stone Panda","MenuPass","Red Apollo","POTASSIUM","Bronze Riverside","CVNX"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["managed service providers","aviation","satellite","biotechnology","pharmaceutical","telecommunications"],"x_threatintel_target_countries":["US","GB","JP","DE","FR","CA","AU","BR","IN","KR"],"x_threatintel_attack_techniques":["T1199","T1078.004","T1059.001","T1133"]},{"type":"report","spec_version":"2.1","id":"report--c7fcaffb-ff10-563e-81dd-f63b5507862f","created":"2018-12-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals indictment of MSS Tianjin operators for APT10 Cloud Hopper","description":"U.S. DOJ unsealed an indictment of Zhu Hua and Zhang Shilong, PRC nationals working through Huaying Haitai, charging them with conspiracy to commit computer intrusions tied to the APT10 Group. The indictment publicly attributed the long-running 'Cloud Hopper' campaign — exploiting managed service providers as a pivot into downstream customer networks — to the MSS Tianjin State Security Bureau, naming over 45 victim organizations across aviation, satellite, biotech, automotive, and IT services.","published":"2018-12-20T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--128989e4-01c4-5c0c-a37b-4e72e2401116"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/archives/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion"}],"labels":["indictment","supply-chain","msp","china"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--147f87a0-2d1c-5471-8496-ee35a66f7535","created":"2018-09-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME UPPERCUT (UPPERCUT)","description":"UPPERCUT (a.k.a. ANEL) backdoor attributed to APT10 / menuPass by MITRE ATT&CK (S0275). Deployed in long-running espionage campaigns against Japanese targets and tracked alongside the Cloud Hopper MSP intrusion set.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'UPPERCUT']","pattern_type":"stix","valid_from":"2018-09-13T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"MITRE ATT&CK","url":"https://attack.mitre.org/groups/G0045/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--d4e1ece7-980c-50af-a73e-fc822a1c5b7f","created":"2018-09-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--147f87a0-2d1c-5471-8496-ee35a66f7535","target_ref":"intrusion-set--128989e4-01c4-5c0c-a37b-4e72e2401116"},{"type":"indicator","spec_version":"2.1","id":"indicator--91126a64-1be6-51e5-bae1-02a4a2ba085b","created":"2017-04-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME RedLeaves (RedLeaves)","description":"RedLeaves is a custom RAT first publicly associated with APT10 / menuPass in PwC and BAE Systems' Operation Cloud Hopper report. The Cloud Hopper IOC annex enumerates RedLeaves implant paths such as `C:\\windows\\system32\\RedLeaves.exe` on victim hosts.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'RedLeaves']","pattern_type":"stix","valid_from":"2017-04-05T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"PwC UK / BAE Systems","url":"https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-indicators-of-compromise-april-2017.pdf"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--9001c366-59d5-5c52-86d2-30ae86ce3f10","created":"2017-04-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--91126a64-1be6-51e5-bae1-02a4a2ba085b","target_ref":"intrusion-set--128989e4-01c4-5c0c-a37b-4e72e2401116"},{"type":"indicator","spec_version":"2.1","id":"indicator--778efaaf-4187-5811-a1c0-2571a5cf1d62","created":"2017-04-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN domainnow.yourtrap.com","description":"Dynamic-DNS C2 hostname listed in PwC's Operation Cloud Hopper Annex A domain table. Used by APT10 across MSP-pivot intrusions documented in the 2016-2017 Cloud Hopper campaign.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'domainnow.yourtrap.com']","pattern_type":"stix","valid_from":"2017-04-05T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"PwC UK / BAE Systems","url":"https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-indicators-of-compromise-april-2017.pdf"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--f4d0d642-59b2-58da-a478-b856ead5b5e5","created":"2017-04-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--778efaaf-4187-5811-a1c0-2571a5cf1d62","target_ref":"intrusion-set--128989e4-01c4-5c0c-a37b-4e72e2401116"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--a7857ad6-5733-5acb-8169-b0166472c2cd","created":"2004-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT28","description":"Russian military-intelligence (GRU Unit 26165) intrusion set. Long-running espionage operations against military, government, political, and media targets, including the 2016 DNC intrusion and sustained targeting of NATO members. Frequent use of credential phishing, router compromise, and zero-day exploitation.","first_seen":"2004-01-01T00:00:00.000Z","aliases":["Fancy Bear","Forest Blizzard","Sofacy","STRONTIUM"],"goals":["espionage","information operations"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","military","political","media","defense"],"x_threatintel_target_countries":["US","GB","DE","FR","UA","GE","PL","NO","EE","LV"],"x_threatintel_attack_techniques":["T1566.002","T1110.003","T1133","T1190"]},{"type":"report","spec_version":"2.1","id":"report--1f0a9068-a1cd-5602-828e-b4a244508fe6","created":"2023-12-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Forest Blizzard exploits CVE-2023-23397 Outlook elevation flaw","description":"Microsoft and Polish Cyber Command attributed sustained exploitation of CVE-2023-23397 — an Outlook NTLM credential leak — to Forest Blizzard (APT28) against government, energy, transportation, and NGO targets across Europe and North America.","published":"2023-12-04T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--a7857ad6-5733-5acb-8169-b0166472c2cd"],"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2023/12/04/star-blizzard-increases-sophistication-and-evasion-in-ongoing-attacks/"}],"labels":["cve-2023-23397","ntlm","outlook"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--ee20aa81-ed36-5efa-aed0-2861d185ef69","created":"2018-07-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ indicts 12 GRU officers for 2016 election operations","description":"A federal grand jury indicted twelve officers of Russia's GRU (Units 26165 and 74455) for computer-intrusion operations targeting U.S. political organizations during the 2016 election cycle. Unit 26165 is the GRU designation associated with APT28.","published":"2018-07-13T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--a7857ad6-5733-5acb-8169-b0166472c2cd"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/grand-jury-indicts-12-russian-intelligence-officers-hacking-offenses-related-2016-election"}],"labels":["indictment","gru","election-interference"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--5a09f127-f59b-58dd-9e91-97452cb9b6e9","created":"2016-06-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DNC intrusion publicly disclosed","description":"CrowdStrike disclosed that two Russian intrusion sets — APT28 (Fancy Bear) and APT29 (Cozy Bear) — had compromised the Democratic National Committee's network. The breach became central to U.S. assessments of 2016 election interference.","published":"2016-06-14T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--a7857ad6-5733-5acb-8169-b0166472c2cd"],"external_references":[{"source_name":"CrowdStrike","url":"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"}],"labels":["election-interference","espionage"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--221642b5-1cd1-5e3c-aaa0-7cb52fd4fe7e","created":"2020-08-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Drovorub (Drovorub)","description":"Linux malware toolset attributed by NSA and FBI to GRU 85th GTsSS Military Unit 26165 (APT28 / Fancy Bear / Strontium). Comprises a kernel-module rootkit, client, agent, and file-transfer / port-forwarding server, all communicating via JSON over WebSockets. Disclosed in joint advisory AA20-280A on 13 August 2020.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Drovorub']","pattern_type":"stix","valid_from":"2020-08-13T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-280a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--909b4d5e-90bc-5f4a-8f5f-4ef5512808b3","created":"2020-08-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--221642b5-1cd1-5e3c-aaa0-7cb52fd4fe7e","target_ref":"intrusion-set--a7857ad6-5733-5acb-8169-b0166472c2cd"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--de1bde10-b746-5a47-93bc-e97670eebe0b","created":"2008-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT29","description":"Russian state-sponsored intrusion set publicly attributed to the SVR. Long history of espionage operations against Western government, diplomatic, think tank, and technology targets, including the SolarWinds supply-chain compromise (2020) and a 2024 intrusion into Microsoft corporate email. Tradecraft emphasizes credential theft, OAuth abuse, and stealthy persistence in cloud identity systems.","first_seen":"2008-01-01T00:00:00.000Z","aliases":["Cozy Bear","Midnight Blizzard","NOBELIUM","The Dukes"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","defense","diplomatic","technology","think tanks"],"x_threatintel_target_countries":["US","GB","DE","FR","NL","NO","DK","PL","CA","UA"],"x_threatintel_attack_techniques":["T1078","T1199","T1550.001","T1098.001"]},{"type":"report","spec_version":"2.1","id":"report--d5ada8a3-7ad4-5e8e-8451-211468eff775","created":"2024-06-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"TeamViewer corporate IT compromise attributed to APT29","description":"TeamViewer disclosed that its internal corporate IT environment was compromised by APT29, with the company stating the intrusion was contained to that environment and did not reach product, customer, or production systems.","published":"2024-06-28T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--de1bde10-b746-5a47-93bc-e97670eebe0b"],"external_references":[{"source_name":"TeamViewer","url":"https://www.teamviewer.com/en/resources/trust-center/statement/"}],"labels":["corporate-it","espionage"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--d0d099a4-387a-552d-a9fd-fc0956153cab","created":"2024-01-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Midnight Blizzard intrusion into Microsoft corporate email","description":"Microsoft disclosed that Midnight Blizzard (APT29) compromised a legacy non-production test tenant via password spray, then pivoted to access a small number of Microsoft corporate email accounts, including members of the senior leadership team and cybersecurity / legal staff.","published":"2024-01-19T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--de1bde10-b746-5a47-93bc-e97670eebe0b"],"external_references":[{"source_name":"Microsoft Security Response Center","url":"https://msrc.microsoft.com/blog/2024/01/microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/"}],"labels":["password-spray","oauth","email"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--76e4269e-09e1-53bd-a39a-eb43dfaf546e","created":"2021-04-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"U.S. Treasury sanctions SVR for SolarWinds compromise","description":"OFAC formally attributed the SolarWinds compromise to the Russian Foreign Intelligence Service (SVR) and imposed sanctions on six Russian technology companies that provide support to the SVR's cyber program.","published":"2021-04-15T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--de1bde10-b746-5a47-93bc-e97670eebe0b"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/jy0127"}],"labels":["sanctions","svr"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--39297c81-d936-5582-b776-6cad57d72e2a","created":"2020-12-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SolarWinds Orion supply-chain compromise disclosed","description":"FireEye and Microsoft disclosed a sophisticated supply-chain compromise of SolarWinds Orion software, attributed to APT29. The trojanized SUNBURST update reached approximately 18,000 customers and enabled second-stage access to U.S. federal agencies and Fortune 500 networks.","published":"2020-12-13T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--de1bde10-b746-5a47-93bc-e97670eebe0b"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"}],"labels":["supply-chain","espionage","us-government"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--a525a5ed-051e-530d-8e9d-97996b2512ae","created":"2020-12-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN avsvmcloud.com (SUNBURST)","description":"Primary first-stage command-and-control domain used by the SUNBURST backdoor inside trojanized SolarWinds Orion updates. Subdomains under this domain encoded victim identifiers.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'avsvmcloud.com']","pattern_type":"stix","valid_from":"2020-12-13T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c588c18b-5819-5653-9e5a-51bfe4f7360c","created":"2020-12-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--a525a5ed-051e-530d-8e9d-97996b2512ae","target_ref":"intrusion-set--de1bde10-b746-5a47-93bc-e97670eebe0b"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--0abe4ebc-6c1f-57ba-b5d9-675531002c1b","created":"2010-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT3","description":"PRC state-affiliated intrusion set publicly attributed by the U.S. DOJ to the Guangzhou-based front company Boyusec (Guangzhou Bo Yu Information Technology), working in concert with the Ministry of State Security's Guangdong State Security Department. Historically notable for weaponizing equation-group-style exploits (EternalBlue precursors) against U.S. corporate targets including Moody's, Siemens, and Trimble. DOJ unsealed an indictment of Wu Yingzhuo, Dong Hao, and Xia Lei in November 2017; Boyusec subsequently dissolved as a public-facing entity.","first_seen":"2010-01-01T00:00:00.000Z","aliases":["Gothic Panda","Buckeye","UPS Team","TG-0110"],"last_seen":"2017-11-28T00:00:00.000Z","goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["technology","engineering","professional services","manufacturing","financial"],"x_threatintel_target_countries":["US","GB","DE","HK"],"x_threatintel_attack_techniques":["T1190","T1078","T1059.003","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--7ca21f19-af77-51cf-aec9-3ce5e9e58b8f","created":"2017-11-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals APT3/Boyusec indictment of three Chinese nationals","description":"U.S. DOJ unsealed an indictment of Wu Yingzhuo, Dong Hao, and Xia Lei — three Chinese nationals working at Guangzhou Bo Yu Information Technology (Boyusec) — for computer hacking, trade-secret theft, and aggravated identity theft against Moody's Analytics, Siemens AG, and Trimble Inc. Boyusec was publicly linked by independent researchers (Intrusion Truth) to the Chinese MSS Guangdong State Security Department and to APT3 itself; the company subsequently dissolved as a public-facing entity.","published":"2017-11-28T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--0abe4ebc-6c1f-57ba-b5d9-675531002c1b"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/usao-wdpa/pr/us-charges-three-chinese-hackers-who-work-internet-security-firm-stealing"}],"labels":["indictment","trade-secret-theft","china"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--4742a9fb-b26c-5541-93ff-cf10593ac331","created":"2010-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Pirpi (RSFuncs / sslshell) (Pirpi)","description":"Custom Windows RAT used by APT3 (Gothic Panda / TG-0110 / UPS) in browser zero-day campaigns. Group is attributed to Guangzhou Bo Yu Information Technology Co., Ltd. (Boyusec), a MSS contractor. On 27 November 2017 the U.S. DOJ unsealed an indictment against Boyusec employees Wu Yingzhuo, Dong Hao and Xia Lei for intrusions into Moody's, Siemens and Trimble between 2011 and 2017.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Pirpi (RSFuncs / sslshell)']","pattern_type":"stix","valid_from":"2010-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://flashpoint.io/blog/usa-vs-wu-yingzhuo-dong-hao-xia-lei/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--48172772-5694-5439-ad9d-268fdfa1b014","created":"2010-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--4742a9fb-b26c-5541-93ff-cf10593ac331","target_ref":"intrusion-set--0abe4ebc-6c1f-57ba-b5d9-675531002c1b"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--67cc837c-1fa5-5209-b067-3d925d7e56c2","created":"2010-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT31","description":"PRC state-sponsored intrusion set publicly attributed to the Ministry of State Security's Hubei State Security Department, operating through the front company Wuhan Xiaoruizhi Science and Technology Company. UK and U.S. sanctioned named operators in March 2024 for a 14-year global cyberespionage campaign targeting elected officials, government critics, journalists, and democratic institutions. The Czech government publicly attributed a 2022-2024 intrusion of its Ministry of Foreign Affairs unclassified network to APT31 on 28 May 2025.","first_seen":"2010-01-01T00:00:00.000Z","aliases":["Zirconium","Violet Typhoon","Judgment Panda","Bronze Vinewood"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","diplomatic","journalism","dissidents","ngo"],"x_threatintel_target_countries":["US","GB","CZ","NO","NZ","FI","DE","BE"],"x_threatintel_attack_techniques":["T1566.002","T1071.001","T1133","T1078.004"]},{"type":"report","spec_version":"2.1","id":"report--d6a0f59b-a517-5d93-a757-f94b34351abe","created":"2025-05-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Czech Republic publicly attributes multi-year MFA intrusion to APT31","description":"The Czech government, supported by NUKIB and three Czech intelligence services, publicly attributed a cyber-espionage campaign targeting an unclassified network of the Ministry of Foreign Affairs — designated critical infrastructure — to APT31, linked to China's Ministry of State Security. The intrusion is assessed to have run since at least 2022. The Chinese Ambassador was summoned and the EU and NATO issued statements of solidarity calling on China to adhere to UN norms of responsible state behaviour in cyberspace.","published":"2025-05-28T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--67cc837c-1fa5-5209-b067-3d925d7e56c2"],"external_references":[{"source_name":"NUKIB (National Cyber and Information Security Agency, Czech Republic)","url":"https://nukib.gov.cz/en/infoservis-en/news/2263-the-czech-government-has-publicly-attributed-cyberattacks-to-china-actor-apt31-linked-to-the-chinese-ministry-of-state-security-has-targeted-the-infrastructure-of-the-czech-ministry-of-foreign-affairs/"}],"labels":["attribution","czech-republic","mfa","eu-nato"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--2a580bb4-4e84-56ea-80af-e37c10e842f2","created":"2024-03-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"UK sanctions APT31 front company and operators over Electoral Commission breach and parliamentary targeting","description":"The UK Foreign, Commonwealth and Development Office sanctioned Wuhan Xiaoruizhi Science and Technology Company Limited along with Zhao Guangzong and Ni Gaobin, attributing two campaigns to APT31: a 2021-2022 compromise of the UK Electoral Commission that the NCSC assessed as highly likely conducted by a China state-affiliated actor, and a 2021 reconnaissance campaign against UK parliamentarians — many members of the Inter-Parliamentary Alliance on China. The Chinese Ambassador was summoned and 16 partner governments expressed support.","published":"2024-03-25T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--67cc837c-1fa5-5209-b067-3d925d7e56c2"],"external_references":[{"source_name":"UK Foreign, Commonwealth & Development Office","url":"https://www.gov.uk/government/news/uk-holds-china-state-affiliated-organisations-and-individuals-responsible-for-malicious-cyber-activity"}],"labels":["sanction","uk","electoral-commission","ipac"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--d7dabc5d-f53d-5f72-b17e-721ab0c2c9ab","created":"2024-03-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Treasury sanctions Wuhan XRZ front company and two APT31 hackers for targeting US critical infrastructure","description":"OFAC designated Wuhan Xiaoruizhi Science and Technology Company, Limited (Wuhan XRZ) — a Wuhan-based Ministry of State Security front company — along with Chinese nationals Zhao Guangzong and Ni Gaobin for their roles in APT31 cyber operations targeting US critical infrastructure. The designations were issued under Executive Order 13694, as amended, and were coordinated with a parallel UK sanctions package and a US Department of Justice indictment unsealed the same day in the Eastern District of New York charging seven APT31-affiliated nationals.","published":"2024-03-25T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--67cc837c-1fa5-5209-b067-3d925d7e56c2"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/jy2205"}],"labels":["sanction","ofac","mss","critical-infrastructure"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--01de2edf-6880-56d3-b831-d191e621506d","created":"2024-03-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals indictment charging seven APT31 hackers tied to MSS Hubei State Security Department","description":"Federal prosecutors in the Eastern District of New York unsealed an indictment charging seven Chinese nationals — Ni Gaobin, Weng Ming, Cheng Feng, Peng Yaowen, Sun Xiaohui, Xiong Wang, and Zhao Guangzong — with conspiracy to commit computer intrusions and wire fraud as members of APT31, a hacking group operated by the MSS Hubei State Security Department in Wuhan. The 14-year campaign targeted US and foreign government officials, political dissidents, journalists, IPAC parliamentarians, defense contractors, and companies in aerospace, defense, telecommunications, and other sectors.","published":"2024-03-25T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--67cc837c-1fa5-5209-b067-3d925d7e56c2"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived"}],"labels":["indictment","doj","mss","hubei-ssd"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--c1696744-70c1-5d17-8beb-90064eda40fe","created":"2020-09-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Microsoft discloses Zirconium (APT31) targeting of 2020 US presidential campaign and international affairs community","description":"Microsoft's Customer Security & Trust team reported that Zirconium — the Microsoft alias for APT31 — had launched thousands of attacks between March and September 2020, resulting in nearly 150 compromises. The China-based group indirectly targeted the Joe Biden for President campaign via non-campaign email accounts of affiliated individuals, as well as academics at more than 15 universities and 18 international affairs organizations including the Atlantic Council and Stimson Center, using web-beacon reconnaissance tied to attacker-controlled domains.","published":"2020-09-10T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--67cc837c-1fa5-5209-b067-3d925d7e56c2"],"external_references":[{"source_name":"Microsoft","url":"https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/"}],"labels":["report","election-security","zirconium","microsoft"],"x_threatintel_severity":"high"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--79137e8e-a48a-5942-a8aa-1a30a2274880","created":"2013-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT33","description":"Iranian state-sponsored actor with strategic intelligence interest in the global energy supply chain. Long-running password-spray and credential-theft campaigns against aviation and defense industrial bases, especially organizations linked to Saudi Arabian, U.S., and South Korean petrochemical and aerospace work.","first_seen":"2013-01-01T00:00:00.000Z","aliases":["Refined Kitten","HOLMIUM","Peach Sandstorm","Elfin"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["energy","aviation","defense","petrochemical"],"x_threatintel_target_countries":["SA","US","KR","AE"],"x_threatintel_attack_techniques":["T1110.003","T1078.004","T1133","T1567"]},{"type":"report","spec_version":"2.1","id":"report--67de14fa-ea56-569d-903b-76a1eca49b0d","created":"2023-09-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Peach Sandstorm password-spray campaign against defense industry","description":"Microsoft Threat Intelligence reported that Peach Sandstorm (APT33) had been running a sustained password-spray campaign against the defense industrial base, satellite operators, and pharmaceutical sectors throughout 2023, deploying the Tickler backdoor on successfully accessed accounts.","published":"2023-09-14T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--79137e8e-a48a-5942-a8aa-1a30a2274880"],"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"}],"labels":["password-spray","iran","defense"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--c800a369-87f4-5281-aa98-f7cc570d0167","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN subreviews.azurewebsites.net (Tickler)","description":"Azure App Service C2 subdomain associated with Tickler backdoor activity. Microsoft's August 2024 Peach Sandstorm report lists this in the IOC appendix alongside other actor-controlled azurewebsites.net subdomains used to abuse fraudulent Azure tenants for command-and-control.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'subreviews.azurewebsites.net']","pattern_type":"stix","valid_from":"2024-04-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--3fb2970d-30cd-59d5-bec6-d983970c1a31","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c800a369-87f4-5281-aa98-f7cc570d0167","target_ref":"intrusion-set--79137e8e-a48a-5942-a8aa-1a30a2274880"},{"type":"indicator","spec_version":"2.1","id":"indicator--b5317b5e-3002-541d-ad13-e4cf5667b39f","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198 (Tickler)","description":"Tickler custom multi-stage backdoor sample published by Microsoft Threat Intelligence in August 2024 as part of Peach Sandstorm operations against satellite, oil-and-gas, communications and US/UAE federal and state government targets observed April-July 2024.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '7eb2e9e8cd450fc353323fd2e8b84fbbdfe061a8441fd71750250752c577d198']","pattern_type":"stix","valid_from":"2024-04-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2024/08/28/peach-sandstorm-deploys-new-custom-tickler-malware-in-long-running-intelligence-gathering-operations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--dea05de2-4df9-5339-ab96-9c86d977374b","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--b5317b5e-3002-541d-ad13-e4cf5667b39f","target_ref":"intrusion-set--79137e8e-a48a-5942-a8aa-1a30a2274880"},{"type":"indicator","spec_version":"2.1","id":"indicator--145c8f52-7d32-59a1-a096-7e528180b2b5","created":"2023-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME go-http-client","description":"User-agent string Microsoft observed in the Feb-Jul 2023 Peach Sandstorm password-spray wave against thousands of organizations in satellite, defense and pharmaceutical sectors. Sprays were routed through TOR exit nodes; Microsoft attributes the activity to overlaps with APT33 / Elfin / Refined Kitten.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'go-http-client']","pattern_type":"stix","valid_from":"2023-02-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2023/09/14/peach-sandstorm-password-spray-campaigns-enable-intelligence-collection-at-high-value-targets/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--4fa8637c-a520-5bdf-b928-b2a4f6d85db1","created":"2023-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--145c8f52-7d32-59a1-a096-7e528180b2b5","target_ref":"intrusion-set--79137e8e-a48a-5942-a8aa-1a30a2274880"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--b39e5f60-fa18-5fab-9984-415502d4b1c7","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT34","description":"Iranian state-sponsored actor publicly assessed to operate on behalf of the Iranian government, with persistent targeting of Middle East government, financial, energy, and telecommunications organizations. Known for DNS-tunneling implants and supply-chain compromise against telecom providers as a stepping stone to downstream customers.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["OilRig","Helix Kitten","Hazel Sandstorm","EUROPIUM","Crambus"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","energy","financial","telecommunications"],"x_threatintel_target_countries":["SA","AE","IL","US","GB","KW","JO"],"x_threatintel_attack_techniques":["T1071.004","T1190","T1078.004","T1566.001"]},{"type":"report","spec_version":"2.1","id":"report--08212a13-74a7-5e1e-a986-ecb912102147","created":"2018-02-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Symantec attributes Middle East telecom intrusions to OilRig","description":"Symantec published a profile linking OilRig (APT34) to a multi-year intrusion campaign against Middle East government and financial-sector targets, including telecom providers used as supply-chain stepping stones to downstream customers.","published":"2018-02-28T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--b39e5f60-fa18-5fab-9984-415502d4b1c7"],"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions"}],"labels":["attribution","iran","telecommunications"],"x_threatintel_severity":"medium"},{"type":"indicator","spec_version":"2.1","id":"indicator--eb28a8fd-307b-5753-be28-038d36b4d09a","created":"2022-04-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b (Saitama)","description":"Malicious Excel document 'Confirmation Receive Document.xls' used by APT34 to drop the Saitama backdoor in the April 2022 Jordanian Foreign Ministry spearphishing campaign analyzed by Malwarebytes.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '26884f872f4fae13da21fa2a24c24e963ee1eb66da47e270246d6d9dc7204c2b']","pattern_type":"stix","valid_from":"2022-04-26T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Malwarebytes (ThreatDown)","url":"https://www.threatdown.com/blog/apt34-targets-jordan-government-using-new-saitama-backdoor/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--d0a61be0-1341-567d-be3f-01bed97be99b","created":"2022-04-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--eb28a8fd-307b-5753-be28-038d36b4d09a","target_ref":"intrusion-set--b39e5f60-fa18-5fab-9984-415502d4b1c7"},{"type":"indicator","spec_version":"2.1","id":"indicator--136faafa-495b-554a-9277-600a3993d546","created":"2022-04-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN uber-asia.com (Saitama)","description":"DNS-tunneling C2 domain used by APT34's Saitama backdoor per the May 2022 Malwarebytes analysis; one of three actor-controlled domains (alongside asiaworldremit.com and joexpediagroup.com) impersonating legitimate travel and remittance brands.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'uber-asia.com']","pattern_type":"stix","valid_from":"2022-04-26T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Malwarebytes (ThreatDown)","url":"https://www.threatdown.com/blog/apt34-targets-jordan-government-using-new-saitama-backdoor/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--1c480d79-b318-548b-b78a-62613e1337a2","created":"2022-04-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--136faafa-495b-554a-9277-600a3993d546","target_ref":"intrusion-set--b39e5f60-fa18-5fab-9984-415502d4b1c7"},{"type":"indicator","spec_version":"2.1","id":"indicator--edfc9335-5ee2-5e14-b867-7777578ba3dd","created":"2022-04-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d (Saitama)","description":"Saitama .NET backdoor payload (update.exe) attributed by Malwarebytes/ThreatDown to APT34 (OilRig / Helix Kitten / Hazel Sandstorm) in a May 2022 spearphishing operation against a Jordanian Ministry of Foreign Affairs official. Saitama uses DNS tunneling for C2.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'e0872958b8d3824089e5e1cfab03d9d98d22b9bcb294463818d721380075a52d']","pattern_type":"stix","valid_from":"2022-04-26T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Malwarebytes (ThreatDown)","url":"https://www.threatdown.com/blog/apt34-targets-jordan-government-using-new-saitama-backdoor/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--9533be45-c07d-54ff-854c-6a9fd1c416b2","created":"2022-04-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--edfc9335-5ee2-5e14-b867-7777578ba3dd","target_ref":"intrusion-set--b39e5f60-fa18-5fab-9984-415502d4b1c7"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--73518178-e5e1-5932-a4f0-e26ea52a2a89","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT35","description":"Iranian state-sponsored actor associated with the IRGC. Conducts long-term espionage and credential-phishing operations against journalists, dissidents, U.S. and Israeli government targets, and academic researchers working on Middle East policy. Known for elaborate social-engineering personas sustained over months.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["Charming Kitten","Mint Sandstorm","PHOSPHORUS"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","academia","journalism","dissidents","energy"],"x_threatintel_target_countries":["US","IL","GB","SA","AE","DE"],"x_threatintel_attack_techniques":["T1566.003","T1056.003","T1539","T1204.001"]},{"type":"report","spec_version":"2.1","id":"report--89ab14a1-e2c5-5c13-a2f7-8c07e1733b3a","created":"2022-01-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT35 weaponizes Log4Shell against unpatched targets","description":"Check Point Research observed APT35 actively exploiting Log4Shell (CVE-2021-44228) within a week of public disclosure, deploying a modular PowerShell toolkit ('CharmPower') against vulnerable VMware Horizon and similar Java-stack targets.","published":"2022-01-11T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--73518178-e5e1-5932-a4f0-e26ea52a2a89"],"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/"}],"labels":["log4shell","cve-2021-44228","powershell"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--0bacda19-ec9f-5053-a165-dda5c342267d","created":"2018-03-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ indicts nine IRGC-affiliated actors for academic phishing","description":"DOJ indicted nine Iranians associated with the Mabna Institute for a multi-year credential-phishing campaign against more than 300 universities worldwide, the U.S. Department of Labor, the FERC, and the United Nations — overlapping with APT35 / Charming Kitten activity.","published":"2018-03-23T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--73518178-e5e1-5932-a4f0-e26ea52a2a89"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/nine-iranians-charged-conducting-massive-cyber-theft-campaign-behalf-islamic-revolutionary"}],"labels":["indictment","credential-phishing","academia"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--db697051-890b-54df-8743-d2548ba6434b","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME MischiefTut (MischiefTut)","description":"PowerShell reconnaissance backdoor named by Microsoft in the January 2024 Mint Sandstorm advisory; deployed post-intrusion alongside MediaPl to write recon output to documentLoger.txt and pull additional tools onto victim hosts at Middle East research organizations.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'MischiefTut']","pattern_type":"stix","valid_from":"2023-11-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--ed358e94-cf25-573e-baeb-541d0d14bb87","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--db697051-890b-54df-8743-d2548ba6434b","target_ref":"intrusion-set--73518178-e5e1-5932-a4f0-e26ea52a2a89"},{"type":"indicator","spec_version":"2.1","id":"indicator--edd93b83-2216-5ba1-ae56-7d1ec3110048","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f (MediaPl)","description":"MediaPl custom backdoor (MediaPl.dll) masquerading as Windows Media Player, attributed by Microsoft in January 2024 to a Mint Sandstorm subgroup (APT35 / Charming Kitten / Phosphorus) targeting Middle East affairs researchers at universities in BE, FR, IL, UK and US. Communicates with C2 via AES-CBC encrypted, Base64-encoded channels.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'f2dec56acef275a0e987844e98afcc44bf8b83b4661e83f89c6a2a72c5811d5f']","pattern_type":"stix","valid_from":"2023-11-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2024/01/17/new-ttps-observed-in-mint-sandstorm-campaign-targeting-high-profile-individuals-at-universities-and-research-orgs/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--8d963819-53e7-5707-b0c1-6e154c0a2bde","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--edd93b83-2216-5ba1-ae56-7d1ec3110048","target_ref":"intrusion-set--73518178-e5e1-5932-a4f0-e26ea52a2a89"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--f674142d-c297-5fa1-ac44-7c0677c586db","created":"2012-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT37","description":"DPRK state-sponsored actor publicly attributed to North Korea's Ministry of State Security (MSS). Conducts espionage against South Korean public and private sector targets and, to a lesser extent, Japan, Vietnam, and the Middle East. Known for early adoption of zero-day exploits and the use of decoy documents exploiting Hangul Word Processor.","first_seen":"2012-01-01T00:00:00.000Z","aliases":["Reaper","ScarCruft","Ricochet Chollima","InkySquid","Opal Sleet"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:KP"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","defense","media","academia","dissidents"],"x_threatintel_target_countries":["KR","JP","VN","KW","BH"],"x_threatintel_attack_techniques":["T1203","T1204.002","T1566.001","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--6de5e2ef-6221-5a19-8482-8df6f9879a55","created":"2018-02-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FireEye publicly names APT37 (Reaper) as a DPRK actor","description":"FireEye published a comprehensive profile naming APT37 (Reaper) as a North Korean state-sponsored actor distinct from Lazarus, documenting its targeting beyond the Korean Peninsula and its early use of zero-day exploits in delivery chains.","published":"2018-02-20T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--f674142d-c297-5fa1-ac44-7c0677c586db"],"external_references":[{"source_name":"Mandiant (FireEye)","url":"https://services.google.com/fh/files/misc/rpt-apt37.pdf"}],"labels":["attribution","dprk","zero-day"],"x_threatintel_severity":"medium"},{"type":"indicator","spec_version":"2.1","id":"indicator--1def5aba-61d9-5475-9a17-08899bddff1d","created":"2021-08-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6 (BLUELIGHT)","description":"BLUELIGHT backdoor sample published by Volexity on 17 August 2021 in the 'InkySquid' blog. BLUELIGHT uses the Microsoft Graph API (OneDrive appfolder) for C2 and was deployed via IE / legacy-Edge zero-days CVE-2020-1380 and CVE-2021-26411 from a strategic web compromise of dailynk.com. Volexity attributes InkySquid to APT37 / ScarCruft.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '5c430e2770b59cceba1f1587b34e686d586d2c8ba1908bb5d066a616466d2cc6']","pattern_type":"stix","valid_from":"2021-08-17T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Volexity","url":"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--ebb02613-e371-5fe3-bbce-df5c9c7a442a","created":"2021-08-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--1def5aba-61d9-5475-9a17-08899bddff1d","target_ref":"intrusion-set--f674142d-c297-5fa1-ac44-7c0677c586db"},{"type":"indicator","spec_version":"2.1","id":"indicator--afdf8cce-8b8c-528d-90e9-38f40b451f22","created":"2021-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN jquery.services (BLUELIGHT)","description":"APT37 / InkySquid C2 root. Subdomains ui.jquery.services and storage.jquery.services served BLUELIGHT loader scripts via a strategic web compromise of South Korean news site dailynk.com starting April 2021. Reported by Volexity.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'jquery.services']","pattern_type":"stix","valid_from":"2021-04-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Volexity","url":"https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--8e1de7e1-2cc0-594f-ac8e-28abf4ec444b","created":"2021-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--afdf8cce-8b8c-528d-90e9-38f40b451f22","target_ref":"intrusion-set--f674142d-c297-5fa1-ac44-7c0677c586db"},{"type":"indicator","spec_version":"2.1","id":"indicator--440343d3-46cc-5eec-be6d-d4230080c485","created":"2017-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e (RokRAT)","description":"RokRAT (DOGCALL) backdoor sample documented by Cisco Talos in 'ROKRAT Reloaded' (November 2017). RokRAT abuses legitimate cloud services (pCloud, Box, Dropbox, Yandex) as C2 and is consistently attributed to APT37 / ScarCruft / Reaper / Group 123 (DPRK MSS).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'b3de3f9309b2f320738772353eb724a0782a1fc2c912483c036c303389307e2e']","pattern_type":"stix","valid_from":"2017-11-16T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Cisco Talos","url":"https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--05b80524-0cd9-59f5-9b62-ff2a70ba8a62","created":"2017-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--440343d3-46cc-5eec-be6d-d4230080c485","target_ref":"intrusion-set--f674142d-c297-5fa1-ac44-7c0677c586db"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--5dc691a3-22ab-5ae3-b02d-10e96ff0dc19","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT39","description":"Iranian state-affiliated intrusion set publicly attributed to Rana Intelligence Computing — an MOIS (Ministry of Intelligence and Security) front company sanctioned by the U.S. Treasury OFAC in September 2020. Targets the telecommunications and travel-reservation systems that Iran's intelligence services use to surveil ethnic minorities, Iranian dissidents, journalists, and former Iranian officials abroad. The 2020 OFAC action named 45 MOIS officers and unsealed parallel FBI charges.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["Chafer","Remix Kitten","ITG07"],"goals":["espionage","surveillance"],"primary_motivation":"organizational-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["telecommunications","travel","media","dissidents"],"x_threatintel_target_countries":["US","GB","TR","IL","AE","SA","DE"],"x_threatintel_attack_techniques":["T1566.001","T1059.001","T1078","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--4e474961-6b55-5071-a4e2-2ecc70a08105","created":"2020-09-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"U.S. Treasury OFAC sanctions Rana Intelligence Computing as MOIS front","description":"U.S. Treasury OFAC sanctioned Rana Intelligence Computing — publicly attributing the MOIS-fronted Iranian company as the operational identity behind APT39. The action named 45 individual MOIS officers and was paired with parallel FBI charges, marking the first formal U.S. government public attribution of a MOIS contractor for the cyber-surveillance campaign against Iranian dissidents and minorities abroad.","published":"2020-09-17T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--5dc691a3-22ab-5ae3-b02d-10e96ff0dc19"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/sm1127"}],"labels":["sanctions","iran","mois","surveillance"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--dcc795cb-86f5-5b80-a6e5-effbee5904eb","created":"2020-09-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME MAR-10303705-1.v1 (Rana toolset)","description":"Identifier for the CISA-hosted STIX bundle accompanying the FBI Malware Analysis Report on Rana / APT39 tooling, released alongside Treasury press release SM1127 on 17 Sep 2020. The bundle enumerates hashes, file names and C2 infrastructure for the eight malware sets attributed to MOIS through Rana.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'MAR-10303705-1.v1']","pattern_type":"stix","valid_from":"2020-09-17T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/sm1127"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--be37f262-3b2f-5267-9f55-f35443311030","created":"2020-09-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--dcc795cb-86f5-5b80-a6e5-effbee5904eb","target_ref":"intrusion-set--5dc691a3-22ab-5ae3-b02d-10e96ff0dc19"},{"type":"indicator","spec_version":"2.1","id":"indicator--9ce93ac4-f896-50e5-a33e-1ebdb7a79d3d","created":"2020-09-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Rana Intelligence Computing toolset (Rana toolset)","description":"Composite designation Treasury and the FBI used on 17 Sep 2020 for the eight malware sets (VBS/AutoIt scripts, BITS 1.0 and BITS 2.0 variants, a Firefox-impersonating binary, a Python tool, Android malware and Depot.dat) operated by MOIS front company Rana Intelligence Computing Company (APT39 / Chafer / Remix Kitten). Released as FBI advisory MAR-10303705 the same day Treasury sanctioned the front company and 45 associated individuals.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Rana Intelligence Computing toolset']","pattern_type":"stix","valid_from":"2020-09-17T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"FBI","url":"https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-releases-cybersecurity-advisory-on-previously-undisclosed-iranian-malware-used-to-monitor-dissidents-and-travel-and-telecommunications-companies"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6d2d14af-eb05-52fa-b1b7-694f0cbfb87f","created":"2020-09-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--9ce93ac4-f896-50e5-a33e-1ebdb7a79d3d","target_ref":"intrusion-set--5dc691a3-22ab-5ae3-b02d-10e96ff0dc19"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--7f55fd6a-8271-5c64-b23f-a1d0d0882cf5","created":"2013-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT40","description":"Chinese state-sponsored cyberespionage actor publicly attributed to the Ministry of State Security (MSS) Hainan State Security Department. Targets maritime industries, defense, government, and research aligned with PRC strategic priorities — naval technology, South China Sea, and the Belt and Road Initiative. U.S. DOJ indicted four MSS officers in 2021.","first_seen":"2013-01-01T00:00:00.000Z","aliases":["Leviathan","Kryptonite Panda","Gingham Typhoon","BRONZE MOHAWK","TEMP.Periscope"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["maritime","defense","government","research","healthcare"],"x_threatintel_target_countries":["US","GB","AU","CA","MY","SG","KH","VN","PH"],"x_threatintel_attack_techniques":["T1190","T1078.004","T1133","T1059.001"]},{"type":"report","spec_version":"2.1","id":"report--876fc3c0-b589-5bd1-bdb4-fbcedd242245","created":"2024-07-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Five Eyes joint advisory AA24-190A on APT40 tradecraft","description":"ASD's ACSC led a Five Eyes plus Japan, Republic of Korea, and Germany joint advisory detailing APT40's tradecraft, including rapid exploitation of newly disclosed public-facing vulnerabilities and use of compromised SOHO devices as operational infrastructure.","published":"2024-07-08T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--7f55fd6a-8271-5c64-b23f-a1d0d0882cf5"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-190a"}],"labels":["five-eyes","mss","tradecraft"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--b2aebcc0-5c80-5f49-ac1a-60976281582d","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ indicts four MSS Hainan officers tied to APT40","description":"The U.S. Department of Justice unsealed an indictment charging four Chinese nationals — three Ministry of State Security (MSS) officers from the Hainan State Security Department and one contractor — with a multi-year global computer intrusion campaign targeting research institutions, universities, and private-sector victims across more than a dozen countries.","published":"2021-07-19T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--7f55fd6a-8271-5c64-b23f-a1d0d0882cf5"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/four-chinese-nationals-working-ministry-state-security-charged-global-computer-intrusion"}],"labels":["doj","indictment","mss"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--3c3fcdb6-c369-5e16-8d87-6b35aff73f35","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN thyssenkrupp-marinesystems.org","description":"Typosquat of Thyssenkrupp Marine Systems (German naval shipbuilder) listed in the domain appendix of CISA AA21-200A as APT40 infrastructure - consistent with the Hainan State Security Department's interest in naval technology.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'thyssenkrupp-marinesystems.org']","pattern_type":"stix","valid_from":"2021-07-19T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--1baf8997-5061-5b5b-b200-c93708e9f07c","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--3c3fcdb6-c369-5e16-8d87-6b35aff73f35","target_ref":"intrusion-set--7f55fd6a-8271-5c64-b23f-a1d0d0882cf5"},{"type":"indicator","spec_version":"2.1","id":"indicator--f5ba7353-f607-507a-9386-f3fdceb61179","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN huntingtomingalls.com","description":"Typosquat of `huntingtoningalls.com` (Huntington Ingalls Industries, a U.S. Navy shipbuilder) listed in the domain appendix of CISA AA21-200A. Characteristic of APT40's MSS Hainan-directed targeting of the U.S. maritime defense industrial base.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'huntingtomingalls.com']","pattern_type":"stix","valid_from":"2021-07-19T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6620c8f5-a1ea-5200-be3a-2df1a0dd77dc","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--f5ba7353-f607-507a-9386-f3fdceb61179","target_ref":"intrusion-set--7f55fd6a-8271-5c64-b23f-a1d0d0882cf5"},{"type":"indicator","spec_version":"2.1","id":"indicator--cf99ccb8-a896-5f90-9a42-a903aac75946","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME AIRBREAK (AIRBREAK)","description":"AIRBREAK (a.k.a. Orz) JavaScript-based backdoor enumerated in the malware-family list of CISA AA21-200A as part of APT40's toolkit. Cross-referenced to MITRE S0229.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'AIRBREAK']","pattern_type":"stix","valid_from":"2021-07-19T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-200a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--ccd201ec-3a83-50fb-9e76-519f7855b82e","created":"2021-07-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--cf99ccb8-a896-5f90-9a42-a903aac75946","target_ref":"intrusion-set--7f55fd6a-8271-5c64-b23f-a1d0d0882cf5"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5","created":"2012-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT41","description":"Chinese state-affiliated group notable for blending espionage with financially-motivated operations (game-industry currency theft, cryptocurrency). Implicated in multiple software supply-chain compromises. U.S. DOJ indicted five members in 2020.","first_seen":"2012-01-01T00:00:00.000Z","aliases":["WICKED PANDA","BARIUM","Brass Typhoon"],"goals":["espionage","financial gain"],"primary_motivation":"personal-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["technology","video games","telecommunications","healthcare"],"x_threatintel_target_countries":["US","KR","TW","HK","JP","GB","IN","SG","MY"],"x_threatintel_attack_techniques":["T1195.002","T1505.003","T1059.001","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--ecc1b116-df93-5efa-965e-691f831df0ef","created":"2025-05-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Google GTIG disrupts APT41 TOUGHPROGRESS Google-Calendar-C2 campaign","description":"Google Threat Intelligence Group (Mandiant) documented APT41 (HOODOO) abusing Google Calendar as a covert command-and-control channel for a multi-stage implant family it named TOUGHPROGRESS, delivered via spear-phishing ZIPs hosted on a compromised government website. The lure masqueraded as an export-declaration document and chained a disguised LNK, an image-decoded payload, and a DLL loader. Google disrupted the campaign by fingerprinting and terminating the attacker-controlled Calendars and Workspace projects.","published":"2025-05-28T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"],"external_references":[{"source_name":"Google Cloud / Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/apt41-innovative-tactics"}],"labels":["c2","google-workspace","spear-phishing","china"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--95f320af-7a6e-5b24-ba26-916adadf614b","created":"2022-03-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"APT41 compromises at least six U.S. state government networks","description":"Mandiant reported that APT41 successfully compromised at least six U.S. state government networks between May 2021 and February 2022 via web-application exploitation, including rapid weaponization of zero-day vulnerabilities in USAHerds and Log4j.","published":"2022-03-08T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"],"external_references":[{"source_name":"Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/apt41-us-state-governments"}],"labels":["us-state-government","log4shell","usaherds"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--c182158a-8c11-5bfa-a8fe-cda783febd21","created":"2020-09-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ indicts five APT41 members for global intrusions","description":"DOJ unsealed charges against five Chinese nationals associated with APT41 for computer intrusions affecting over 100 victim companies in the U.S. and abroad — spanning software development, social media, video games, telecommunications, universities, and foreign governments.","published":"2020-09-16T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer"}],"labels":["indictment","supply-chain"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--857d8fa8-4a61-52a3-9ea4-e5a3d7533b69","created":"2017-09-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CCleaner supply-chain compromise attributed to APT41","description":"Trojanized CCleaner installer was distributed via Piriform's official update channel for approximately a month, reaching more than 2.27 million users. Second-stage targeting focused on technology companies; attributed by multiple researchers to the APT41/Barium intrusion set.","published":"2017-09-18T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"],"external_references":[{"source_name":"Cisco Talos","url":"https://blog.talosintelligence.com/avast-distributes-malware/"}],"labels":["supply-chain","trojanized-installer"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--e1c7d6c2-c135-5d08-94f8-e4751d601c32","created":"2024-07-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 9991ce9d2746313f505dbf0487337082 (DUSTTRAP)","description":"MD5 of a `dbgeng.dll` DUSTTRAP plugin-framework sample listed in the host-based IOC table of Mandiant's APT41 DUST report. DUSTTRAP is a multi-stage backdoor that AES-128-CFB decrypts an on-disk payload and runs it in memory.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '9991ce9d2746313f505dbf0487337082']","pattern_type":"stix","valid_from":"2024-07-18T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant / Google Cloud","url":"https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--59e86777-d8ff-5391-9267-fb34a0335a25","created":"2024-07-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e1c7d6c2-c135-5d08-94f8-e4751d601c32","target_ref":"intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"},{"type":"indicator","spec_version":"2.1","id":"indicator--472a386f-d84c-5414-bcb5-bf290d30be4a","created":"2024-07-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 17d0ada8f5610ff29f2e8eaf0e3bb578 (DUSTPAN)","description":"MD5 of an `aclui.dll` DUSTPAN in-memory dropper sample, listed in the host-based IOC table of Mandiant's 'APT41 Has Arisen From the DUST' report. DUSTPAN is a C++ ChaCha20 loader masked as `w3wp.exe` / `conn.exe`.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '17d0ada8f5610ff29f2e8eaf0e3bb578']","pattern_type":"stix","valid_from":"2024-07-18T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant / Google Cloud","url":"https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--f7966135-74f5-5dd8-b0a8-087556031d2b","created":"2024-07-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--472a386f-d84c-5414-bcb5-bf290d30be4a","target_ref":"intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"},{"type":"indicator","spec_version":"2.1","id":"indicator--bdba2721-a803-526a-b31b-ae37c26f8765","created":"2024-02-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN www.eloples.com (DUSTTRAP)","description":"DUSTTRAP command-and-control FQDN observed by Mandiant during the APT41 DUST campaign (first observed 2024-02-21, last observed 2024-07-16). Listed in the Network-Based Indicators table of the Google Cloud / Mandiant report.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'www.eloples.com']","pattern_type":"stix","valid_from":"2024-02-21T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant / Google Cloud","url":"https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--03d9f587-8224-5613-a29d-93e03de13c55","created":"2024-02-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--bdba2721-a803-526a-b31b-ae37c26f8765","target_ref":"intrusion-set--45c4c9e3-0675-5ed5-8808-f72fc27ac7a5"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--2300c7cc-7f68-52d7-a27b-080dc65b56ca","created":"2022-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Black Basta","description":"Russian-speaking closed-affiliate ransomware operation widely assessed as a Conti spinoff that began encrypting victims in April 2022, days before the Conti brand wound down following the February 2022 Conti Leaks. Affiliate roster reportedly includes former Conti (Wizard Spider) and REvil members. Heavy targeting of healthcare and U.S. critical-infrastructure sectors; pivoted in mid-2024 to a 'vishing + Microsoft Teams social-engineering' initial-access pattern. Internal chat logs leaked in February 2025 ('BlackBastaGPT' dataset) publicly exposed operations and accelerated the brand's fragmentation.","first_seen":"2022-04-01T00:00:00.000Z","aliases":["UNC4393","Storm-1811","BlackBasta"],"last_seen":"2025-02-01T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","manufacturing","financial","construction","government"],"x_threatintel_target_countries":["US","DE","GB","CA","AU","FR","IT"],"x_threatintel_attack_techniques":["T1486","T1490","T1566.004","T1219"]},{"type":"report","spec_version":"2.1","id":"report--5c996423-fb2a-531c-8247-a54513c747e5","created":"2025-02-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Black Basta internal chat logs leaked (BlackBastaGPT dataset)","description":"A leaker published 200,000+ internal Matrix chat messages from the Black Basta operation spanning September 2023 to September 2024. The dataset (subsequently indexed by researchers as 'BlackBastaGPT') exposed operator handles, internal disputes after a Black Basta affiliate compromised a Russian state-aligned victim, the operation's exploit and CVE-tracking process, and ties to the broader Conti-lineage ecosystem. The leak accelerated the brand's fragmentation and operator dispersion.","published":"2025-02-11T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2300c7cc-7f68-52d7-a27b-080dc65b56ca"],"external_references":[{"source_name":"Hudson Rock / open-source","url":"https://www.hudsonrock.com/blog/introducing-blackbastagpt-an-ai-trained-on-1-million-leaked-messages-from-black-basta-ransomware"}],"labels":["leak","ransomware","open-source-intelligence"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--2d9b8038-8c43-582d-85c3-22ceb62a19d2","created":"2024-10-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 170.130.165.73 (Black Basta)","description":"Likely Black Basta Cobalt Strike infrastructure first seen October 14, 2024 per Table 7 of the November 8, 2024 update to AA24-131A.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '170.130.165.73']","pattern_type":"stix","valid_from":"2024-10-14T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--8ddc9e66-cd82-566e-83dc-59d446be31f6","created":"2024-10-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--2d9b8038-8c43-582d-85c3-22ceb62a19d2","target_ref":"intrusion-set--2300c7cc-7f68-52d7-a27b-080dc65b56ca"},{"type":"indicator","spec_version":"2.1","id":"indicator--780297a2-560f-5730-ba71-88f86728e52c","created":"2024-10-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN moereng.com (Black Basta)","description":"Suspected Black Basta Cobalt Strike domain first seen October 9, 2024 and listed in Table 8 of the November 8, 2024 update to joint FBI/CISA/HHS/MS-ISAC advisory AA24-131A. Black Basta is a Conti-spinoff RaaS that hit more than 500 organizations across 12 critical-infrastructure sectors, including healthcare.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'moereng.com']","pattern_type":"stix","valid_from":"2024-10-09T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--231b0b4d-f69a-52f2-a4ae-fd4fc1631b39","created":"2024-10-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--780297a2-560f-5730-ba71-88f86728e52c","target_ref":"intrusion-set--2300c7cc-7f68-52d7-a27b-080dc65b56ca"},{"type":"indicator","spec_version":"2.1","id":"indicator--ac6650c4-a428-50d5-a471-8b77b560ecbb","created":"2024-10-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN exckicks.com (Black Basta)","description":"Suspected Black Basta Cobalt Strike domain first seen October 2, 2024, listed alongside moereng.com in Table 8 of the November 8, 2024 update to AA24-131A.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'exckicks.com']","pattern_type":"stix","valid_from":"2024-10-02T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--cba7ea2d-cbde-5bb4-a13e-45d939d688e0","created":"2024-10-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--ac6650c4-a428-50d5-a471-8b77b560ecbb","target_ref":"intrusion-set--2300c7cc-7f68-52d7-a27b-080dc65b56ca"},{"type":"indicator","spec_version":"2.1","id":"indicator--a8008db5-042e-5c7d-a75c-2fb445109e57","created":"2024-05-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME readme.txt (Black Basta)","description":"Black Basta ransom note filename described in AA24-131A; the note omits a payment amount and directs victims to a .onion site (Basta News). Encrypted files receive a .basta or random extension after ChaCha20+RSA-4096 encryption.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'readme.txt']","pattern_type":"stix","valid_from":"2024-05-10T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--70e6ceec-d887-511f-9ce1-b0b1f9161d74","created":"2024-05-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--a8008db5-042e-5c7d-a75c-2fb445109e57","target_ref":"intrusion-set--2300c7cc-7f68-52d7-a27b-080dc65b56ca"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--eea7fa27-f719-5554-834f-2e45fedfd57e","created":"2022-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"BlackSuit","description":"Russian-speaking ransomware-as-a-service operation operating under the Royal brand from September 2022 to June 2023, then rebranding as BlackSuit. Confirmed as a direct continuation by FBI/CISA in joint advisory AA23-061A (updated August 2024) based on code, infrastructure, and TTP continuity. The lineage traces back further to the short-lived Quantum brand, itself a Conti-family spinoff. Heavy targeting of healthcare, education, and manufacturing; ransom demands up to $60M.","first_seen":"2022-09-01T00:00:00.000Z","aliases":["Royal","Quantum (precursor)"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","education","manufacturing","communications","government"],"x_threatintel_target_countries":["US","GB","CA","DE","BR"],"x_threatintel_attack_techniques":["T1486","T1490","T1566.001","T1219"]},{"type":"report","spec_version":"2.1","id":"report--3a84f25e-8f38-5c18-bcf9-3d375072b864","created":"2024-08-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CISA/FBI update AA23-061A confirming Royal → BlackSuit rebrand","description":"FBI and CISA updated joint advisory AA23-061A to notify defenders that Royal ransomware actors had rebranded as BlackSuit. The update added IOCs and TTPs from FBI investigations as recent as July 2024. The advisory tracks the lineage Royal (Sept 2022-June 2023) → BlackSuit (June 2023+) with ransom demands ranging $1M-$60M and $500M+ in cumulative demands.","published":"2024-08-07T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--eea7fa27-f719-5554-834f-2e45fedfd57e"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"}],"labels":["rebrand","ransomware","advisory-update"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--7179d707-36bf-5d61-958b-2921fb76231b","created":"2024-08-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME readme.BlackSuit.txt (BlackSuit)","description":"BlackSuit ransom note filename documented in YARA rules and IOC tables of the August 7, 2024 update to AA23-061A. Royal-era victims received README.TXT with the .royal extension; BlackSuit demands have totaled $500M+ with individual asks up to $60M.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'readme.BlackSuit.txt']","pattern_type":"stix","valid_from":"2024-08-07T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--610a0447-0755-5ba3-93a4-de42912c863e","created":"2024-08-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--7179d707-36bf-5d61-958b-2921fb76231b","target_ref":"intrusion-set--eea7fa27-f719-5554-834f-2e45fedfd57e"},{"type":"indicator","spec_version":"2.1","id":"indicator--24430c0e-f61a-53ae-a6c7-4b4d2fa6d42d","created":"2024-08-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61 (BlackSuit)","description":"SHA256 of 1.exe, the BlackSuit encryptor identified by FBI in threat-response activity through July 2024 and published in Table 10 of the August 7, 2024 update to joint FBI/CISA advisory AA23-061A - the rebrand of Royal ransomware (active September 2022 through June 2023).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'af9f95497b8503af1a399bc6f070c3bbeabc5aeecd8c09bca80495831ae71e61']","pattern_type":"stix","valid_from":"2024-08-07T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5c42c592-c111-5078-a41c-9986a7c6018e","created":"2024-08-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--24430c0e-f61a-53ae-a6c7-4b4d2fa6d42d","target_ref":"intrusion-set--eea7fa27-f719-5554-834f-2e45fedfd57e"},{"type":"indicator","spec_version":"2.1","id":"indicator--18c7528e-e46b-5e16-a8b2-723abb5036c7","created":"2023-03-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451 (BlackSuit)","description":"SHA256 of the Chisel TCP/UDP-over-HTTP tunneling tool used by Royal/BlackSuit operators for C2 egress, listed in Table 4 of AA23-061A as of January 2023.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451']","pattern_type":"stix","valid_from":"2023-03-02T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a0bb1373-0f77-55ef-8b29-ad2f21367cd4","created":"2023-03-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--18c7528e-e46b-5e16-a8b2-723abb5036c7","target_ref":"intrusion-set--eea7fa27-f719-5554-834f-2e45fedfd57e"},{"type":"indicator","spec_version":"2.1","id":"indicator--cf3a698c-1189-581f-b93a-1af42402c8a0","created":"2022-12-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN altocloudzone.live (BlackSuit)","description":"Royal/BlackSuit malicious domain last observed December 2022 and published in Table 3 of AA23-061A.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'altocloudzone.live']","pattern_type":"stix","valid_from":"2022-12-01T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6bf969eb-3866-52f1-8baf-bdd9507c79ef","created":"2022-12-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--cf3a698c-1189-581f-b93a-1af42402c8a0","target_ref":"intrusion-set--eea7fa27-f719-5554-834f-2e45fedfd57e"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"BlueNoroff","description":"DPRK state-sponsored intrusion set treated by most vendors as the financial-operations subgroup of Lazarus, attributed to the Reconnaissance General Bureau. Responsible for the major SWIFT-network bank heists (Bangladesh Bank 2016, Bancomext / Banco de Chile 2018) and an escalating series of cryptocurrency thefts including the 2022 Ronin Bridge ($625M), 2022 Harmony Horizon Bridge ($100M), and 2024 DMM Bitcoin ($308M) compromises. Operations frequently start with LinkedIn-delivered fake-job lures to engineers at wallet, exchange, or DeFi targets.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["APT38","Stardust Chollima","Sapphire Sleet","COPERNICIUM","TraderTraitor"],"goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:KP"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["financial","cryptocurrency","defi","venture capital"],"x_threatintel_target_countries":["US","JP","KR","GB","DE","SG","VN"],"x_threatintel_attack_techniques":["T1566.003","T1078.004","T1041","T1059.001"]},{"type":"report","spec_version":"2.1","id":"report--d797f785-e814-5da5-869e-91ee1d2b8b71","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Elastic Security Labs exposes KANDYKORN macOS intrusion at crypto exchange","description":"Elastic Security Labs published 'Elastic catches DPRK passing out KANDYKORN,' describing a Lazarus-cluster intrusion (tracked as REF7001) against blockchain engineers at a cryptocurrency exchange. Operators impersonated community members on Discord and delivered a Python 'arbitrage bot' that staged the SUGARLOADER and HLOADER components and ultimately deployed the KANDYKORN backdoor for remote command execution and file operations.","published":"2023-11-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"],"external_references":[{"source_name":"Elastic Security Labs","url":"https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn"}],"labels":["macos","kandykorn","cryptocurrency","discord"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--a8c18ffc-e925-5470-bd89-71c5783e8448","created":"2023-04-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Jamf Threat Labs discloses RustBucket macOS malware tied to BlueNoroff","description":"Jamf Threat Labs published analysis of RustBucket, a multi-stage macOS malware family attributed to BlueNoroff. The infection chain begins with a backdoored 'Internal PDF Viewer' application that only activates malicious behaviour when a specifically crafted decoy PDF is opened, then retrieves a Rust-based stage-three payload for reconnaissance and follow-on operations against finance-sector targets in Asia, Europe, and the United States.","published":"2023-04-21T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"],"external_references":[{"source_name":"Jamf Threat Labs","url":"https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"}],"labels":["macos","rustbucket","malware-report","finance"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--fc8bdf73-f2b7-57cb-8272-7ea2d496f773","created":"2022-04-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CISA/FBI/Treasury joint advisory AA22-108A on TraderTraitor","description":"FBI, CISA, and the U.S. Treasury issued joint advisory AA22-108A warning that a DPRK state-sponsored APT tracked as Lazarus, APT38, BlueNoroff, and Stardust Chollima was targeting blockchain firms with trojanised cryptocurrency trading applications collectively named TraderTraitor. The malware family is built on cross-platform Electron/Node.js code, delivered through spearphishing that mimics recruiter outreach to DevOps and IT staff at crypto exchanges and DeFi protocols.","published":"2022-04-18T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-108a"}],"labels":["advisory","cryptocurrency","tradertraitor","dprk"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--fe4abd62-e371-5c72-bfc6-018fe4906d5d","created":"2022-01-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Kaspersky exposes SnatchCrypto campaign draining cryptocurrency startups","description":"Kaspersky published 'The BlueNoroff cryptocurrency hunt is still on,' detailing a multi-year campaign dubbed SnatchCrypto in which BlueNoroff impersonated venture capital firms to spearphish fintech, DeFi, and blockchain startups. The actor used weaponised Office documents and LNK files, surveilled victims for weeks, and in high-value cases swapped the MetaMask browser extension with a trojanised build to alter outgoing transactions at signing time.","published":"2022-01-13T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"],"external_references":[{"source_name":"Kaspersky (Securelist)","url":"https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/"}],"labels":["cryptocurrency","spearphishing","metamask","snatchcrypto"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--856f8d5d-377e-592b-8749-98e635d3b16d","created":"2017-04-03T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Securelist 'Lazarus Under the Hood' details Bangladesh Bank SWIFT heist","description":"Kaspersky's Global Research and Analysis Team published technical analysis tying the February 2016 fraudulent SWIFT transfers from Bangladesh Bank's New York Federal Reserve account — through which attackers moved roughly $81 million — to the Lazarus cluster's financial subgroup later widely tracked as BlueNoroff / APT38. The report documents shared tooling, infrastructure, and operator tradecraft across attacks on banks in multiple countries.","published":"2017-04-03T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"],"external_references":[{"source_name":"Kaspersky (Securelist)","url":"https://securelist.com/lazarus-under-the-hood/77908/"}],"labels":["financial","swift","bank-heist","dprk"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--c29419aa-aeee-5246-b95d-27d5e52b79d5","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6 (KANDYKORN)","description":"SHA-256 of the KANDYKORN macOS backdoor staged via SUGARLOADER in the Elastic-tracked REF7001 intrusion against a cryptocurrency exchange. Capabilities include arbitrary command execution, file upload/download, directory listing, and secure deletion.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '927b3564c1cf884d2a05e1d7bd24362ce8563a1e9b85be776190ab7f8af192f6']","pattern_type":"stix","valid_from":"2023-11-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Elastic Security Labs","url":"https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6fd6d3c0-0df7-5c20-b234-2784e5d60d6b","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c29419aa-aeee-5246-b95d-27d5e52b79d5","target_ref":"intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"},{"type":"indicator","spec_version":"2.1","id":"indicator--05f0c8dc-fe4b-5ee5-9f08-b440aef2cb68","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN tp-globa.xyz (KANDYKORN)","description":"Command-and-control domain used by the SUGARLOADER stage of the KANDYKORN intrusion chain; identified in Elastic Security Labs' REF7001 report on the DPRK macOS campaign against blockchain engineers.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'tp-globa.xyz']","pattern_type":"stix","valid_from":"2023-11-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Elastic Security Labs","url":"https://www.elastic.co/security-labs/elastic-catches-dprk-passing-out-kandykorn"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a88c1e02-ea3f-528d-b552-e1a4040e891f","created":"2023-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--05f0c8dc-fe4b-5ee5-9f08-b440aef2cb68","target_ref":"intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"},{"type":"indicator","spec_version":"2.1","id":"indicator--65e7ec68-8117-5db6-b52d-c2f7a2ab771c","created":"2023-04-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN cloud.dnx.capital (RustBucket)","description":"C2 domain associated with the RustBucket macOS malware family attributed to BlueNoroff in Jamf Threat Labs' April 2023 disclosure. The malware was delivered via a backdoored 'Internal PDF Viewer' application targeting finance-sector users.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'cloud.dnx.capital']","pattern_type":"stix","valid_from":"2023-04-21T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Jamf Threat Labs","url":"https://www.jamf.com/blog/bluenoroff-apt-targets-macos-rustbucket-malware/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--1dc32042-2a59-5cab-a03c-936879c0a6b6","created":"2023-04-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--65e7ec68-8117-5db6-b52d-c2f7a2ab771c","target_ref":"intrusion-set--03c4a1a0-08c3-5563-a0c1-d665cb6b9a7b"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--ca17078e-954e-5d24-b5e2-0ca49e8e58e2","created":"2020-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Cadet Blizzard","description":"Russian state-sponsored intrusion set publicly assessed by Microsoft as associated with the GRU but operationally distinct from Forest Blizzard (APT28) and Seashell Blizzard (Sandworm). Conducted the January 2022 WhisperGate destructive wiper operation against Ukrainian government and IT-services targets in the weeks preceding Russia's full-scale invasion. Microsoft assesses 'at least one Russian private sector organization has materially supported' Cadet Blizzard operations.","first_seen":"2020-01-01T00:00:00.000Z","aliases":["DEV-0586","Ember Bear","UAC-0056","Bleeding Bear"],"goals":["destruction","espionage","information operations"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","technology","education","ngo"],"x_threatintel_target_countries":["UA","GE","PL","CZ"],"x_threatintel_attack_techniques":["T1485","T1561.002","T1190","T1059.001"]},{"type":"report","spec_version":"2.1","id":"report--a286c123-b913-5673-bc2b-69ee0878e334","created":"2022-01-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Cadet Blizzard deploys WhisperGate wiper against Ukrainian government","description":"Microsoft Threat Intelligence (then MSTIC) disclosed the WhisperGate destructive-malware operation against multiple Ukrainian government, IT services, and NGO organizations, tracked at the time as DEV-0586 and later named Cadet Blizzard. WhisperGate masqueraded as ransomware but wrote a fake ransom message and irretrievably corrupted disks. The operation immediately preceded Russia's full-scale invasion by approximately five weeks.","published":"2022-01-15T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--ca17078e-954e-5d24-b5e2-0ca49e8e58e2"],"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/"}],"labels":["wiper","destructive","ukraine","gru"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--aeccb5bb-2b41-5d68-83f0-100360c27657","created":"2022-01-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78 (WhisperGate)","description":"WhisperGate stage2.exe - the file-corruption stage that overwrites files matching a hardcoded extension list, downloaded over Discord CDN. Hash from Microsoft MSTIC via CISA / FBI AA22-057A Table 1.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78']","pattern_type":"stix","valid_from":"2022-01-13T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-057a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--3d789eb5-328a-5595-b047-901de119ec4d","created":"2022-01-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--aeccb5bb-2b41-5d68-83f0-100360c27657","target_ref":"intrusion-set--ca17078e-954e-5d24-b5e2-0ca49e8e58e2"},{"type":"indicator","spec_version":"2.1","id":"indicator--26029365-b746-5aa6-b0a3-f4b9274276d3","created":"2022-01-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 (WhisperGate)","description":"WhisperGate stage1.exe - MBR-corrupting destructive payload disguised as ransomware, deployed against Ukrainian organisations from 13 January 2022. Hash from Microsoft MSTIC, republished in CISA / FBI AA22-057A Table 1. Microsoft renamed the responsible actor Cadet Blizzard (DEV-0586) in June 2023 and attributed it to a GRU subgroup.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92']","pattern_type":"stix","valid_from":"2022-01-13T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-057a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--090f3284-8921-5070-ae29-ac856b0ffe54","created":"2022-01-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--26029365-b746-5aa6-b0a3-f4b9274276d3","target_ref":"intrusion-set--ca17078e-954e-5d24-b5e2-0ca49e8e58e2"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--3104d900-068d-5e7a-abe3-2a9dfc560f16","created":"2019-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Cl0p","description":"Russian-speaking double-extortion crew historically aligned with TA505/FIN11. Specialized in mass exploitation of managed-file-transfer software zero-days: Accellion FTA (2020), GoAnywhere MFT (early 2023), and the MOVEit Transfer CVE-2023-34362 campaign in mid-2023 that compromised an estimated 2,700+ organizations and exposed personal data on tens of millions of individuals.","first_seen":"2019-02-01T00:00:00.000Z","aliases":["CLOP","TA505","FIN11"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["financial","healthcare","education","government","manufacturing"],"x_threatintel_target_countries":["US","GB","DE","CA","BE","NL","CH"],"x_threatintel_attack_techniques":["T1190","T1486","T1567.002","T1505.003"]},{"type":"report","spec_version":"2.1","id":"report--d4fc8ff5-b773-5c24-b38a-a938b597fa40","created":"2025-09-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Cl0p mass-exfiltrates Oracle E-Business Suite via CVE-2025-61882 zero-day","description":"Cl0p exploited CVE-2025-61882 — a previously-unknown Oracle EBS vulnerability — against internet-facing Oracle E-Business Suite deployments from late July through early September 2025, then on 29 September 2025 blasted out hundreds of extortion emails to executives at victim organisations, using compromised email accounts as the delivery channel. By late October 2025 the operators had named 29 victims on their leak site, including Harvard University, American Airlines subsidiary Envoy Air, The Washington Post, Schneider Electric, Emerson, Logitech, and Cox Enterprises. Operationally identical to Cl0p's prior mass-extortion campaigns against Accellion FTA (2020-2021), Fortra GoAnywhere (2023), MOVEit Transfer (2023), and Cleo Harmony / VLTrader / LexiCom (2024) — Cl0p's enterprise managed-file-transfer / ERP-platform cadence is now annual.","published":"2025-09-29T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--3104d900-068d-5e7a-abe3-2a9dfc560f16"],"external_references":[{"source_name":"Google Cloud / Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation"}],"labels":["zero-day","erp","mass-extortion","oracle"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--3727bc8d-8b02-52c1-91df-8ffcf59920a2","created":"2023-06-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"EMAIL unlock@rsv-box.com (CL0P)","description":"CL0P negotiation email address published in ransom notes during the MOVEit and GoAnywhere campaigns, listed in the email-address IOC table of AA23-158A.","indicator_types":["malicious-activity"],"pattern":"[email-addr:value = 'unlock@rsv-box.com']","pattern_type":"stix","valid_from":"2023-06-07T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a0e80512-e560-5955-a6e4-1d39973011b4","created":"2023-06-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--3727bc8d-8b02-52c1-91df-8ffcf59920a2","target_ref":"intrusion-set--3104d900-068d-5e7a-abe3-2a9dfc560f16"},{"type":"indicator","spec_version":"2.1","id":"indicator--c117f115-f102-5cb6-a079-2e935f2fb28c","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf (LEMURLOOT)","description":"SHA256 of a compiled DLL generated from a human2.aspx LEMURLOOT payload, referenced in the Mandiant YARA rule M_Webshell_LEMURLOOT_DLL_1 included in AA23-158A as a hunting sample for the CL0P MOVEit zero-day intrusion set.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'c58c2c2ea608c83fad9326055a8271d47d8246dc9cb401e420c0971c67e19cbf']","pattern_type":"stix","valid_from":"2023-06-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6b19ff62-91ad-52ca-a099-719c6125b02b","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c117f115-f102-5cb6-a079-2e935f2fb28c","target_ref":"intrusion-set--3104d900-068d-5e7a-abe3-2a9dfc560f16"},{"type":"indicator","spec_version":"2.1","id":"indicator--c64606a1-1a24-5c03-9534-f92119ae946f","created":"2023-05-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME human2.aspx (LEMURLOOT)","description":"LEMURLOOT web-shell filename masquerading as MOVEit's legitimate human.aspx, dropped via CVE-2023-34362 starting May 27, 2023. Primary breach indicator per joint FBI/CISA advisory AA23-158A on the CL0P/TA505 MOVEit campaign.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'human2.aspx']","pattern_type":"stix","valid_from":"2023-05-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--786f2d2c-aa0f-5d38-8c26-977d31a10f34","created":"2023-05-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c64606a1-1a24-5c03-9534-f92119ae946f","target_ref":"intrusion-set--3104d900-068d-5e7a-abe3-2a9dfc560f16"},{"type":"indicator","spec_version":"2.1","id":"indicator--a567696f-8774-5f34-891b-336fae09e1f8","created":"2023-05-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9 (LEMURLOOT)","description":"SHA256 of a LEMURLOOT web-shell ASPX sample listed in the MOVEit Campaign IOC table of AA23-158A; one of the ~40 hashes the FBI/CISA released June 7, 2023 covering TA505 web-shell deployments against MOVEit Transfer.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '0b3220b11698b1436d1d866ac07cc90018e59884e91a8cb71ef8924309f1e0e9']","pattern_type":"stix","valid_from":"2023-05-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-158a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--3afeceb5-e707-5248-8cfa-180a7e97cc12","created":"2023-05-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--a567696f-8774-5f34-891b-336fae09e1f8","target_ref":"intrusion-set--3104d900-068d-5e7a-abe3-2a9dfc560f16"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--8f77a4dd-c33e-5e5c-b4c8-51f8932e68f4","created":"2015-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"COLDRIVER","description":"Russian state-sponsored intrusion set publicly assessed by the UK NCSC and Five Eyes partners as 'almost certainly subordinate to FSB Centre 18'. Conducts targeted credential-phishing operations against UK and U.S. political figures, policy-NGOs, journalists, defense contractors, and academia, frequently using elaborate impersonation personas. The U.S. DOJ unsealed an indictment of FSB officer Ruslan Peretyatko and Andrey Korinets on 7 December 2023; the UK Foreign Office concurrently announced sanctions and public attribution.","first_seen":"2015-01-01T00:00:00.000Z","aliases":["Star Blizzard","SEABORGIUM","Callisto Group","TA446","BlueCharlie"],"goals":["espionage","information operations"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","ngo","academia","defense","journalism"],"x_threatintel_target_countries":["US","GB","UA","DE","FR","BE","PL"],"x_threatintel_attack_techniques":["T1566.001","T1056.003","T1078","T1078.004"]},{"type":"report","spec_version":"2.1","id":"report--5f2a3964-1e29-5d1c-9f03-5427f6cd5933","created":"2023-12-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"UK NCSC + DOJ publicly attribute Star Blizzard to FSB Centre 18","description":"The UK NCSC and Five Eyes partners issued a joint advisory assessing that COLDRIVER (Star Blizzard / Callisto / SEABORGIUM) is 'almost certainly subordinate to FSB Centre 18'. The UK Foreign Office concurrently sanctioned two named operators, and the U.S. DOJ unsealed an indictment of FSB officer Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets for spear-phishing campaigns against U.S., UK, NATO, and Ukrainian targets.","published":"2023-12-07T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--8f77a4dd-c33e-5e5c-b4c8-51f8932e68f4"],"external_references":[{"source_name":"UK National Cyber Security Centre","url":"https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns"}],"labels":["fsb","spear-phishing","five-eyes","sanctions"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--938caf07-1e26-5803-ab43-31c6d9e5ae9e","created":"2023-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 c97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d (SPICA)","description":"SPICA - Rust backdoor delivered as 'Proton-decrypter.exe' in a fake PDF-decryption lure. Google Threat Analysis Group disclosed the sample on 18 January 2024 as the first custom malware they have attributed to COLDRIVER (Star Blizzard / Callisto / SEABORGIUM), assessed as FSB Centre 18.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'c97acea1a6ef59d58a498f1e1f0e0648d6979c4325de3ee726038df1fc2e831d']","pattern_type":"stix","valid_from":"2023-09-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Google TAG","url":"https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6417fff3-8078-5b59-9d7b-f098cd5785fe","created":"2023-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--938caf07-1e26-5803-ab43-31c6d9e5ae9e","target_ref":"intrusion-set--8f77a4dd-c33e-5e5c-b4c8-51f8932e68f4"},{"type":"indicator","spec_version":"2.1","id":"indicator--1bcc2f54-3df1-5f1f-8f0b-7eb7f9e397cf","created":"2019-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Star Blizzard (Callisto / SEABORGIUM)","description":"Long-running FSB Centre 18 spear-phishing cluster targeting academia, defence, NGOs and government in the UK, US and allied countries. NCSC UK and Five Eyes partners published a joint advisory on 7 December 2023; same day, US Treasury (OFAC) and UK sanctioned FSB officer Ruslan Peretyatko and Andrey Korinets for their role in the operation.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Star Blizzard (Callisto / SEABORGIUM)']","pattern_type":"stix","valid_from":"2019-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"NCSC UK","url":"https://www.ncsc.gov.uk/news/star-blizzard-continues-spear-phishing-campaigns"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--ce7c76d2-2077-5e41-9236-75eaaa8951c6","created":"2019-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--1bcc2f54-3df1-5f1f-8f0b-7eb7f9e397cf","target_ref":"intrusion-set--8f77a4dd-c33e-5e5c-b4c8-51f8932e68f4"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--0fd3d884-cc70-50f8-be83-da7aa76c2b0f","created":"2020-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Conti","description":"Russian-speaking ransomware operation that ran the dominant double-extortion brand of 2020-2022. After the group publicly declared support for the Russian invasion of Ukraine in February 2022, an insider leaked the operation's complete Jabber chat archive ('Conti Leaks', 27 February 2022), exposing operator identities, salaries, an org chart, and the Conti v2 builder source code. The Conti brand wound down by mid-2022; operators dispersed into Black Basta, Royal/BlackSuit, BlackByte, Karakurt, Quantum, and other successor operations.","first_seen":"2020-05-01T00:00:00.000Z","aliases":["Wizard Spider","TrickBot Group","Gold Ulrick"],"last_seen":"2022-06-01T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","government","manufacturing","financial"],"x_threatintel_target_countries":["US","GB","DE","FR","IT","CR"],"x_threatintel_attack_techniques":["T1486","T1490","T1078","T1219"]},{"type":"report","spec_version":"2.1","id":"report--78526ae7-0ebd-5ffa-b275-4a4bbf1f7b11","created":"2022-02-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Conti Leaks expose 393 days of internal Jabber chat + v2 source","description":"Days after the Conti operation publicly declared support for the Russian invasion of Ukraine, a pro-Ukraine insider (the 'ContiLeaks' account) published 393 days of the group's internal Jabber chat archive, an org chart, salary records, internal training materials, and source code for the Conti v2 builder. The leak directly mapped operator handles to real-world identities and provided the foundation for subsequent indictments and the Black Basta / Royal / BlackSuit successor-operation lineage.","published":"2022-02-27T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--0fd3d884-cc70-50f8-be83-da7aa76c2b0f"],"external_references":[{"source_name":"ContiLeaks (open-source, mirrored by vx-underground)","url":"https://github.com/vxunderground/ConfluencePages/tree/main/Conti%20Leaks"}],"labels":["leak","insider-threat","open-source-intelligence"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--54ec24e6-f7cf-523c-8c02-e9da242949be","created":"2022-03-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN badiwaw.com (Conti)","description":"One of 98 lookalike domains sharing registration and naming characteristics of Conti-distribution infrastructure published by CISA in the February-March 2022 update to AA21-265A.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'badiwaw.com']","pattern_type":"stix","valid_from":"2022-03-09T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-265a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--1927e2b8-f0d9-5c25-bd40-1f011fe72c75","created":"2022-03-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--54ec24e6-f7cf-523c-8c02-e9da242949be","target_ref":"intrusion-set--0fd3d884-cc70-50f8-be83-da7aa76c2b0f"},{"type":"indicator","spec_version":"2.1","id":"indicator--cb2c05c7-1944-56a0-8b50-ca3cca864c03","created":"2021-09-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 185.141.63.120 (Conti)","description":"Cobalt Strike C2 server IP attributed to Conti operators in the leaked-playbook artifacts referenced in the March 2022 update to AA21-265A. Conti relied on Cobalt Strike alongside TrickBot for post-exploitation.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '185.141.63.120']","pattern_type":"stix","valid_from":"2021-09-22T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-265a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--eb257f32-22be-513a-9056-bbb570cbf603","created":"2021-09-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--cb2c05c7-1944-56a0-8b50-ca3cca864c03","target_ref":"intrusion-set--0fd3d884-cc70-50f8-be83-da7aa76c2b0f"},{"type":"indicator","spec_version":"2.1","id":"indicator--f58b74e5-bc57-5a12-a5e6-206a8b3dba28","created":"2021-09-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 162.244.80.235 (Conti)","description":"Cobalt Strike C2 server IP identified in artifacts leaked with the Conti 'playbook' and republished in the March 9, 2022 update to joint CISA/FBI/NSA/USSS advisory AA21-265A as previously used by Conti affiliates.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '162.244.80.235']","pattern_type":"stix","valid_from":"2021-09-22T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-265a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--cc334515-ba0a-5a9d-9bf2-19c09273af8b","created":"2021-09-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--f58b74e5-bc57-5a12-a5e6-206a8b3dba28","target_ref":"intrusion-set--0fd3d884-cc70-50f8-be83-da7aa76c2b0f"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885","created":"2020-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CyberAv3ngers","description":"Iranian state-aligned hacktivist persona publicly attributed by the U.S. Treasury OFAC in February 2024 as a front for the IRGC Cyber-Electronic Command. Conducts opportunistic compromise of internet-exposed Israeli-made Unitronics Vision-series PLCs to deface operator screens at water and wastewater utilities. The November 2023 attack on the Municipal Water Authority of Aliquippa (Pennsylvania) drove a joint CISA/FBI/EPA/NSA advisory.","first_seen":"2020-01-01T00:00:00.000Z","aliases":["Cyber Av3ngers","Soldiers of Solomon"],"goals":["disruption","information operations"],"primary_motivation":"ideology","labels":["country:IR"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["water","wastewater","manufacturing","energy"],"x_threatintel_target_countries":["IL","US","IE"],"x_threatintel_attack_techniques":["T0883","T0846","T0855"]},{"type":"report","spec_version":"2.1","id":"report--9f291b93-00fd-52f8-b421-f53a690f22f5","created":"2024-12-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Claroty Team82 details IOCONTROL malware targeting fuel-management systems","description":"Claroty's Team82 published analysis of IOCONTROL, a custom Linux malware platform built for OT and IoT devices and attributed to CyberAv3ngers. The reverse-engineered sample targeted Orpak and Gasboy fuel-management systems at gas stations in Israel and the United States; it uses MQTT over TLS on port 8883 for command and control and DNS-over-HTTPS for C2 resolution, blending into legitimate IoT telemetry. Affected device classes include routers, PLCs, HMIs, firewalls, and IP cameras from multiple vendors.","published":"2024-12-10T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885"],"external_references":[{"source_name":"Claroty Team82","url":"https://claroty.com/team82/research/inside-a-new-ot-iot-cyber-weapon-iocontrol"}],"labels":["malware-report","ot","iot","iocontrol","fuel-systems"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--b5982020-a0ae-5997-84eb-2fa64085ae1e","created":"2024-02-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Treasury sanctions six IRGC-CEC officials behind CyberAv3ngers operations","description":"OFAC designated six senior officials of the IRGC Cyber-Electronic Command (IRGC-CEC) — Hamid Reza Lashgarian, Mahdi Lashgarian, Hamid Homayunfal, Milad Mansuri, Mohammad Bagher Shirinkar, and Reza Mohammad Amin Saberian — for their roles in directing malicious cyber activities against U.S. and partner critical infrastructure, including the late-2023 Unitronics PLC defacements claimed under the CyberAv3ngers persona.","published":"2024-02-02T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/jy2072"}],"labels":["sanctions","ofac","irgc","critical-infrastructure"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--5a16b157-8784-512f-a52f-121d84322953","created":"2023-12-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CISA AA23-335A: IRGC-affiliated actors exploit Unitronics PLCs","description":"CISA, FBI, NSA, EPA, and INCD released joint advisory AA23-335A attributing a wave of attacks on internet-exposed Unitronics Vision Series PLCs to the IRGC-affiliated persona CyberAv3ngers. Devices reachable on default TCP port 20256 with default or blank passwords were brute-forced and defaced; affected sectors included water and wastewater across multiple U.S. states. The advisory was later updated (14 Dec 2023, 18 Dec 2024) with expanded TTPs and a revised victim count of at least 75 devices, 34 in the WWS sector.","published":"2023-12-01T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-335a"}],"labels":["advisory","ics","unitronics","water-sector"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--924f5aa9-d463-51e7-b793-1e008c25dfe8","created":"2023-11-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CyberAv3ngers defaces Unitronics PLC at Municipal Water Authority of Aliquippa","description":"On 25 November 2023 the Municipal Water Authority of Aliquippa, Pennsylvania reported that a booster station's Unitronics Vision Series PLC had been taken over and defaced with a CyberAv3ngers message stating Israeli-made equipment was a legitimate target. Operators failed over to manual control and reported no service interruption; the incident catalysed federal advisories on internet-exposed PLCs in the water sector.","published":"2023-11-25T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885"],"external_references":[{"source_name":"CBS News Pittsburgh","url":"https://www.cbsnews.com/pittsburgh/news/municipal-water-authority-of-aliquippa-hacked-iranian-backed-cyber-group/"}],"labels":["water-sector","ics","plc","defacement"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--df67e832-1674-5065-ae97-a468b7eb2358","created":"2023-12-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 BA284A4B508A7ABD8070A427386E93E0 (Crucio)","description":"MD5 hash listed as 'suspected' in the original (14 Dec 2023) version of CISA AA23-335A as associated with Crucio Ransomware activity attributed to CyberAv3ngers. CISA marked the indicator fidelity as Suspected, not Confirmed; the December 2024 update of the advisory removed IOCs as outdated.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = 'BA284A4B508A7ABD8070A427386E93E0']","pattern_type":"stix","valid_from":"2023-12-14T00:00:00.000Z","confidence":15,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/sites/default/files/2023-12/aa23-335a-irgc-affiliated-cyber-actors-exploit-plcs-in-multiple-sectors-1.pdf"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--cd6498da-1922-5960-a1f4-364936e4aba5","created":"2023-12-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--df67e832-1674-5065-ae97-a468b7eb2358","target_ref":"intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885"},{"type":"indicator","spec_version":"2.1","id":"indicator--9dd9213a-0527-5b38-a3f9-e2b1c89633c1","created":"2023-12-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 178.162.227.180 (Crucio)","description":"IP address listed as 'suspected' in the original CISA AA23-335A appendix as associated with Crucio Ransomware activity tied to CyberAv3ngers. Indicator fidelity in the source is Suspected; the advisory's December 2024 revision removed all IOCs.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '178.162.227.180']","pattern_type":"stix","valid_from":"2023-12-14T00:00:00.000Z","confidence":15,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/sites/default/files/2023-12/aa23-335a-irgc-affiliated-cyber-actors-exploit-plcs-in-multiple-sectors-1.pdf"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5b644b51-801e-5876-90fb-84e53e6ea8b9","created":"2023-12-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--9dd9213a-0527-5b38-a3f9-e2b1c89633c1","target_ref":"intrusion-set--ce51e87d-996b-5849-9369-b8a703a4a885"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--4762047c-7a74-5651-91a2-8ac45cb3e5c9","created":"2020-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DarkSide","description":"Russian-speaking ransomware-as-a-service operation active from August 2020 to May 2021, when an affiliate's compromise of Colonial Pipeline triggered the fuel-supply crisis on the U.S. East Coast and prompted a U.S. policy and law-enforcement response that drove the brand to shut down. Operationally rebranded as BlackMatter (July 2021-November 2021), then ALPHV/BlackCat (November 2021-March 2024) per consistent code, infrastructure, and operator overlap reported by multiple vendors.","first_seen":"2020-08-01T00:00:00.000Z","aliases":["Carbon Spider","UNC2628"],"last_seen":"2021-05-14T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["energy","manufacturing","financial","professional services"],"x_threatintel_target_countries":["US","GB","CA","AU","FR"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1078"]},{"type":"report","spec_version":"2.1","id":"report--7f9c4a65-7c59-595d-9bc4-a85a463bfd57","created":"2021-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DarkSide affiliate compromises Colonial Pipeline, halts East Coast fuel","description":"A DarkSide affiliate compromised Colonial Pipeline — the operator of the largest refined-products pipeline in the United States, supplying ~45% of East Coast fuel — and encrypted business systems. Colonial proactively shut down operational systems and paid a $4.4M ransom; the FBI later recovered ~$2.3M of the BTC. The incident triggered fuel shortages across multiple southeastern states, executive-branch attention from the White House, and the policy pressure that drove DarkSide to shut down its operation within weeks.","published":"2021-05-07T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4762047c-7a74-5651-91a2-8ac45cb3e5c9"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-131a"}],"labels":["critical-infrastructure","ransomware","energy","us"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--12e911ac-6b70-52dd-bec8-5dfe63bd216e","created":"2021-05-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME power_encryptor.exe (DarkSide)","description":"DarkSide encryptor binary name observed across the intrusions Mandiant documented in 'Shining a Light on DARKSIDE' (May 11, 2021) - the public report on the Carbon Spider-aligned RaaS responsible for the Colonial Pipeline shutdown.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'power_encryptor.exe']","pattern_type":"stix","valid_from":"2021-05-11T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--4ad6039f-cd67-5716-88f3-58c0658e6f2a","created":"2021-05-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--12e911ac-6b70-52dd-bec8-5dfe63bd216e","target_ref":"intrusion-set--4762047c-7a74-5651-91a2-8ac45cb3e5c9"},{"type":"indicator","spec_version":"2.1","id":"indicator--36efd292-780e-5635-934e-01bf29765c2d","created":"2021-05-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN darksidedxcftmqa.onion (DarkSide)","description":"DarkSide data-leak Tor hidden service URL embedded in victim ransom notes during the campaigns Mandiant profiled in its May 11, 2021 'Shining a Light on DARKSIDE' report covering UNC2628, UNC2659 and UNC2465 affiliates - the same RaaS used against Colonial Pipeline on May 7, 2021 (CISA AA21-131A).","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'darksidedxcftmqa.onion']","pattern_type":"stix","valid_from":"2021-05-11T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--4a66a535-f686-507b-9b96-9c001efff4f4","created":"2021-05-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--36efd292-780e-5635-934e-01bf29765c2d","target_ref":"intrusion-set--4762047c-7a74-5651-91a2-8ac45cb3e5c9"},{"type":"indicator","spec_version":"2.1","id":"indicator--c3b35475-66c2-59cb-8f3c-6ca5047acb17","created":"2021-05-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN athaliaoriginals.com (DarkSide)","description":"DarkSide command-and-control domain documented in Mandiant's May 11, 2021 report on the DARKSIDE ransomware-as-a-service operation, contemporaneous with the Colonial Pipeline incident addressed in joint CISA/FBI advisory AA21-131A.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'athaliaoriginals.com']","pattern_type":"stix","valid_from":"2021-05-11T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/shining-a-light-on-darkside-ransomware-operations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--2af70482-bdcb-5ec5-a262-ca215a3499d7","created":"2021-05-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c3b35475-66c2-59cb-8f3c-6ca5047acb17","target_ref":"intrusion-set--4762047c-7a74-5651-91a2-8ac45cb3e5c9"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--d1fbe2d8-9375-50b2-91c4-5cce146d38b1","created":"2011-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Deep Panda","description":"Chinese state-sponsored intrusion set assessed to operate on behalf of the Ministry of State Security (MSS). Best known for the OPM breach (discovered May 2014, exfiltration through April 2015) — the largest theft of U.S. government personnel records in history, exposing background-investigation files on roughly 22 million individuals with security clearances — and for the 2014 Anthem health-insurer breach exposing 78.8 million records. The group uses webshells, lateral movement via SMB, and PowerShell-based in-memory execution to maintain long-dwell access to high-value identity repositories.","first_seen":"2011-01-01T00:00:00.000Z","aliases":["Shell Crew","WebMasters","KungFu Kittens","Black Vine","G0009"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","healthcare","defense","financial","technology"],"x_threatintel_target_countries":["US","GB","DE","JP"],"x_threatintel_attack_techniques":["T1059.001","T1505.003","T1021.002","T1078"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--3bed1cce-44eb-531b-a443-2e9ad7e4fd50","created":"2022-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Doppelganger","description":"Russian state-coordinated influence operation publicly attributed by EU DisinfoLab, the European Commission, the U.S. Treasury, and the UK Foreign Office to the Social Design Agency (SDA) and Struktura — two Moscow-based Russian PR firms working under Presidential Administration direction. Clones the visual layout of legitimate Western news outlets (Der Spiegel, Le Parisien, Fox News, Washington Post) and seeds anti-Ukraine narratives. EU sanctions imposed July 2023; U.S. Treasury sanctioned SDA operators in March 2024.","first_seen":"2022-05-01T00:00:00.000Z","aliases":["Recent Reliable News","RRN"],"goals":["information operations"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["media","elections","civil society"],"x_threatintel_target_countries":["DE","FR","PL","US","UA","IT","RO","SE"],"x_threatintel_attack_techniques":["T1583.001","T1585.001"]},{"type":"report","spec_version":"2.1","id":"report--9519765e-683e-5599-998b-f5877bae803b","created":"2024-03-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"U.S. Treasury sanctions Russian Social Design Agency for Doppelganger","description":"U.S. Treasury OFAC sanctioned two Russian companies — the Social Design Agency (SDA) and Structura — and their principals for executing the Doppelganger influence operation on behalf of the Russian Presidential Administration. The sanctions followed similar EU designations from August 2023 and were intended to disrupt the procurement of Western IT services used to host the operation's cloned news-site infrastructure.","published":"2024-03-20T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--3bed1cce-44eb-531b-a443-2e9ad7e4fd50"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/jy2195"}],"labels":["sanctions","disinformation","russia"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--91f0ca2c-630d-5d36-b42a-52ee64bc420a","created":"2024-09-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN washingtonpost.pm","description":"Spoofed clone of The Washington Post used to host Doppelganger propaganda targeting U.S. audiences. Seized by the U.S. DOJ on 4 September 2024 as part of an action against 32 Doppelganger domains operated by Russia's Social Design Agency (SDA), Structura and ANO Dialog at the direction of the Russian Presidential Administration.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'washingtonpost.pm']","pattern_type":"stix","valid_from":"2024-09-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--b2891893-7223-5348-b41c-a39d9c693771","created":"2024-09-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--91f0ca2c-630d-5d36-b42a-52ee64bc420a","target_ref":"intrusion-set--3bed1cce-44eb-531b-a443-2e9ad7e4fd50"},{"type":"indicator","spec_version":"2.1","id":"indicator--28e04c7e-a306-55cb-847e-3eb3fa282395","created":"2024-09-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN lemonde.ltd","description":"Spoofed clone of French daily Le Monde used in the Doppelganger influence operation; among the 32 domains seized by the U.S. DOJ on 4 September 2024. The same operation was sanctioned by US Treasury on 5 March 2024 (naming SDA founder Ilya Gambashidze) and exposed earlier by EU DisinfoLab in 2022.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'lemonde.ltd']","pattern_type":"stix","valid_from":"2024-09-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5995d077-9269-5aa3-87f9-89bc656151bd","created":"2024-09-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--28e04c7e-a306-55cb-847e-3eb3fa282395","target_ref":"intrusion-set--3bed1cce-44eb-531b-a443-2e9ad7e4fd50"},{"type":"indicator","spec_version":"2.1","id":"indicator--55e0e280-6eb7-51df-a334-5e72ab685339","created":"2024-09-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN bild.work","description":"Spoofed clone of German tabloid Bild used in the Doppelganger influence operation; among the 32 domains seized by the U.S. DOJ on 4 September 2024.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'bild.work']","pattern_type":"stix","valid_from":"2024-09-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/justice-department-disrupts-covert-russian-government-sponsored-foreign-malign-influence"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--7d637d91-f594-573d-81bf-f2cd6db92906","created":"2024-09-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--55e0e280-6eb7-51df-a334-5e72ab685339","target_ref":"intrusion-set--3bed1cce-44eb-531b-a443-2e9ad7e4fd50"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--8450e71f-8242-5b75-9282-6d37f0e18283","created":"2011-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Dragonfly","description":"Russian state-sponsored intrusion set publicly attributed by the U.S. DOJ and Treasury OFAC to FSB Center 16 (Military Unit 71330). Long-running targeting of the energy, nuclear, water, aviation, and government sectors across North America and Europe — emphasis on ICS reconnaissance and supply-chain compromise of vendors serving operational technology customers. DOJ indicted three FSB officers in 2022 for the campaign.","first_seen":"2011-01-01T00:00:00.000Z","aliases":["Berserk Bear","Energetic Bear","DYMALLOY","TEMP.Isotope","IRON LIBERTY"],"goals":["espionage","pre-positioning"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["energy","nuclear","water","aviation","government","ics"],"x_threatintel_target_countries":["US","GB","DE","UA","TR","CA","FR"],"x_threatintel_attack_techniques":["T1190","T1566.001","T1078","T0866"]},{"type":"report","spec_version":"2.1","id":"report--5bdb3853-1d97-5f44-b3f4-442d0a1b3b66","created":"2022-03-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals charges against three FSB Center 16 officers (Dragonfly)","description":"U.S. DOJ unsealed an indictment of three FSB Center 16 officers — Pavel Aleksandrovich Akulov, Mikhail Mikhailovich Gavrilov, and Marat Valeryevich Tyukov — for the long-running Dragonfly / Berserk Bear campaign against energy-sector organizations in 135 countries. Charges spanned 2012-2017 campaigns against U.S. nuclear power operators (including Wolf Creek Nuclear) and the 2017 Saudi Aramco TRITON safety-system intrusion.","published":"2022-03-24T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--8450e71f-8242-5b75-9282-6d37f0e18283"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/us-charges-4-russian-government-employees-two-historical-hacking-campaigns-targeting"}],"labels":["indictment","ics","energy","fsb"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--415c4839-efc6-5699-87d3-30e6969b7466","created":"2022-03-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Triton / Havex - DOJ 2022 indictment (Akulov, Gavrilov, Tyukov)","description":"On 24 March 2022 the U.S. DOJ unsealed an indictment charging three FSB Centre 16 officers - Pavel Akulov, Mikhail Gavrilov, and Marat Tyukov - for a 2012-2017 energy-sector intrusion campaign tracked publicly as Dragonfly / Berserk Bear / Energetic Bear / Crouching Yeti, including the Wolf Creek nuclear plant compromise.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Triton / Havex - DOJ 2022 indictment (Akulov, Gavrilov, Tyukov)']","pattern_type":"stix","valid_from":"2022-03-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/d9/press-releases/attachments/2022/03/24/ks_akulov_gavrilov_tyukov_0.pdf"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--afda1729-d856-5b1e-b5e3-ee4bded2b1de","created":"2022-03-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--415c4839-efc6-5699-87d3-30e6969b7466","target_ref":"intrusion-set--8450e71f-8242-5b75-9282-6d37f0e18283"},{"type":"indicator","spec_version":"2.1","id":"indicator--1d903b8d-7211-58b9-8723-a53bdac6b0df","created":"2013-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Havex (Backdoor.Oldrea) (Havex)","description":"OPC-aware RAT used by Dragonfly / Energetic Bear from 2013 in supply-chain compromises of ICS vendor websites (MESA Imaging, eWON/Talk2M, MB Connect Line). Activity is named as BERSERK BEAR in CISA / FBI joint advisory AA22-110A (20 April 2022), which attributes the group to FSB Centre 16 (Military Unit 71330).","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Havex (Backdoor.Oldrea)']","pattern_type":"stix","valid_from":"2013-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0a1c2da8-4036-568e-8adb-74353a1cb8b0","created":"2013-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--1d903b8d-7211-58b9-8723-a53bdac6b0df","target_ref":"intrusion-set--8450e71f-8242-5b75-9282-6d37f0e18283"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--728e018d-71fd-502b-b8c2-e5535cf7c031","created":"2009-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Elderwood","description":"Chinese cyberespionage intrusion set publicly attributed to a Beijing-based group and best known for Operation Aurora — a mid-2009 to January 2010 campaign against Google, Adobe, Juniper Networks, and approximately 30 other technology, defense, and supply-chain firms. Google's January 12 2010 'A new approach to China' blog post publicly disclosed the intrusion and China's role. The 'Elderwood Project' name was coined by Symantec in 2012 after a shared zero-day-delivery framework — the Elderwood platform — used across multiple simultaneously-run supply-chain and watering-hole campaigns against defense manufacturers and NGOs.","first_seen":"2009-06-01T00:00:00.000Z","aliases":["Beijing Group","Sneaky Panda","Elderwood Gang"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["technology","defense","manufacturing","ngo","energy"],"x_threatintel_target_countries":["US","GB","DE","JP","TW"],"x_threatintel_attack_techniques":["T1189","T1203","T1566.001","T1204.002"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--5af82f89-9b1b-586d-acff-d3d2a492bd73","created":"2001-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Equation Group","description":"Long-running intrusion set linked by Kaspersky (Feb 2015) to the U.S. NSA's Tailored Access Operations (TAO). Operators behind Stuxnet, Flame, Duqu, Regin, and a series of advanced implants (Fanny, GrayFish, EquationDrug). Tradecraft includes stolen code-signing certificates, multiple Windows zero-days, HDD firmware persistence, and air-gap-bridging via USB.","first_seen":"2001-01-01T00:00:00.000Z","aliases":["EQGRP","Tilded Team"],"goals":["espionage","sabotage"],"primary_motivation":"organizational-gain","labels":["country:US"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","telecoms","energy","research","nuclear"],"x_threatintel_target_countries":["IR","RU","PK","AF","IN","CN","SY"],"x_threatintel_attack_techniques":["T1091","T1553.002","T1014","T1542.003"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Evil Corp","description":"Russian cybercrime syndicate publicly attributed by the U.S. Treasury OFAC in December 2019, which sanctioned founder Maksim Yakubets. Operators of the Dridex banking trojan, the BitPaymer and WastedLocker ransomware families, and (per UK NCA October 2024 attribution) the LockBit and HIVE affiliate ecosystems. Treasury attribution made paying their ransoms a sanctions-compliance risk, which the group worked around via brand rotation.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["Indrik Spider","Manatee Tempest","DEV-0243"],"goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"cybercrime","x_threatintel_target_sectors":["financial","manufacturing","media","healthcare"],"x_threatintel_target_countries":["US","GB","FR","DE","ES"],"x_threatintel_attack_techniques":["T1566.001","T1486","T1041","T1059.001"]},{"type":"report","spec_version":"2.1","id":"report--724f7a4b-2821-5f52-a3e4-f6e23a2670e7","created":"2024-10-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"US, UK and Australia issue trilateral Evil Corp sanctions naming FSB enabler Benderskiy","description":"OFAC, the UK Foreign, Commonwealth & Development Office and Australia's Department of Foreign Affairs and Trade jointly sanctioned seven more individuals and two entities tied to Evil Corp. Treasury named Eduard Benderskiy — a former FSB Vympel officer and Yakubets' father-in-law — as the broker who shielded the group from Russian internal authorities after the 2019 designations. The action coincided with Operation Cronos revelations linking Evil Corp deputy Aleksandr Ryzhenkov to LockBit affiliate activity.","published":"2024-10-01T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"],"external_references":[{"source_name":"US Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/jy2623"}],"labels":["sanctions","ofac","fsb","lockbit","operation-cronos"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--845d7b93-eade-58bd-b790-5d15ba308b1c","created":"2024-10-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"UK NCA unmasks Evil Corp's Aleksandr Ryzhenkov as a LockBit affiliate","description":"The UK National Crime Agency announced that data recovered during Operation Cronos identified Aleksandr Ryzhenkov, Maksim Yakubets' deputy, as a prolific LockBit affiliate responsible for attacks against at least 60 organizations since 2022. The NCA framed the move as evidence that 2019 sanctions had forced Evil Corp to abandon proprietary ransomware brands — WastedLocker, Hades, PhoenixLocker, PayloadBIN, Macaw — in favour of operating under established ransomware-as-a-service programmes.","published":"2024-10-01T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"],"external_references":[{"source_name":"UK National Crime Agency","url":"https://nca-newsroom.prgloo.com/news/further-members-of-evil-corp-cyber-crime-group-exposed-one-unmasked-as-lockbit-affiliate"}],"labels":["nca","lockbit","operation-cronos","ransomware"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--61a866c6-b9d6-53a0-bd44-7488543ff1dd","created":"2020-07-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Garmin global outage attributed to Evil Corp WastedLocker ransomware","description":"BleepingComputer confirmed that the 23 July 2020 outage of Garmin Connect, flyGarmin, inReach and related services was caused by a WastedLocker ransomware infection attributed to Evil Corp. Encrypted files carried a '.garminwasted' extension and the operator-issued ransom notes reportedly demanded $10 million. The incident illustrated Evil Corp's post-sanctions pivot from Dridex banking fraud to big-game ransomware.","published":"2020-07-24T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"],"external_references":[{"source_name":"BleepingComputer","url":"https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/"}],"labels":["ransomware","wastedlocker","garmin","big-game"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--a51901fa-3f83-56b9-892f-929101489d13","created":"2020-06-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Symantec discloses WastedLocker wave against 31 US organizations","description":"Symantec's Threat Hunter Team disclosed a wave of WastedLocker ransomware attacks attributed to Evil Corp targeting at least 31 US organizations, including eight Fortune 500 companies across manufacturing, IT and media. The intrusion chain began with the SocGholish JavaScript framework delivered through compromised legitimate websites, followed by Cobalt Strike for lateral movement and culminating in WastedLocker deployment.","published":"2020-06-25T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"],"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://www.security.com/threat-intelligence/wastedlocker-ransomware-us"}],"labels":["ransomware","wastedlocker","socgholish","cobalt-strike"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--41501edc-dc65-5258-86d4-7c0eac5c2dbd","created":"2019-12-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"US Treasury sanctions Evil Corp and designates Maksim Yakubets","description":"The US Treasury's Office of Foreign Assets Control (OFAC) designated Evil Corp together with 17 individuals and seven entities, including alleged leader Maksim Viktorovich Yakubets and administrator Igor Turashev. Treasury attributed the Dridex banking-trojan operation to the group and stated it had caused more than $100 million in theft from financial institutions in over 40 countries. The action was coordinated with the United Kingdom and Australia.","published":"2019-12-05T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"],"external_references":[{"source_name":"US Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/sm845"}],"labels":["sanctions","ofac","dridex","financial-crime"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--25212c19-fcc5-54f4-892c-2721c0afd83c","created":"2019-12-05T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ indicts Maksim Yakubets and Igor Turashev over Bugat/Dridex scheme","description":"A federal grand jury in the Western District of Pennsylvania returned a 10-count indictment charging Maksim Yakubets and Igor Turashev with conspiracy, computer hacking, wire fraud and bank fraud tied to the Bugat / Dridex / Kridex malware family. Yakubets, alias 'aqua', was identified as the leader of Evil Corp; the State Department concurrently announced a $5 million Transnational Organized Crime Rewards Program bounty for information leading to his arrest or conviction — the largest such reward for a cybercriminal to that date.","published":"2019-12-05T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"],"external_references":[{"source_name":"FBI","url":"https://www.fbi.gov/news/stories/charges-announced-in-malware-conspiracy-120519"}],"labels":["indictment","dridex","bugat","doj"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--32260e50-876a-5c75-a4fc-c4a86624b950","created":"2020-06-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA1 887aac61771af200f7e58bf0d02cb96d9befa11d (WastedLocker)","description":"Second WastedLocker payload hash from Symantec's June 2020 report on Evil Corp's coordinated US ransomware campaign.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-1' = '887aac61771af200f7e58bf0d02cb96d9befa11d']","pattern_type":"stix","valid_from":"2020-06-25T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://www.security.com/threat-intelligence/wastedlocker-ransomware-us"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--d50c2d0a-2efd-57c0-8764-3e323cc2b331","created":"2020-06-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--32260e50-876a-5c75-a4fc-c4a86624b950","target_ref":"intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"},{"type":"indicator","spec_version":"2.1","id":"indicator--0493ca7f-95da-5f90-a564-b70181095e15","created":"2020-06-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA1 5cd04805f9753ca08b82e88c27bf5426d1d356bb (WastedLocker)","description":"WastedLocker ransomware sample published in Symantec's June 2020 analysis of Evil Corp attacks against US organizations.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-1' = '5cd04805f9753ca08b82e88c27bf5426d1d356bb']","pattern_type":"stix","valid_from":"2020-06-25T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://www.security.com/threat-intelligence/wastedlocker-ransomware-us"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0dbc8305-c011-5e94-854b-c8b6e691f2d4","created":"2020-06-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--0493ca7f-95da-5f90-a564-b70181095e15","target_ref":"intrusion-set--0415fd0d-f09c-5e5b-a0ce-4f264cfd5c7d"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6","created":"2013-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FIN7","description":"Long-running financially-motivated crew historically tied to the Carbanak intrusion set. Initially targeted point-of-sale systems in the U.S. hospitality and retail sectors (300+ companies, 1,000+ locations breached per DOJ). After three operator arrests in 2018 the group reconstituted and pivoted into ransomware affiliate work, including operating its own short-lived DarkSide-derived brand. Used elaborate fake-company personas to recruit unwitting pen-testers.","first_seen":"2013-01-01T00:00:00.000Z","aliases":["Carbanak Group","Sangria Tempest","ITG14"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"cybercrime","x_threatintel_target_sectors":["retail","hospitality","financial","manufacturing"],"x_threatintel_target_countries":["US","GB","AU","FR"],"x_threatintel_attack_techniques":["T1566.001","T1059.003","T1056.001","T1486"]},{"type":"report","spec_version":"2.1","id":"report--9d233daf-77a7-52d1-9742-4c51e7cdd0f9","created":"2024-07-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SentinelLabs ties AvNeutralizer EDR-killer to FIN7 and multiple RaaS gangs","description":"SentinelLabs reported that FIN7 had been developing and marketing the 'AvNeutralizer' (a.k.a. AuKill) EDR-tampering tool on Russian-language criminal forums since at least April 2022, abusing the Windows ProcLaunchMon.sys driver to disable endpoint protection. The tool was observed in intrusions deploying AvosLocker, MedusaLocker, BlackCat, and LockBit ransomware, underlining FIN7's shift from operating its own POS-fraud crews toward enabling other ransomware affiliates.","published":"2024-07-17T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6"],"external_references":[{"source_name":"SentinelOne","url":"https://www.sentinelone.com/labs/fin7-reboot-cybercrime-gang-enhances-ops-with-new-edr-bypasses-and-automated-attacks/"}],"labels":["edr-bypass","tooling","ransomware-affiliate"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--3b012019-0d3c-5810-835b-708d470bc49f","created":"2023-12-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Microsoft links Sangria Tempest (FIN7) to Clop ransomware deployment via App Installer abuse","description":"Microsoft Threat Intelligence reported that Sangria Tempest (ELBRUS / Carbon Spider / FIN7) was abusing the ms-appinstaller URI scheme to distribute the EugenLoader downloader, which in turn delivered the Carbanak backdoor and Gracewire malware as precursors to human-operated ransomware. Microsoft tied the activity to Sangria Tempest's April 2023 Clop ransomware campaign, the group's first ransomware operation since late 2021.","published":"2023-12-28T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6"],"external_references":[{"source_name":"Microsoft Security Response Center","url":"https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/"}],"labels":["ransomware-affiliate","clop","loader"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--ddd98dda-d86d-541d-9305-58d8c1475ad4","created":"2018-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals indictments against three FIN7 leaders","description":"DOJ unsealed indictments in the Western District of Washington against Ukrainian nationals Dmytro Fedorov, Fedir Hladyr, and Andrii Kolpakov, all alleged to be senior members of FIN7. The 26-count indictment charged conspiracy, wire fraud, computer intrusion, access-device fraud, and aggravated identity theft tied to the theft of more than 15 million payment-card records from over 6,500 POS terminals at 3,600 U.S. business locations. FIN7 ran a sham penetration-testing firm, 'Combi Security,' to recruit operators.","published":"2018-08-01T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6"],"external_references":[{"source_name":"Federal Bureau of Investigation","url":"https://www.fbi.gov/contact-us/field-offices/seattle/news/stories/how-cyber-crime-group-fin7-attacked-and-stole-data-from-hundreds-of-us-companies"}],"labels":["doj","indictment","carbanak","pos"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--6fe6d6a8-44a0-57e7-80d0-64a410d0656d","created":"2017-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MITRE ATT&CK catalogs FIN7 as financially-motivated intrusion set","description":"MITRE ATT&CK published its FIN7 group profile (G0046), tracking the financially-motivated cluster active since at least 2013 against U.S. retail, restaurant, and hospitality targets. The profile records aliases including GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, and Microsoft's later 'Sangria Tempest' designation, and links FIN7 to the CARBANAK backdoor (S0030), GRIFFON, POWERSOURCE, and the Lizar/Diceloader implant.","published":"2017-05-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6"],"external_references":[{"source_name":"MITRE ATT&CK","url":"https://attack.mitre.org/groups/G0046/"}],"labels":["attribution","mitre","carbanak"],"x_threatintel_severity":"info"},{"type":"indicator","spec_version":"2.1","id":"indicator--b8d2b1f0-ee7a-5c27-a6f4-d28a31f42094","created":"2017-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME POWERSOURCE (POWERSOURCE)","description":"PowerShell-based downloader (a.k.a. heavily modified DNSMessenger) tracked by MITRE ATT&CK as S0145 and attributed to FIN7. Used as a first-stage stager in 2017-era FIN7 phishing campaigns to retrieve the TEXTMATE and Carbanak follow-on payloads.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'POWERSOURCE']","pattern_type":"stix","valid_from":"2017-02-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"MITRE ATT&CK","url":"https://attack.mitre.org/groups/G0046/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0ab44429-cb7a-5f88-8071-296712e5e568","created":"2017-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--b8d2b1f0-ee7a-5c27-a6f4-d28a31f42094","target_ref":"intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6"},{"type":"indicator","spec_version":"2.1","id":"indicator--36e38f14-5b2a-5994-84ee-84fbc8d6a34b","created":"2014-12-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Carbanak (Carbanak)","description":"Full-featured remote backdoor family (a.k.a. Anunak) catalogued by MITRE ATT&CK as S0030 and historically attributed to the Carbanak group (G0008) and FIN7 (G0046). Used by FIN7 as part of post-exploitation toolchains delivered via POWERTRASH / EugenLoader.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Carbanak']","pattern_type":"stix","valid_from":"2014-12-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"MITRE ATT&CK","url":"https://attack.mitre.org/software/S0030/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0b6be775-0656-5560-a23d-c09a0df5e5f5","created":"2014-12-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--36e38f14-5b2a-5994-84ee-84fbc8d6a34b","target_ref":"intrusion-set--0eec5139-e297-57e8-a8c5-6dab2d03d2d6"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--b0d70191-2945-5bc5-a387-aa6d7e82f81b","created":"2021-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Flax Typhoon","description":"PRC state-affiliated intrusion set operating through Integrity Technology Group — a Beijing-based, publicly-traded cybersecurity contractor sanctioned by the U.S. Treasury OFAC in January 2025. Specialized in compromising internet-facing IoT devices (routers, IP cameras, NVRs, storage devices) to build a residential-IP proxy botnet. The FBI disrupted a 260,000-device botnet attributed to the group on 18 September 2024, freeing devices spread across the United States, Vietnam, Germany, and other countries.","first_seen":"2021-06-01T00:00:00.000Z","aliases":["Ethereal Panda","RedJuliett"],"goals":["espionage","infrastructure"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","academia","media","telecommunications","manufacturing"],"x_threatintel_target_countries":["US","VN","DE","RO","ZA","FR","GB"],"x_threatintel_attack_techniques":["T1190","T1059.003","T1078","T1090"]},{"type":"report","spec_version":"2.1","id":"report--283bf797-dac3-55d4-9dc9-87ada823d1bc","created":"2024-09-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FBI disrupts 260,000-device Flax Typhoon IoT botnet","description":"FBI Director Christopher Wray announced at the Aspen Cyber Summit that the FBI and partners had disrupted a botnet of 260,000+ compromised IoT devices (routers, IP cameras, NVRs, storage devices) operated by PRC-affiliated Flax Typhoon, identified as operating through Integrity Technology Group — a Beijing-based publicly-traded cybersecurity contractor. Of the compromised devices, approximately half were in the United States. Treasury OFAC subsequently sanctioned Integrity Technology Group in January 2025.","published":"2024-09-18T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--b0d70191-2945-5bc5-a387-aa6d7e82f81b"],"external_references":[{"source_name":"U.S. Federal Bureau of Investigation","url":"https://www.fbi.gov/news/stories/fbi-director-announces-chinese-botnet-disruption-exposes-flax-typhoon-hacker-group-s-true-identity-at-aspen-cyber-summit"}],"labels":["botnet","takedown","iot","china"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--03a95b2a-e1ea-5d74-a869-b103321b82c9","created":"2023-08-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME vpnbridge.exe","description":"SoftEther VPN bridge binary renamed by Flax Typhoon to `conhost.exe` or `dllhost.exe` to masquerade as Windows system components. Microsoft's August 2023 advisory describes this as the actor's signature persistence mechanism, used to tunnel SoftEther over HTTPS to TCP/443.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'vpnbridge.exe']","pattern_type":"stix","valid_from":"2023-08-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a3a0b1ba-4c7d-5067-a41c-b555c688f584","created":"2023-08-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--03a95b2a-e1ea-5d74-a869-b103321b82c9","target_ref":"intrusion-set--b0d70191-2945-5bc5-a387-aa6d7e82f81b"},{"type":"indicator","spec_version":"2.1","id":"indicator--1e7a27a4-55ca-5dc2-859f-bef97eb74eeb","created":"2023-08-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA1 7992c0a816246b287d991c4ecf68f2d32e4bca18","description":"SHA-1 fingerprint of a TLS certificate observed on Flax Typhoon SoftEther VPN bridge infrastructure, published in the August 2023 Microsoft Threat Intelligence disclosure `Flax Typhoon using legitimate software to quietly access Taiwanese organizations`.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-1' = '7992c0a816246b287d991c4ecf68f2d32e4bca18']","pattern_type":"stix","valid_from":"2023-08-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2023/08/24/flax-typhoon-using-legitimate-software-to-quietly-access-taiwanese-organizations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--675055ca-90c6-5d68-9b87-8e553b8d7b5f","created":"2023-08-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--1e7a27a4-55ca-5dc2-859f-bef97eb74eeb","target_ref":"intrusion-set--b0d70191-2945-5bc5-a387-aa6d7e82f81b"},{"type":"indicator","spec_version":"2.1","id":"indicator--e7b19add-a108-59de-b457-bebd5631886e","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN w8510.com","description":"Tier-2 C2 root domain for the `Oriole` campaign of the Raptor Train IoT botnet operated by Flax Typhoon - linked by DOJ/FBI to Beijing-based Integrity Technology Group. Active June 2023 through the FBI takedown announced September 2024; documented by Lumen Black Lotus Labs.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'w8510.com']","pattern_type":"stix","valid_from":"2023-06-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Lumen Black Lotus Labs","url":"https://blog.lumen.com/derailing-the-raptor-train/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--e84c1aa4-c559-55a5-8c20-6e4d86882e0c","created":"2023-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e7b19add-a108-59de-b457-bebd5631886e","target_ref":"intrusion-set--b0d70191-2945-5bc5-a387-aa6d7e82f81b"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294","created":"2013-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Gamaredon","description":"Russian state-sponsored intrusion set publicly attributed by the Security Service of Ukraine (SBU) to FSB officers based in Russian-occupied Crimea. The longest-running publicly-documented intrusion set targeting Ukraine — heavy spear-phishing volume against Ukrainian government, military, security services, and judiciary, with sustained operational tempo throughout the post-2022 full-scale invasion. Tradecraft is noisy and prolific rather than stealthy — weaponized Office docs and PowerShell loaders updated almost daily.","first_seen":"2013-01-01T00:00:00.000Z","aliases":["Primitive Bear","Aqua Blizzard","ACTINIUM","Armageddon","Shuckworm","Trident Ursa"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","military","judiciary","media"],"x_threatintel_target_countries":["UA","PL","LV","LT","BG","BY"],"x_threatintel_attack_techniques":["T1566.001","T1059.001","T1547.001","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--b8004165-1f00-57c1-968c-a47335c8c01a","created":"2025-04-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Shuckworm targets foreign military mission in Ukraine with updated GammaSteel","description":"Symantec disclosed a February–March 2025 Shuckworm campaign against the Ukraine-based mission of a Western military, in which the operators delivered an updated PowerShell variant of the GammaSteel infostealer. Initial access came via an infected removable drive triggering a malicious 'files.lnk' shortcut, with command and control rotated across trycloudflare[.]com tunnels and a Tor-fallback cURL channel for exfiltration.","published":"2025-04-10T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"],"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel"}],"labels":["espionage","ukraine","military","gammasteel","usb"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--7802ac61-cc07-5c4b-b091-335c791742ec","created":"2023-06-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Symantec details Shuckworm long-running intrusions in Ukrainian military and government","description":"Symantec's Threat Hunter Team reported sustained Shuckworm (Gamaredon) intrusions against Ukrainian security, military and government organizations between February and May 2023, with some intrusions persisting for up to three months. The operators sought reporting on Ukrainian service members, battlefield engagements, air strikes and arsenal inventories, and deployed a new PowerShell USB-propagation script to spread the Pterodo backdoor across air-gapped or removable media.","published":"2023-06-15T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"],"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://www.security.com/threat-intelligence/shuckworm-russia-ukraine-military"}],"labels":["espionage","ukraine","military","pterodo","usb"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--63f1d908-76ec-5f9c-a4f9-3f2f613f4422","created":"2022-09-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Cisco Talos reports Gamaredon info-stealer campaign against Ukrainian government","description":"Cisco Talos documented an ongoing Gamaredon espionage campaign running through August 2022 that targeted Ukrainian government agencies with malicious LNK files delivered inside RAR archives. The infection chain relied on PowerShell and VBScript loaders to deploy a custom information stealer alongside the GammaLoad and GammaSteel implants, with lure themes referencing the Russian invasion.","published":"2022-09-15T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"],"external_references":[{"source_name":"Cisco Talos","url":"https://blog.talosintelligence.com/gamaredon-apt-targets-ukrainian-agencies/"}],"labels":["espionage","ukraine","info-stealer","gammaload"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--568b8034-5a45-5f82-9354-6b4f856d2a36","created":"2022-04-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Five Eyes joint advisory AA22-110A names Primitive Bear (Gamaredon) among Russian threats to critical infrastructure","description":"CISA, FBI, NSA and partner agencies from Australia, Canada, New Zealand and the United Kingdom issued joint advisory AA22-110A on Russian state-sponsored and criminal cyber threats to critical infrastructure. The advisory cited Primitive Bear (Gamaredon) as a long-running FSB-attributed actor targeting Ukrainian government, military and law enforcement entities since at least 2013, reaffirming Ukraine's November 2021 attribution to FSB Center 18.","published":"2022-04-20T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-110a"}],"labels":["joint-advisory","five-eyes","critical-infrastructure"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--6334f05e-f21d-5dbd-b8dc-ddbb7f891961","created":"2022-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Microsoft details ACTINIUM (Gamaredon) operations against Ukrainian organizations","description":"Microsoft Threat Intelligence Center (MSTIC) published a detailed report on ACTINIUM — Microsoft's tracking name at the time for Gamaredon, later renamed Aqua Blizzard. The report documented spear-phishing with malicious remote-template macro documents targeting Ukrainian government, military, judiciary, law enforcement, NGOs and humanitarian coordination bodies since October 2021, and described seven custom malware families including PowerPunch, Pterodo and QuietSieve.","published":"2022-02-04T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"],"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"}],"labels":["espionage","ukraine","phishing","pterodo"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--e120e0cb-77ba-5221-9ac6-f85233e92ddd","created":"2021-11-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SBU publicly attributes Gamaredon to FSB Center 18 and names five officers","description":"The Security Service of Ukraine (SBU) publicly attributed the Gamaredon / Armageddon intrusion set to Russia's FSB Center for Information Security (Center 18) operating out of occupied Sevastopol, Crimea. The disclosure named five FSB officers — Sklianko, Chernykh, Starchenko, Miroshnychenko, and Sushchenko — and stated the group had conducted more than 5,000 cyberattacks against Ukrainian government and critical infrastructure systems since 2014.","published":"2021-11-04T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"],"external_references":[{"source_name":"Recorded Future / The Record","url":"https://therecord.media/ukraine-discloses-identity-of-gamaredon-members-links-it-to-russias-fsb"}],"labels":["attribution","fsb","ukraine","russia"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--2abc2bcc-fb3b-5e58-83b3-98c40b5954f4","created":"2025-04-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 714aeb3d778bbd03d0c9eaa827ae8c91199ef07d916405b7f4acd470f9a2a437 (GammaSteel)","description":"GammaSteel PowerShell infostealer component recovered from the February–March 2025 Shuckworm intrusion into a foreign military mission in Ukraine, documented by Symantec's Threat Hunter Team.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '714aeb3d778bbd03d0c9eaa827ae8c91199ef07d916405b7f4acd470f9a2a437']","pattern_type":"stix","valid_from":"2025-04-10T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Symantec (Broadcom)","url":"https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--efe209fd-233f-5bbe-910a-45f1707912f9","created":"2025-04-10T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--2abc2bcc-fb3b-5e58-83b3-98c40b5954f4","target_ref":"intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"},{"type":"indicator","spec_version":"2.1","id":"indicator--d483ef0e-47e8-5c6a-bf1c-52f997cf5a23","created":"2022-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5 (QuietSieve)","description":"QuietSieve information-stealer sample associated with Gamaredon and published in Microsoft's February 2022 ACTINIUM indicator list.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '0afce2247ffb53783259b7dc5a0afe04d918767c991db2da906277898fd80be5']","pattern_type":"stix","valid_from":"2022-02-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c6630c63-bcb4-5236-ae32-e1c19a79ab24","created":"2022-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--d483ef0e-47e8-5c6a-bf1c-52f997cf5a23","target_ref":"intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"},{"type":"indicator","spec_version":"2.1","id":"indicator--274bd85d-4075-5197-997e-1c7eb1042233","created":"2022-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 51b9e03db53b2d583f66e47af56bb0146630f8a175d4a439369045038d6d2a45 (Pterodo)","description":"Pterodo backdoor sample listed in Microsoft Threat Intelligence Center's February 2022 ACTINIUM report on Gamaredon activity against Ukrainian organizations.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '51b9e03db53b2d583f66e47af56bb0146630f8a175d4a439369045038d6d2a45']","pattern_type":"stix","valid_from":"2022-02-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft","url":"https://www.microsoft.com/en-us/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c9daf50a-4859-51d8-8394-8ff71579341f","created":"2022-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--274bd85d-4075-5197-997e-1c7eb1042233","target_ref":"intrusion-set--9bd7720b-0c78-51ab-84c4-54b61c882294"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--1049fced-68df-533d-87cc-ea14e6798b97","created":"2025-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"GTG-1002","description":"PRC state-sponsored intrusion set tracked by Anthropic under the internal designation GTG-1002, publicly disclosed in Anthropic's November 2025 threat-intelligence report as the actor behind the **first publicly-documented case of a large-scale cyberattack executed predominantly by an AI agent** rather than a human operator. The operators jailbroke Claude Code into executing an autonomous agentic-attack workflow — reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, data analysis, exfiltration — against approximately thirty organisations across large technology firms, financial institutions, chemical manufacturers, and government agencies, with a small number of confirmed successful intrusions. Anthropic's assessment is that the AI executed 80-90% of the tactical operations independently, with the human operator confined to high-level direction. GTG-1002 is the first cluster name a frontier-model lab has assigned to a state actor on the basis of *its own model's abuse* rather than downstream telemetry.","first_seen":"2025-09-01T00:00:00.000Z","goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["technology","financial","chemical","government"],"x_threatintel_target_countries":["US","GB","AU","JP"],"x_threatintel_attack_techniques":["T1190","T1078","T1059","T1041"]},{"type":"report","spec_version":"2.1","id":"report--a8e408f2-4469-5363-88cc-d09e4b390cc3","created":"2025-11-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Anthropic discloses GTG-1002 — first AI-orchestrated cyber espionage","description":"Anthropic published its first detailed disclosure of a state-aligned actor running an autonomous agentic-attack workflow on its own platform. The PRC-attributed cluster GTG-1002 was detected in September 2025 manipulating Claude Code into reconnaissance, vulnerability discovery, exploitation, lateral movement, credential harvesting, and exfiltration against approximately thirty large technology firms, financial institutions, chemical manufacturers, and government agencies — with Anthropic assessing 80-90% of tactical operations as executed by the AI agent independently of human direction. A small number of intrusions succeeded. The disclosure is widely regarded as the marker event for state-sponsored agentic cyber operations as a category.","published":"2025-11-13T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--1049fced-68df-533d-87cc-ea14e6798b97"],"external_references":[{"source_name":"Anthropic","url":"https://www.anthropic.com/news/disrupting-AI-espionage"}],"labels":["agentic-ai","ai-misuse","china","frontier-model"],"x_threatintel_severity":"critical"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--eed529ad-0059-5b1d-bbda-956726eb7954","created":"2021-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Hafnium","description":"PRC state-sponsored intrusion set named by Microsoft for the January 2021 mass exploitation of on-prem Exchange Server via the ProxyLogon chain (CVE-2021-26855 / -26857 / -26858 / -27065). Hafnium operated targeted intrusions from leased U.S. VPS infrastructure; after Microsoft's March 2 2021 out-of-band patch dropped, dozens of unrelated actors piled into the vulnerability and shelled ~250,000 internet-exposed Exchange servers globally. Microsoft folded Hafnium into the Silk Typhoon designation in its 2023 weather-system taxonomy.","first_seen":"2021-01-01T00:00:00.000Z","aliases":["Silk Typhoon"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["defense","education","ngos","law","research"],"x_threatintel_target_countries":["US","GB","AU"],"x_threatintel_attack_techniques":["T1190","T1505.003","T1059.001","T1114.002"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--e0a16a09-a581-5fb3-90b4-db80a69e074c","created":"2023-12-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Handala","description":"Pro-Palestine hacktivist persona operated by the Iranian MOIS-affiliated **Void Manticore** cluster — see the parent actor entry for the full attribution chain. Named for the Naji al-Ali cartoon character; emerged December 2023; claims destructive intrusions and data leaks against Israeli organizations across defense, technology, infrastructure, hospitals, and universities. The March 2026 Stryker compromise (200,000+ devices wiped via abuse of the victim's Microsoft Intune tenant) was the persona's first claimed operation against a major U.S. multinational, expanding the target set beyond Israel. Sister personas operated by Void Manticore include Karma (Israel 2023) and Homeland Justice (Albania 2022).","first_seen":"2023-12-01T00:00:00.000Z","goals":["disruption","information operations"],"primary_motivation":"ideology","labels":["country:IR"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["defense","technology","healthcare","government","education","manufacturing"],"x_threatintel_target_countries":["IL","US"],"x_threatintel_attack_techniques":["T1486","T1485","T1561","T1078"]},{"type":"report","spec_version":"2.1","id":"report--338acf75-cd82-58c5-9b1e-793fb65b6113","created":"2026-03-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Handala wipes 200,000+ Stryker devices via Microsoft Intune abuse","description":"Stryker Corporation — one of the world's largest medical-device manufacturers — disclosed a destructive intrusion that disrupted global internal networks and Microsoft systems. Iran-aligned hacktivist persona Handala (assessed by Check Point and Palo Alto Unit 42 as a MOIS-operated front under the Void Manticore umbrella) claimed responsibility, calling the operation retaliation 'for the brutal attack on the Minab school.' Open-source reporting indicates the operators abused Stryker's Microsoft Intune tenant to issue a remote device-wipe command against enrolled endpoints — a novel TTP for the persona and an early data point in a class of MDM-abuse-as-wiper attacks. Stryker confirmed the incident materially impacted Q1 2026 earnings.","published":"2026-03-11T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--e0a16a09-a581-5fb3-90b4-db80a69e074c"],"external_references":[{"source_name":"Krebs on Security","url":"https://krebsonsecurity.com/2026/03/iran-backed-hackers-claim-wiper-attack-on-medtech-firm-stryker/"}],"labels":["wiper","mdm-abuse","intune","medical-devices","iran"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--2a966b45-f263-506c-9f01-1a88f2fdd00d","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 5986ab04dd6b3d259935249741d3eff2 (Handala Wiper)","description":"Handala Wiper executable ('handala.exe') MD5 published in Check Point Research's 2026 'Handala Hack - Unveiling Group's Modus Operandi' follow-up to the May 2024 'Bad Karma, No Justice' report. CPR explicitly attributes the Handala persona to Void Manticore (aka Red Sandstorm / Banished Kitten), affiliated with Iran's MOIS Counter-Terrorism Division.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '5986ab04dd6b3d259935249741d3eff2']","pattern_type":"stix","valid_from":"2024-04-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--4b6efb78-36f9-5296-8136-048753e3ae3e","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--2a966b45-f263-506c-9f01-1a88f2fdd00d","target_ref":"intrusion-set--e0a16a09-a581-5fb3-90b4-db80a69e074c"},{"type":"indicator","spec_version":"2.1","id":"indicator--e0abb9c3-529b-5c38-96d5-f3d419ef297b","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 82.25.35.25","description":"Handala-controlled VPS IP listed in Check Point Research's 2026 report. Used alongside 31.57.35.223 and 107.189.19.52 for hands-on-keyboard operations via RDP and NetBird remote access tooling during MOIS-attributed destructive intrusions in Israel.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '82.25.35.25']","pattern_type":"stix","valid_from":"2024-04-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a36dc3c0-3214-54ee-bcfb-c5637137c569","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e0abb9c3-529b-5c38-96d5-f3d419ef297b","target_ref":"intrusion-set--e0a16a09-a581-5fb3-90b4-db80a69e074c"},{"type":"indicator","spec_version":"2.1","id":"indicator--d1ab6896-a019-5cf3-8e99-d5f2c5781d38","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 3cb9dea916432ffb8784ac36d1f2d3cd (Handala Wiper)","description":"Handala PowerShell wiper component MD5 from Check Point Research's 2026 Handala Hack report. Distributed via Group Policy logon scripts as a scheduled task; the batch loader 'handala.bat' chains the executable and the PowerShell script to overwrite files and corrupt the MBR.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '3cb9dea916432ffb8784ac36d1f2d3cd']","pattern_type":"stix","valid_from":"2024-04-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2026/handala-hack-unveiling-groups-modus-operandi/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5f79c2a0-b2c8-53cf-9566-d7db4a09419e","created":"2024-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--d1ab6896-a019-5cf3-8e99-d5f2c5781d38","target_ref":"intrusion-set--e0a16a09-a581-5fb3-90b4-db80a69e074c"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--c197d6f2-6fd9-51cb-9214-db8affae58be","created":"2021-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Hive","description":"Russian-speaking ransomware-as-a-service operation active from mid-2021 through January 2023. Best known publicly for the May 2022 compromise of the Costa Rican government — which prompted Costa Rica's president to declare a national emergency — and for sustained healthcare-sector targeting. The FBI infiltrated Hive's infrastructure in July 2022, covertly captured decryption keys for victims for seven months (preventing approximately $130M in ransom payments), and on 26 January 2023 seized Hive's leak site and command infrastructure in coordination with German and Dutch police.","first_seen":"2021-06-01T00:00:00.000Z","last_seen":"2023-01-26T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","government","manufacturing","education"],"x_threatintel_target_countries":["US","CR","GB","DE","ES","FR"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1133"]},{"type":"report","spec_version":"2.1","id":"report--37311fd6-c2af-5c98-b333-f382665c504d","created":"2023-01-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ/FBI/Europol disrupt Hive ransomware; seize site + decryptors","description":"U.S. Attorney General Merrick Garland announced that DOJ, FBI, Europol, and German and Dutch police had run a seven-month covert infiltration of Hive's infrastructure, capturing decryption keys and quietly providing them to victims — preventing an estimated $130M in ransom payments. The operation culminated in the seizure of Hive's leak site and command infrastructure, effectively dismantling a brand that had extorted $100M+ from ~1,500 victims across 80 countries since mid-2021.","published":"2023-01-26T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--c197d6f2-6fd9-51cb-9214-db8affae58be"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/archives/opa/pr/us-department-justice-disrupts-hive-ransomware-variant"}],"labels":["takedown","ransomware","fbi","europol"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--7c0c2bcd-d237-5680-8e10-94e0eb63c6f7","created":"2022-05-31T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Hive ransomware compromises Costa Rican Social Security Fund","description":"Hive operators encrypted systems at the Caja Costarricense de Seguro Social (CCSS), Costa Rica's social-security fund, weeks after the Conti ransomware-driven national-emergency declaration. CCSS shut down critical systems including the Unified Digital Health File and Centralized Collection System; medical services across hospitals and clinics were disrupted for weeks. The compounding Conti + Hive impacts made Costa Rica a textbook case study in ransomware national-level disruption.","published":"2022-05-31T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--c197d6f2-6fd9-51cb-9214-db8affae58be"],"external_references":[{"source_name":"Caja Costarricense de Seguro Social","url":"https://en.wikipedia.org/wiki/2022_Costa_Rican_ransomware_attack"}],"labels":["healthcare","national-emergency","costa-rica"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--38c2b024-c60c-5cef-822d-9c58516537e3","created":"2022-11-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Windows_x64_encrypt.exe (Hive)","description":"Hive ransomware Windows 64-bit encryptor binary listed as a known IOC in Table 2 of AA22-321A. Hive shipped matching Linux, ESXi and FreeBSD variants and victimized over 1,300 organizations for ~$100M in payments before the FBI infiltrated its network in July 2022.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Windows_x64_encrypt.exe']","pattern_type":"stix","valid_from":"2022-11-17T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--bb704332-2396-599e-bb9c-6b5ce4ca1e14","created":"2022-11-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--38c2b024-c60c-5cef-822d-9c58516537e3","target_ref":"intrusion-set--c197d6f2-6fd9-51cb-9214-db8affae58be"},{"type":"indicator","spec_version":"2.1","id":"indicator--6ee63701-839d-517f-bc4f-028a9b4c50ba","created":"2022-11-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN asq.r77vh0.pw (Hive)","description":"Hive affiliate staging server hosting a malicious HTA file used during intrusions, listed in Table 2 of AA22-321A. The .pw infrastructure cluster was seized alongside the Hive back-end on Jan. 26, 2023 in the DOJ/FBI takedown announcement.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'asq.r77vh0.pw']","pattern_type":"stix","valid_from":"2022-11-17T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--61449e65-dacb-53c9-85ac-52e665e8d9eb","created":"2022-11-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6ee63701-839d-517f-bc4f-028a9b4c50ba","target_ref":"intrusion-set--c197d6f2-6fd9-51cb-9214-db8affae58be"},{"type":"indicator","spec_version":"2.1","id":"indicator--c0cac1dc-f660-5645-8a4a-81c14b8833e0","created":"2022-11-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME HOW_TO_DECRYPT.txt (Hive)","description":"Hive ransom note dropped into every encrypted directory; instructs victims not to modify the *.key file in C:\\ or /root and links to the HiveLeaks Tor chat panel. Listed in Table 2 of joint FBI/CISA/HHS advisory AA22-321A (Nov. 17, 2022).","indicator_types":["malicious-activity"],"pattern":"[file:name = 'HOW_TO_DECRYPT.txt']","pattern_type":"stix","valid_from":"2022-11-17T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-321a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--57a3117e-23e4-5063-b9db-9da27721e3b9","created":"2022-11-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c0cac1dc-f660-5645-8a4a-81c14b8833e0","target_ref":"intrusion-set--c197d6f2-6fd9-51cb-9214-db8affae58be"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--28b50697-3d3e-5bbc-b305-ed7ab5b67d59","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Homeland Justice","description":"Public-facing hacktivist persona operated by the Iranian MOIS-affiliated Void Manticore cluster, used for the July 2022 destructive intrusion of the Albanian government's central IT infrastructure. The operation deployed bespoke wipers (Cl Wiper, No-Justice / LowEraser) and exfiltrated Albanian state correspondence. The diplomatic consequence was unprecedented: in September 2022 Albania severed all diplomatic relations with Iran and expelled Iranian diplomatic personnel — the **first NATO member to break diplomatic ties with another country over a cyber attack**. Homeland Justice continued sporadic operations against Albanian government and Mujahedin-e-Khalq (MEK) Iranian-opposition targets through 2024.","first_seen":"2022-07-15T00:00:00.000Z","last_seen":"2024-12-01T00:00:00.000Z","goals":["destruction","information operations"],"primary_motivation":"ideology","labels":["country:IR"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["government","media","ngo"],"x_threatintel_target_countries":["AL"],"x_threatintel_attack_techniques":["T1485","T1561.002","T1190"]},{"type":"report","spec_version":"2.1","id":"report--8453a09e-4780-5769-a1d0-0c76b7560a7d","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Iran's Homeland Justice persona destructively attacks Albanian government","description":"On 15 July 2022, the Iranian MOIS-affiliated Void Manticore cluster — operating under the Homeland Justice public persona — deployed bespoke wipers (Cl Wiper, No-Justice / LowEraser) against the Albanian government's central IT infrastructure. Initial access was conducted by sister unit Scarred Manticore (Storm-0861) via SharePoint exploitation; Void Manticore then carried out the destructive stage and ran the public-facing leaks. The operation forced multiple Albanian e-government services offline for weeks. **On 7 September 2022 Albanian Prime Minister Edi Rama severed all diplomatic relations with Iran and gave Iranian diplomatic personnel 24 hours to leave** — the first time a NATO member has broken diplomatic ties with another country specifically over a cyber attack.","published":"2022-07-15T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--28b50697-3d3e-5bbc-b305-ed7ab5b67d59"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a"}],"labels":["wiper","destructive","diplomatic-rupture","ics","nato-precedent","iran"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--6b5ab22a-1bff-5d84-a534-75cd51ec91c2","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 bbe983dba3bf319621b447618548b740 (ROADSWEEP)","description":"'GoXML.exe' ransomware-style file encryptor MD5 from CISA AA22-264A Appendix A. Drops the ransom note How_To_Unlock_MyFiles.txt and is propagated across the victim print-server network by 'mellona.exe'. Mandiant tracks the same family as ROADSWEEP, which dropped a politically themed anti-MEK note for the HomeLand Justice persona.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = 'bbe983dba3bf319621b447618548b740']","pattern_type":"stix","valid_from":"2022-07-15T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--93244021-ce37-572e-aab5-483ff1d49850","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6b5ab22a-1bff-5d84-a534-75cd51ec91c2","target_ref":"intrusion-set--28b50697-3d3e-5bbc-b305-ed7ab5b67d59"},{"type":"indicator","spec_version":"2.1","id":"indicator--0b09ace9-22ee-57c5-b623-4690ebbc515a","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 7b71764236f244ae971742ee1bc6b098 (Cl Wiper)","description":"Disk wiper 'cl.exe' MD5 published in Appendix A of CISA AA22-264A on the July 2022 HomeLand Justice destructive attack against the Government of Albania. Pairs with the 'rwdsk.sys' RawDisk driver (MD5 8f6e7653807ebb57ecc549cef991d505) to wipe raw disk drives. Mandiant tracks the same payload as a ZEROCLEAR variant.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '7b71764236f244ae971742ee1bc6b098']","pattern_type":"stix","valid_from":"2022-07-15T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--920c93dd-4048-5fc7-b937-57134b98cbb0","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--0b09ace9-22ee-57c5-b623-4690ebbc515a","target_ref":"intrusion-set--28b50697-3d3e-5bbc-b305-ed7ab5b67d59"},{"type":"indicator","spec_version":"2.1","id":"indicator--936c55cb-551c-56b0-bce0-83072184f4c5","created":"2021-07-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 df9ab47726001883b5fcf58b56b34b41 (CHIMNEYSWEEP)","description":"CHIMNEYSWEEP backdoor MD5 published in Mandiant's August 2022 'Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government' report. CHIMNEYSWEEP was deployed alongside ROADSWEEP ransomware and a ZEROCLEAR-variant wiper in the HomeLand Justice operation; Mandiant assesses involvement of one or more actors operating in support of Iranian goals with moderate confidence.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = 'df9ab47726001883b5fcf58b56b34b41']","pattern_type":"stix","valid_from":"2021-07-26T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant (Google Cloud)","url":"https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5f3f7a2f-5ac5-5681-8ee1-59f4f133b993","created":"2021-07-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--936c55cb-551c-56b0-bce0-83072184f4c5","target_ref":"intrusion-set--28b50697-3d3e-5bbc-b305-ed7ab5b67d59"},{"type":"indicator","spec_version":"2.1","id":"indicator--7aadb224-b10d-530e-9a8f-a463d9efea1b","created":"2021-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 8f766dea3afd410ebcd5df5994a3c571","description":"'Pickers.aspx' webshell MD5 from CISA AA22-264A Appendix A. Used by the HomeLand Justice operators for persistence after initial access via CVE-2019-0604 on an Internet-facing SharePoint server roughly 14 months before the July 2022 destructive attack on Albanian government networks.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '8f766dea3afd410ebcd5df5994a3c571']","pattern_type":"stix","valid_from":"2021-05-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5eb4886d-892c-5d03-acc9-c21660c933f7","created":"2021-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--7aadb224-b10d-530e-9a8f-a463d9efea1b","target_ref":"intrusion-set--28b50697-3d3e-5bbc-b305-ed7ab5b67d59"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--1ee00f01-2ba8-5967-a5b1-ed0682fe85b4","created":"2023-07-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"INC Ransom","description":"Russian-speaking ransomware-as-a-service operation active since mid-2023, notable for sustained targeting of UK NHS trusts and U.S. healthcare providers. Major UK incidents: **NHS Dumfries and Galloway** (March 2024 — 3TB exfiltrated, 150,000 patient records subsequently leaked when ransom was refused), **NHS Alder Hey Children's Hospital + Liverpool Heart and Chest** (November 2024). The brand's source code was reportedly sold by an operator on RAMP forum in May 2024 for $300,000 — Lynx ransomware (active since mid-2024) is the suspected derivative.","first_seen":"2023-07-01T00:00:00.000Z","aliases":["Lynx (suspected fork)"],"goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","education","government","manufacturing"],"x_threatintel_target_countries":["GB","US","DE","FR"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1078"]},{"type":"report","spec_version":"2.1","id":"report--7e428e7e-ebaf-5625-9688-7953c7917d6d","created":"2024-11-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"INC Ransom claims compromise of Alder Hey Children's + Liverpool Heart NHS","description":"INC Ransom claimed near-simultaneous compromises of two Liverpool-area NHS Foundation Trusts: Alder Hey Children's Hospital (one of the UK's largest paediatric hospitals) and Liverpool Heart and Chest. The operators posted patient documents on their leak site as proof, marking the second sustained INC Ransom campaign against UK NHS trusts in eight months. The Alder Hey targeting — paediatric oncology and cardiology data — drew unusually pointed condemnation from UK government and healthcare-sector commentators.","published":"2024-11-28T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--1ee00f01-2ba8-5967-a5b1-ed0682fe85b4"],"external_references":[{"source_name":"The Register","url":"https://www.theregister.com/2024/11/29/inc_ransom_alder_hey_childrens_hospital/"}],"labels":["healthcare","ransomware","paediatric","uk","nhs"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--7795f138-d028-5dfe-822f-4f6fa54c0fac","created":"2024-03-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"INC Ransom compromises NHS Dumfries and Galloway, leaks 150K patient records","description":"INC Ransom claimed a compromise of NHS Dumfries and Galloway, the regional NHS Scotland trust serving south-west Scotland, on 15 March 2024. The trust contained malware spread to a single regional branch but could not prevent exfiltration; the operators claimed 3TB of stolen data. After the trust refused to pay, INC Ransom published patient records — including medical test results for adults and young children, medication information, and full patient names + home addresses — ultimately exposing approximately 150,000 individuals' data on the operators' leak site.","published":"2024-03-15T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--1ee00f01-2ba8-5967-a5b1-ed0682fe85b4"],"external_references":[{"source_name":"The Register","url":"https://www.theregister.com/2024/03/28/nhs_scotland_cyberattack/"}],"labels":["healthcare","ransomware","uk","nhs","patient-impact"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--a68b3504-8816-5070-9131-2b1ec6aa5e6e","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME INC-README.txt (INC Ransomware)","description":"Ransom note filename dropped per directory by INC Ransom (also seen as INC-README.html / *.inc-readme.txt). Documented in Huntress and Secureworks (GOLD IONIC) analyses.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'INC-README.txt']","pattern_type":"stix","valid_from":"2023-08-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Sophos / Secureworks CTU","url":"https://www.sophos.com/en-us/blog/gold-ionic-deploys-inc-ransomware"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--10461ff9-7faa-5b96-a155-54f7c2a05007","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--a68b3504-8816-5070-9131-2b1ec6aa5e6e","target_ref":"intrusion-set--1ee00f01-2ba8-5967-a5b1-ed0682fe85b4"},{"type":"indicator","spec_version":"2.1","id":"indicator--31c12fd7-1820-57b3-822c-956383bd2b34","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c (INC Ransomware)","description":"INC Encryptor binary (PDB string 'C:\\source\\INC Encryptor\\Release\\INC Encryptor.pdb') used in the early INC Ransom intrusions investigated by Huntress and mapped to MITRE ATT&CK software entry S1139.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'accd8bc0d0c2675c15c169688b882ded17e78aed0d914793098337afc57c289c']","pattern_type":"stix","valid_from":"2023-08-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Huntress","url":"https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--998deba7-ee68-581c-8398-cecdc827e0d8","created":"2023-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--31c12fd7-1820-57b3-822c-956383bd2b34","target_ref":"intrusion-set--1ee00f01-2ba8-5967-a5b1-ed0682fe85b4"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--14c05b59-854f-59c1-b2c9-f9bcc6e723e5","created":"2022-02-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IT Army of Ukraine","description":"Pro-Ukraine volunteer collective established 26 February 2022 by Ukrainian Deputy Prime Minister and Minister of Digital Transformation Mykhailo Fedorov, via a Telegram channel that publishes target lists. Operates a continuous low-level DDoS tempo against Russian government services, banks, payment processors, railways, ISPs, and state media, alongside more intermittent leak operations. The architecture is the mirror of NoName057(16)'s DDoSia — a coordinated volunteer-pool DDoS service driven by daily Telegram target lists.","first_seen":"2022-02-26T00:00:00.000Z","aliases":["ITArmy"],"goals":["disruption","information operations"],"primary_motivation":"ideology","labels":["country:UA"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["government","financial","media","transportation","telecommunications"],"x_threatintel_target_countries":["RU","BY"],"x_threatintel_attack_techniques":["T1498","T1499"]},{"type":"report","spec_version":"2.1","id":"report--b5071d5c-649e-52f7-a113-949d97c4059b","created":"2024-06-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IT Army claims large-scale DDoS against Russian banks and the Mir payment system","description":"Ukrainska Pravda reported that the IT Army of Ukraine claimed a large-scale DDoS operation against the Russian banking system, including the National Payment Card System (NSPK) which operates Mir cards. According to the group and Russian state media coverage, services at VTB, Sberbank, Tinkoff, Alfa-Bank, Gazprombank and several telecommunications operators were intermittently unavailable, with disruption reported from around 10:00 local time and peaking near 14:00 before being contained. The IT Army described it as 'possibly the largest DDoS attack in history'; NSPK characterised the impact as short-lived.","published":"2024-06-20T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--14c05b59-854f-59c1-b2c9-f9bcc6e723e5"],"external_references":[{"source_name":"Ukrainska Pravda","url":"https://www.pravda.com.ua/eng/news/2024/06/20/7461812/"}],"labels":["ddos","russia","banking","mir-payment-system"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--cd02ba81-394b-5ae2-b166-2d90fa13741f","created":"2023-08-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CSIS documents the evolution of the IT Army into a structured operation","description":"CSIS's Strategic Technologies Blog published an analysis tracing the IT Army's evolution from an ad-hoc volunteer effort into a more structured organisation with ongoing support from Ukrainian officials. The piece reports a public Telegram membership that peaked around 300,000 in March 2022 and declined to roughly 170,000 by August 2023, and cites estimates of around 65,000 active volunteers in May 2022 and approximately 2,000 attacks conducted by June 2022.","published":"2023-08-15T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--14c05b59-854f-59c1-b2c9-f9bcc6e723e5"],"external_references":[{"source_name":"CSIS","url":"https://www.csis.org/blogs/strategic-technologies-blog/it-army-ukraine"}],"labels":["report","ukraine","telegram","ddos"],"x_threatintel_severity":"info"},{"type":"report","spec_version":"2.1","id":"report--c799b220-935d-5c5e-b9b3-b6bd89537e85","created":"2022-06-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CSS Zurich publishes first comprehensive analysis of the IT Army of Ukraine","description":"The Center for Security Studies (CSS) at ETH Zurich published 'The IT Army of Ukraine: Structure, Tasking, and Ecosystem' by Stefan Soesanto, describing the initiative as a hybrid construct that is 'neither civilian nor military, neither public nor private, neither local nor international, and neither lawful nor unlawful'. The report documents how, in the absence of a dedicated Ukrainian military cyber command, Kyiv merged emerging state cyber capabilities with a large international volunteer community and an ad-hoc Telegram-based tasking model.","published":"2022-06-22T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--14c05b59-854f-59c1-b2c9-f9bcc6e723e5"],"external_references":[{"source_name":"Center for Security Studies, ETH Zurich","url":"https://css.ethz.ch/en/center/CSS-news/2022/06/the-it-army-of-ukraine.html"}],"labels":["report","academic","css-zurich","ukraine"],"x_threatintel_severity":"info"},{"type":"report","spec_version":"2.1","id":"report--5e58241c-3fd6-5356-8459-375af8a37b69","created":"2022-02-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Ukrainian minister Fedorov announces creation of an 'IT Army'","description":"Two days after Russia's full-scale invasion, Ukraine's Vice Prime Minister and Minister of Digital Transformation Mykhailo Fedorov announced via social media the creation of an 'IT Army' and pointed volunteers to a dedicated Telegram channel publishing operational tasks. Ukrainska Pravda quoted Fedorov: 'We are creating an IT Army. All operational tasks will be posted [here]. There's plenty to do for everyone. We continue our fight at the cyber-front.' The channel grew rapidly and an initial target list focused on Russian government, banking and corporate sites including Sberbank and the Moscow Stock Exchange.","published":"2022-02-26T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--14c05b59-854f-59c1-b2c9-f9bcc6e723e5"],"external_references":[{"source_name":"Ukrainska Pravda","url":"https://www.pravda.com.ua/eng/news/2022/02/26/7326225/"}],"labels":["announcement","ukraine","ddos","volunteer"],"x_threatintel_severity":"info"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--d927ee74-5c3a-55da-add5-e45396ba8950","created":"2021-10-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Jia Tan","description":"Persona behind a multi-year software supply-chain operation targeting xz-utils, a widely-deployed open-source data-compression library. The 'Jia Tan' account contributed to xz-utils from October 2021, steadily building credibility and commit access before inserting a sophisticated backdoor in versions 5.6.0 and 5.6.1 (CVE-2024-3094, CVSS 10.0). The backdoor, discovered on 29 March 2024 by Andres Freund, modified liblzma to intercept SSH RSA key authentication on affected systemd-linked Linux systems, enabling unauthorized remote access to any host running the compromised package. Multiple researchers assessed the operation as state-sponsored based on its sophistication and multi-year patience, but no public attribution to a specific government has been made.","first_seen":"2021-10-19T00:00:00.000Z","aliases":["JiaT75"],"last_seen":"2024-03-29T00:00:00.000Z","goals":["espionage","pre-positioning"],"primary_motivation":"organizational-gain","x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["technology","linux infrastructure"],"x_threatintel_target_countries":["US","DE","GB","FR","CA","JP"],"x_threatintel_attack_techniques":["T1195.001","T1554","T1059.004","T1027"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--f103d569-8273-5948-9afd-58ee03d2eda6","created":"2022-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"KillNet","description":"Pro-Russia hacktivist collective; brand reorganized multiple times since its emergence around January 2022. Conducts performative DDoS against Western government, healthcare, and airport sites timed to political flashpoints (U.S. state government sites, the Eurovision 2022 final, hospital networks during the U.S. Healthcare DDoS campaign of early 2023). Impact is typically short-duration website unavailability rather than data loss; the political-signalling value is the point.","first_seen":"2022-01-01T00:00:00.000Z","aliases":["KillMilk's collective"],"goals":["disruption","information operations"],"primary_motivation":"ideology","labels":["country:RU"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["government","healthcare","transportation","media"],"x_threatintel_target_countries":["US","GB","DE","IT","ES","PL","LT","LV","EE","RO","JP"],"x_threatintel_attack_techniques":["T1498","T1499"]},{"type":"report","spec_version":"2.1","id":"report--a702bfb9-28c1-5fe2-9032-c68a770a0b93","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Russian outlet Gazeta.ru names Killnet leader Killmilk as Nikolai Serafimov","description":"Russian media outlet Gazeta.ru published a report identifying Killmilk, the public leader of the Killnet collective, as a 30-year-old Russian citizen named Nikolai Serafimov, citing other hacktivists and an unnamed law-enforcement source. The Record from Recorded Future News reported the disclosure and noted it could not independently verify the identification. The exposure was followed weeks later by a Telegram post in which Killmilk announced he was 'retiring' from Killnet and handing leadership to Deanon Club.","published":"2023-11-21T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--f103d569-8273-5948-9afd-58ee03d2eda6"],"external_references":[{"source_name":"The Record (Recorded Future News)","url":"https://therecord.media/killmilk-identity-revealed-gazeta-ru-killnet-russia"}],"labels":["killmilk","doxxing","leadership"],"x_threatintel_severity":"low"},{"type":"report","spec_version":"2.1","id":"report--636e973b-8f58-5511-98f2-33d5ae347463","created":"2023-07-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Mandiant: Killnet collective shows new capabilities via Anonymous Sudan affiliation","description":"Mandiant published an analysis of the Killnet collective covering activity from January 2022 onward. The report tracks more than 500 distinct victims between January 1 and June 20, 2023, documents Killnet's shift from a squad-based structure to higher-profile affiliates including Anonymous Sudan, Zarya, Anonymous Russia and Devils Sec, and notes that Anonymous Sudan accounted for roughly 63% of identified DDoS attacks claimed by the collective in 2023. Mandiant assessed with high confidence that operations claimed by Killnet consistently mirror Russian strategic objectives, while stating that direct ties to Russian security services remained unproven.","published":"2023-07-20T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--f103d569-8273-5948-9afd-58ee03d2eda6"],"external_references":[{"source_name":"Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/killnet-new-capabilities-older-tactics"}],"labels":["ddos","anonymous-sudan","killmilk","report"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--00c28cac-2e5a-5fef-b5ec-6839a2303144","created":"2023-03-13T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Killmilk announces 'Black Skills' private military hacking company","description":"Killnet founder Killmilk announced on Telegram the creation of 'Black Skills', described as a 'Private Military Hacking Company' modelled on Russian PMCs such as Wagner. According to Flashpoint, the planned structure included subgroups for payroll, public relations, pen testing, data collection, information operations and operations against priority targets, with applicants required to declare prior army or public-service experience. Flashpoint assessed the move as an attempt to make Killnet's capabilities easier to monetise and to position the collective as a cyber-mercenary option for the Russian state.","published":"2023-03-13T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--f103d569-8273-5948-9afd-58ee03d2eda6"],"external_references":[{"source_name":"Flashpoint","url":"https://flashpoint.io/blog/killnet-killmilk-private-military-hacking-company/"}],"labels":["ddos-as-a-service","killmilk","rebrand","pro-russian"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--2e157b6f-c0e4-5893-abcc-c7ebbba93f01","created":"2022-12-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"HHS HC3 analyst note warns of Killnet threat to US healthcare sector","description":"The U.S. Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HC3) published a TLP:CLEAR analyst note characterising Killnet as a pro-Russian hacktivist group active since at least January 2022 that conducts DDoS attacks against nations perceived as hostile to Russia. The note cites recent targeting of a U.S. healthcare organisation and assesses Killnet as a continuing threat to government and critical infrastructure, including the health and public health (HPH) sector. Ties to the FSB or SVR are described as unconfirmed.","published":"2022-12-22T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--f103d569-8273-5948-9afd-58ee03d2eda6"],"external_references":[{"source_name":"HHS HC3","url":"https://www.aha.org/cybersecurity-government-intelligence-reports/2022-12-22-hc3-analyst-note-tlp-clear-pro-russian-hacktivist-group-killnet-threat"}],"labels":["ddos","healthcare","hc3","advisory"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--dc3ce4ef-3721-5cb5-9f2a-9ea432e86e9e","created":"2022-05-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Italian police mitigate Killnet DDoS attempts against Eurovision 2022 grand final","description":"Italian police said the pro-Russian Killnet collective targeted the Eurovision 2022 grand final and the two earlier semi-finals with DDoS attacks aimed at the contest's network infrastructure during voting and performances. The attempts were mitigated by the Polizia Postale together with ICT Rai and Eurovision TV. Killnet denied the attribution on Telegram and shortly afterwards posted a video declaring 'cyber war' on ten countries supporting Ukraine.","published":"2022-05-14T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--f103d569-8273-5948-9afd-58ee03d2eda6"],"external_references":[{"source_name":"Euronews","url":"https://www.euronews.com/culture/2022/05/16/eurovision-2022-russian-hackers-targeted-contest-say-italian-police"}],"labels":["ddos","italy","eurovision","pro-russian"],"x_threatintel_severity":"medium"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--a3b05b37-f3aa-582b-856c-169b6efecf8e","created":"2012-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Kimsuky","description":"DPRK state-sponsored actor focused on intelligence collection against South Korean and Western policy targets — diplomats, academics, journalists, and think-tank researchers working on Korean Peninsula affairs. Tradecraft centers on long-running spear-phishing with elaborate, persona-driven social engineering.","first_seen":"2012-01-01T00:00:00.000Z","aliases":["Velvet Chollima","Emerald Sleet","THALLIUM","Black Banshee","APT43"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:KP"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["diplomatic","academia","think tanks","journalism","government"],"x_threatintel_target_countries":["KR","US","JP","GB","DE"],"x_threatintel_attack_techniques":["T1566.001","T1566.002","T1059.001","T1059.005"]},{"type":"report","spec_version":"2.1","id":"report--6ee92d2e-0bc4-5fea-9888-c7b49514ba0c","created":"2020-10-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint advisory AA20-301A on Kimsuky tradecraft","description":"CISA, FBI, and U.S. Cyber Command's CNMF released a joint advisory characterising Kimsuky's intelligence-collection operations against South Korean and Western policy targets, providing observed tradecraft (spear-phishing, fake-persona social engineering) and detection guidance.","published":"2020-10-27T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--a3b05b37-f3aa-582b-856c-169b6efecf8e"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a"}],"labels":["five-eyes","attribution","dprk"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--51dd8226-9385-5c62-b274-35c71592d5db","created":"2020-10-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN nidnaver.net","description":"Kimsuky credential-phishing domain impersonating Naver (Korean portal). Listed in CISA / FBI / CNMF advisory AA20-301A, Table 1 (Domains used by Kimsuky). The campaign registered many lookalikes of Naver, Daum and Hanmail to harvest webmail credentials from South Korean targets.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'nidnaver.net']","pattern_type":"stix","valid_from":"2020-10-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--9d41ba0a-e16b-5755-98d6-95e2475fb926","created":"2020-10-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--51dd8226-9385-5c62-b274-35c71592d5db","target_ref":"intrusion-set--a3b05b37-f3aa-582b-856c-169b6efecf8e"},{"type":"indicator","spec_version":"2.1","id":"indicator--9df49acc-4f15-56ff-906b-0741e17ed1e6","created":"2020-10-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN naver.pw","description":"Kimsuky lookalike domain (.pw ccTLD spoofing the Naver portal). Listed in CISA / FBI / CNMF advisory AA20-301A, Table 1.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'naver.pw']","pattern_type":"stix","valid_from":"2020-10-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6dd504dd-6673-5b01-b996-1bcb2328c543","created":"2020-10-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--9df49acc-4f15-56ff-906b-0741e17ed1e6","target_ref":"intrusion-set--a3b05b37-f3aa-582b-856c-169b6efecf8e"},{"type":"indicator","spec_version":"2.1","id":"indicator--cbe17f6b-7a73-53cd-9dcf-9165b7ab200c","created":"2018-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME BabyShark (BabyShark)","description":"VBS-based first-stage loader staged via mshta.exe and HTA files. CISA / FBI / CNMF advisory AA20-301A (27 October 2020) attributes BabyShark to Kimsuky and documents its delivery via spearphishing against U.S. and South Korean think tanks, nuclear-policy experts and the cryptocurrency industry.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'BabyShark']","pattern_type":"stix","valid_from":"2018-11-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-301a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--8f314de4-7852-5c74-91f4-2b9cc3431a5a","created":"2018-11-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--cbe17f6b-7a73-53cd-9dcf-9165b7ab200c","target_ref":"intrusion-set--a3b05b37-f3aa-582b-856c-169b6efecf8e"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235","created":"2009-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Lazarus Group","description":"DPRK state-sponsored umbrella set associated with the Reconnaissance General Bureau. Mixes financially-motivated operations (including major cryptocurrency exchange thefts and SWIFT-network bank intrusions) with espionage and destructive operations such as the 2014 Sony Pictures intrusion and the 2017 WannaCry outbreak.","first_seen":"2009-01-01T00:00:00.000Z","aliases":["HIDDEN COBRA","LABYRINTH CHOLLIMA","Diamond Sleet"],"goals":["financial gain","espionage","destruction"],"primary_motivation":"personal-gain","labels":["country:KP"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["financial","cryptocurrency","defense","media","energy"],"x_threatintel_target_countries":["US","KR","JP","GB","IN","BD","VN","ES","MX","AR"],"x_threatintel_attack_techniques":["T1566.001","T1059.001","T1486","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--a2bf70e1-294c-59ab-9eaa-f6503dec82a5","created":"2026-04-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Lazarus / TraderTraitor steals $577M from Drift + KelpDAO inside three weeks","description":"North Korean operators hit two DeFi protocols inside a seventeen-day window in April 2026: Drift Protocol on 1 April ($285M) and KelpDAO's LayerZero bridge on 18 April ($292M). The combined $577M, combined with the February 2025 Bybit theft, drove North Korea's share of all cryptocurrency-hack value to 76% in 2026 through April per TRM Labs tracking — the highest single-actor concentration of crypto-theft attribution since continuous tracking began. Initial access for both incidents traced to the same TraderTraitor recruiter- persona social-engineering of engineers at the victim ecosystem (a continuation of the DMM Bitcoin / Ginco LinkedIn-lure tradecraft pattern from 2024).","published":"2026-04-18T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"TRM Labs","url":"https://www.trmlabs.com/resources/blog/north-korea-stole-76-of-all-crypto-hack-value-in-2026-with-just-two-attacks"}],"labels":["cryptocurrency","defi","social-engineering","dprk","supply-chain"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--48b34d74-6491-534a-aff8-823a80211b2e","created":"2025-02-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Lazarus / TraderTraitor executes $1.5B Bybit heist — largest crypto theft in history","description":"On 21 February 2025, North Korean operators tracked as TraderTraitor (assessed by FBI as Lazarus / APT38) transferred approximately $1.5B in Ethereum and ERC-20 tokens out of Bybit during a routine cold-wallet-to-hot- wallet rotation. The operation eclipsed the 2022 Ronin Bridge hack ($625M) as the single largest cryptocurrency theft on record. ZachXBT and subsequent FBI confirmation linked the wallets to the earlier Phemex, BingX, and Poloniex hacks attributed to the same cluster. The Bybit heist alone roughly tripled North Korea's running annual crypto take and forced multi-week downstream response from cryptocurrency exchanges attempting to block onward laundering.","published":"2025-02-21T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"U.S. Federal Bureau of Investigation","url":"https://www.fbi.gov/news/press-releases/north-korea-responsible-for-1-billion-bybit-hack"}],"labels":["cryptocurrency","supply-chain","dprk","record-theft"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--e5e4ada6-6b81-5f3e-a493-799c301b438a","created":"2024-12-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FBI attributes $308M DMM Bitcoin theft to DPRK TraderTraitor","description":"FBI, DC3, and Japan's NPA jointly attributed the May 2024 theft of 4,502.9 BTC (~$308M at time of theft) from Japanese exchange DMM Bitcoin to North Korean TraderTraitor activity, overlapping with Lazarus / APT38 reporting. The operation started with a LinkedIn-delivered fake pre-employment test targeting an employee at Ginco, DMM's wallet-software vendor; operators rode that access to manipulate a legitimate withdrawal request from a DMM employee. DMM ultimately announced closure following the loss.","published":"2024-12-23T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"U.S. Federal Bureau of Investigation","url":"https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-from-bitcoindmmcom"}],"labels":["cryptocurrency","supply-chain","attribution","japan"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--3ce87056-e39c-5aa1-b7ea-6cb3f81431c6","created":"2023-03-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"3CX Desktop App supply-chain compromise","description":"Trojanized installers of 3CX's desktop softphone application were distributed via 3CX's official channels. Multiple vendors attributed the operation to a Lazarus subcluster (UNC4736 / Labyrinth Chollima), with downstream second-stage targeting observed against cryptocurrency-related entities.","published":"2023-03-29T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/3cx-software-supply-chain-compromise"}],"labels":["supply-chain","3cx","cryptocurrency"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--ea95bdb2-cecd-59b5-a878-8d7af2d9a97e","created":"2022-03-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Ronin Network bridge theft (~$620M)","description":"An attacker drained the Ronin cross-chain bridge supporting the Axie Infinity game of approximately 173,600 ETH and 25.5M USDC — roughly $620M at the time. The U.S. Treasury subsequently linked the address to Lazarus Group.","published":"2022-03-29T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/jy0731"}],"labels":["cryptocurrency","bridge","ronin"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--f7760198-e3f6-5933-8c4c-738c3fb05f79","created":"2017-05-12T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"WannaCry global ransomware outbreak","description":"Worm-propagating ransomware leveraging the EternalBlue SMB exploit infected over 200,000 systems in 150+ countries — most notably crippling parts of the UK NHS. The U.S., UK, Australia, and others publicly attributed the outbreak to the DPRK / Lazarus.","published":"2017-05-12T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"The White House","url":"https://trumpwhitehouse.archives.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/"}],"labels":["ransomware","wannacry","eternalblue"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--cbde5a93-5052-5d3e-b790-c472f8608eff","created":"2016-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Bangladesh Bank SWIFT heist","description":"Attackers issued fraudulent SWIFT messages from Bangladesh Bank's account at the Federal Reserve Bank of New York, attempting transfers of nearly $1B and successfully moving $81M to accounts in the Philippines. Multiple analyses — including the BAE Systems / SWIFT joint report — link the tradecraft and tooling to Lazarus.","published":"2016-02-04T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"BAE Systems Threat Research","url":"https://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.html"}],"labels":["financial","swift","bangladesh-bank"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--a3a2f821-c846-5544-a2ff-3e437d81977d","created":"2014-11-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Sony Pictures Entertainment destructive intrusion","description":"A destructive intrusion at Sony Pictures wiped large portions of the corporate network and leaked unreleased films, employee data, and executive correspondence. The U.S. government formally attributed the operation to North Korea.","published":"2014-11-24T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"],"external_references":[{"source_name":"FBI","url":"https://www.fbi.gov/news/press-releases/update-on-sony-investigation"}],"labels":["destructive","sony","dprk"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--10747399-9bc6-5ad8-b7c5-ecdc77944a76","created":"2017-05-12T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com (WannaCry)","description":"WannaCry kill-switch domain. Discovery and sinkholing by a security researcher (\"MalwareTech\") on 12 May 2017 halted the ransomware's worldwide spread within hours of the outbreak.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com']","pattern_type":"stix","valid_from":"2017-05-12T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"MalwareTech","url":"https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6b1fb4ce-fb65-53ac-8df5-737adaab7a4e","created":"2017-05-12T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--10747399-9bc6-5ad8-b7c5-ecdc77944a76","target_ref":"intrusion-set--4471a632-d0d3-5cc2-b8e2-51edc5e84235"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--b17aaaf5-c674-53af-bc75-93f12c34adcd","created":"2019-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"LockBit","description":"Russian-speaking ransomware-as-a-service operation that by mid-2023 was the most prolific ransomware brand on public leak-site tracking by victim count. Disrupted in February 2024 by Operation Cronos (UK NCA-led) which seized the leak site and decryption keys. In May 2024 the US DOJ unsealed an indictment of Dmitry Khoroshev ('LockBitSupp') as the operation's administrator. Affiliate program model; victims span manufacturing, healthcare, government, and education globally.","first_seen":"2019-09-01T00:00:00.000Z","aliases":["LockBit 3.0","LockBit Black","LockBit Green","Bitwise Spider"],"last_seen":"2024-05-01T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["manufacturing","healthcare","government","education","professional services"],"x_threatintel_target_countries":["US","GB","FR","DE","IT","CA","AU","BR","MX","JP","IN"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1059.001"]},{"type":"report","spec_version":"2.1","id":"report--41053322-d4c7-5e16-8e7e-22e92930a754","created":"2024-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ unseals 26-count indictment of LockBit administrator Khoroshev","description":"U.S. DOJ unsealed a 26-count indictment of Dmitry Yuryevich Khoroshev (LockBitSupp), 31, of Voronezh, Russia, naming him as LockBit's creator, developer, and administrator. The indictment alleges Khoroshev received approximately $100M in BTC from his 20% share of LockBit ransoms; State announced a $10M reward for information leading to his arrest. The action followed February 2024's NCA-led Operation Cronos seizure of LockBit infrastructure.","published":"2024-05-07T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--b17aaaf5-c674-53af-bc75-93f12c34adcd"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/usao-nj/pr/us-charges-russian-national-developing-and-operating-lockbit-ransomware"}],"labels":["indictment","ransomware","russia","operation-cronos"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--e4dd8300-e9f2-5aaf-b243-3dce02f5bd97","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63 (LockBit)","description":"SHA256 of Mag.dll, the persistence module identified running within the UpdateAdobeTask scheduled job on victims of the LockBit 3.0 Citrix Bleed campaign. Table 3 of AA23-325A.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'cc21c77e1ee7e916c9c48194fad083b2d4b2023df703e544ffb2d6a0bfc90a63']","pattern_type":"stix","valid_from":"2023-11-21T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--71012370-cda6-5502-b510-c6b7ed9dd127","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e4dd8300-e9f2-5aaf-b243-3dce02f5bd97","target_ref":"intrusion-set--b17aaaf5-c674-53af-bc75-93f12c34adcd"},{"type":"indicator","spec_version":"2.1","id":"indicator--c4e15b78-6e67-5947-8727-0c66d3b71fc0","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME CVE-2023-4966 (Citrix Bleed) (LockBit)","description":"LockBit 3.0 affiliates' primary initial-access vector during the October-November 2023 wave documented in joint CISA/FBI/MS-ISAC/ACSC advisory AA23-325A - NetScaler ADC and Gateway session-token theft used against Boeing, ICBC, Allen & Overy, and DP World.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'CVE-2023-4966 (Citrix Bleed)']","pattern_type":"stix","valid_from":"2023-11-21T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--bdc28a32-ec68-53d3-b733-fc6a7adb547c","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c4e15b78-6e67-5947-8727-0c66d3b71fc0","target_ref":"intrusion-set--b17aaaf5-c674-53af-bc75-93f12c34adcd"},{"type":"indicator","spec_version":"2.1","id":"indicator--383b6bbf-59ec-543a-8308-cb82274a6be0","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44 (LockBit)","description":"SHA256 of adobelib.dll dropped to C:\\Users\\Public\\ by the 123.ps1 PowerShell loader during the LockBit 3.0 Citrix Bleed campaign, executed via rundll32 with a 104-hex-character key. Table 3 of AA23-325A.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'ed5d694d561c97b4d70efe934936286fe562addf7d6836f795b336d9791a5c44']","pattern_type":"stix","valid_from":"2023-11-21T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--bf6bcf37-cced-5b06-bb3f-9e0627510fdc","created":"2023-11-21T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--383b6bbf-59ec-543a-8308-cb82274a6be0","target_ref":"intrusion-set--b17aaaf5-c674-53af-bc75-93f12c34adcd"},{"type":"indicator","spec_version":"2.1","id":"indicator--92d73492-c21f-5151-af12-4d9ca93e5612","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN adobe-us-updatefiles.digital (LockBit)","description":"Tool-download domain contacted by adobelib.dll POST requests in the LockBit 3.0 Citrix Bleed campaign; resolved to 172.67.129.176 and 104.21.1.180 as of November 16, 2023. Table 3 of AA23-325A.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'adobe-us-updatefiles.digital']","pattern_type":"stix","valid_from":"2023-11-16T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--e763572b-877c-558e-8a72-65abb86b202a","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--92d73492-c21f-5151-af12-4d9ca93e5612","target_ref":"intrusion-set--b17aaaf5-c674-53af-bc75-93f12c34adcd"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--fe0e8123-187d-5b9c-83a2-d695c2b9b6b4","created":"2017-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MuddyWater","description":"Iranian state-sponsored actor publicly attributed in 2022 by U.S. Cyber Command to subordinates of the Ministry of Intelligence and Security (MOIS). Conducts espionage and access operations against telecommunications, government, defense, and oil-and-gas targets, primarily across the Middle East but with operations reported in North America, Europe, and Asia.","first_seen":"2017-01-01T00:00:00.000Z","aliases":["MERCURY","Mango Sandstorm","Static Kitten","TEMP.Zagros","Earth Vetala"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["telecommunications","government","defense","energy"],"x_threatintel_target_countries":["SA","AE","IL","TR","JO","US","GB"],"x_threatintel_attack_techniques":["T1566.001","T1059.001","T1218.005","T1219"]},{"type":"report","spec_version":"2.1","id":"report--86476424-4975-5f6c-b146-a6ca68880c59","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint advisory AA22-055A attributes MuddyWater to Iranian MOIS","description":"CISA, FBI, NSA, U.S. Cyber Command, and the U.K. National Cyber Security Centre released a joint advisory publicly attributing MuddyWater to subordinate elements of Iran's Ministry of Intelligence and Security (MOIS), and providing technical indicators and mitigations for the group's ongoing intrusion campaigns against government and private-sector targets.","published":"2022-02-24T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--fe0e8123-187d-5b9c-83a2-d695c2b9b6b4"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a"}],"labels":["five-eyes","mois","attribution"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--ab2ff247-c949-5e7d-819f-28ba1ab3f8d2","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2 (Small Sieve)","description":"Small Sieve Python backdoor payload 'index.exe' (PyInstaller-bundled Python 3.9) - hash published in Appendix B Table 3 of CISA AA22-055A. Beacons via the Telegram Bot API with hex byte-shuffling traffic obfuscation.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'bf090cf7078414c9e157da7002ca727f06053b39fa4e377f9a0050f2af37d3a2']","pattern_type":"stix","valid_from":"2022-02-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--be49a310-1fd2-5337-985b-3c4afac80611","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--ab2ff247-c949-5e7d-819f-28ba1ab3f8d2","target_ref":"intrusion-set--fe0e8123-187d-5b9c-83a2-d695c2b9b6b4"},{"type":"indicator","spec_version":"2.1","id":"indicator--0f9e4d60-0521-5759-899f-4bbda79ba496","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054 (Small Sieve)","description":"Small Sieve NSIS installer 'gram_app.exe' analyzed by NCSC-UK and published in Appendix B of CISA AA22-055A. Drops the Python-based Telegram-Bot-API backdoor index.exe and persists via the registry Run key OutlookMicrosift.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'b75208393fa17c0bcbc1a07857686b8c0d7e0471d00a167a07fd0d52e1fc9054']","pattern_type":"stix","valid_from":"2022-02-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--40161770-c529-5c62-9294-4ec82d6e7e7d","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--0f9e4d60-0521-5759-899f-4bbda79ba496","target_ref":"intrusion-set--fe0e8123-187d-5b9c-83a2-d695c2b9b6b4"},{"type":"indicator","spec_version":"2.1","id":"indicator--6e8ea1c5-9757-5d59-a0bb-79c3cdf425fa","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME POWERSTATS (POWERSTATS)","description":"PowerShell backdoor family attributed to MuddyWater in joint CISA/FBI/CNMF/NCSC-UK advisory AA22-055A, which catalogues POWERSTATS, Small Sieve, Mori, Canopy/Starwhale and PowGoop tooling used since approximately 2018 by this MOIS subordinate APT group (also tracked as Static Kitten, Mango Sandstorm, MERCURY, Seedworm, TEMP.Zagros).","indicator_types":["malicious-activity"],"pattern":"[file:name = 'POWERSTATS']","pattern_type":"stix","valid_from":"2022-02-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--ed1ea6e9-704b-54a5-9a89-85c349a0f822","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6e8ea1c5-9757-5d59-a0bb-79c3cdf425fa","target_ref":"intrusion-set--fe0e8123-187d-5b9c-83a2-d695c2b9b6b4"},{"type":"indicator","spec_version":"2.1","id":"indicator--cd23f1dd-93e4-50e6-aa23-64681f745b6c","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 95.181.161.49 (POWERSTATS)","description":"Adversary-controlled C2 IP hard-coded in the newly identified MuddyWater PowerShell backdoor sample published in CISA AA22-055A; the script encrypts traffic with a single-byte XOR key 0x02 and beacons over HTTP to /index.php with a victim identifier.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '95.181.161.49']","pattern_type":"stix","valid_from":"2022-02-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-055a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--41974d92-0241-5f59-865a-f9be08a8955f","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--cd23f1dd-93e4-50e6-aa23-64681f745b6c","target_ref":"intrusion-set--fe0e8123-187d-5b9c-83a2-d695c2b9b6b4"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--43082212-c31a-57d5-a9df-43dd351e7c3d","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Mustang Panda","description":"PRC state-aligned intrusion set focused on espionage against European government and NGO targets, Southeast Asian government and military targets (especially around the South China Sea), Mongolia, Taiwan, and Tibetan and Uyghur diaspora communities. Heavy use of trojanized RAR/PlugX-laden archives as the primary first-stage delivery.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["Bronze President","HoneyMyte","Earth Preta","RedDelta","TWILL TYPHOON"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","ngo","defense","diplomatic","dissidents"],"x_threatintel_target_countries":["MM","VN","MN","PH","TH","KH","TW","DE","GB","BE"],"x_threatintel_attack_techniques":["T1566.001","T1059.001","T1547.001","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--8cf996cc-2dad-54d2-9d64-d7449e1ee27f","created":"2022-11-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Earth Preta spear-phishes Asia-Pacific governments at scale","description":"Trend Micro documented Earth Preta (Mustang Panda) running a broad spear-phishing campaign against Asia-Pacific government and academic targets, delivering trojanised archives that side-loaded the TONEINS, TONESHELL, and PUBLOAD malware families on victims of interest.","published":"2022-11-18T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--43082212-c31a-57d5-a9df-43dd351e7c3d"],"external_references":[{"source_name":"Trend Micro","url":"https://www.trendmicro.com/en_us/research/22/k/earth-preta-spear-phishing-governments-worldwide.html"}],"labels":["spear-phishing","china","plugx"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--701f7b77-ce31-58e6-9092-19a6ac4adc3e","created":"2023-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 45.142.166.112 (PlugX)","description":"PlugX USB-worm command-and-control IP attributed to Mustang Panda. Sinkholed by Sekoia in September 2023 (the address had lapsed and was re-registered for USD 7). This is the same C2 the FBI/DOJ used for the court-authorized self-delete operation that cleaned ~4,258 U.S. hosts (announced Jan 2025).","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '45.142.166.112']","pattern_type":"stix","valid_from":"2023-09-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Sekoia.io","url":"https://blog.sekoia.io/unplugging-plugx-sinkholing-the-plugx-usb-worm-botnet/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c6a1eb08-458d-521b-afe8-b484b4a115d3","created":"2023-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--701f7b77-ce31-58e6-9092-19a6ac4adc3e","target_ref":"intrusion-set--43082212-c31a-57d5-a9df-43dd351e7c3d"},{"type":"indicator","spec_version":"2.1","id":"indicator--2c15d365-6ed9-5f83-bf9e-c40cfa5b0fca","created":"2023-03-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d (PlugX)","description":"SHA-256 of the malicious `wsc.dll` PlugX loader from the border-hopping USB-worm variant attributed by Sophos X-Ops to PKPLUG / Mustang Panda. Listed in the IOC table of the March 2023 Sophos News disclosure and re-confirmed by Sekoia's September 2023 sinkholing report.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'e8f55d0f327fd1d5f26428b890ef7fe878e135d494acda24ef01c695a2e9136d']","pattern_type":"stix","valid_from":"2023-03-09T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Sophos X-Ops","url":"https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--354295bc-c426-5592-a43c-ab621c3da52f","created":"2023-03-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--2c15d365-6ed9-5f83-bf9e-c40cfa5b0fca","target_ref":"intrusion-set--43082212-c31a-57d5-a9df-43dd351e7c3d"},{"type":"indicator","spec_version":"2.1","id":"indicator--72d6e557-017f-5b0d-a449-e0e4298e6a87","created":"2023-03-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654 (PlugX)","description":"SHA-256 of `AvastSvc.exe`, the legitimate Avast binary abused for DLL side-loading by the Mustang Panda PlugX USB worm. Listed alongside the malicious DLL in the Sophos IOC table; drops the side-load triad into `%userprofile%/AvastSvcpCP/`.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '85ca20eeec3400c68a62639a01928a5dab824d2eadf589e5cbfe5a2bc41d9654']","pattern_type":"stix","valid_from":"2023-03-09T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Sophos X-Ops","url":"https://news.sophos.com/en-us/2023/03/09/border-hopping-plugx-usb-worm/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--2c87712e-c8f7-5027-bbba-efc7d58647cb","created":"2023-03-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--72d6e557-017f-5b0d-a449-e0e4298e6a87","target_ref":"intrusion-set--43082212-c31a-57d5-a9df-43dd351e7c3d"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533","created":"2010-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Naikon","description":"PRC state-sponsored intrusion set publicly attributed by ThreatConnect and Defense Group Inc. to the People's Liberation Army Unit 78020 (Chengdu Military Region Second Technical Reconnaissance Bureau), primarily targeting ASEAN-region military, diplomatic, and government organizations. One of the longest-running publicly-documented PRC intrusion sets — Bitdefender re-disclosed sustained operations against ASEAN governments through 2020 using the Aria-body backdoor.","first_seen":"2010-01-01T00:00:00.000Z","aliases":["APT30","Override Panda","Lotus Panda"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","military","diplomatic"],"x_threatintel_target_countries":["ID","VN","PH","TH","MM","MY","SG","LA","KH","AU"],"x_threatintel_attack_techniques":["T1566.001","T1547.001","T1059.001","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--5d1ac4d2-14f9-585b-9e7e-31b477f14ec7","created":"2021-04-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Bitdefender details Naikon RainyDay and Nebulae backdoors used against Southeast Asian militaries","description":"Bitdefender's Cyber Threat Intelligence Lab published 'NAIKON — Traces from a Military Cyber-Espionage Operation', documenting a June 2019 to March 2021 campaign against military organisations in Southeast Asia. The operators used the Aria-body loader and the Nebulae backdoor for initial compromise and added the RainyDay backdoor starting in September 2020, abusing DLL side-loading against legitimate binaries from McAfee, Sandboxie, Outlook, and Quick Heal to evade detection.","published":"2021-04-27T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"],"external_references":[{"source_name":"Bitdefender","url":"https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"}],"labels":["report","rainyday","nebulae","southeast-asia"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--ae99c605-5a6e-5add-910d-c60ed09aa26c","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Check Point exposes Naikon's Aria-body backdoor in five-year APAC government campaign","description":"Check Point Research published 'Naikon APT: Cyber Espionage Reloaded', detailing a previously undocumented backdoor called Aria-body deployed against ministries of foreign affairs, science and technology, and government-owned companies in Australia, Indonesia, the Philippines, Vietnam, Thailand, Myanmar, and Brunei. Check Point attributed the activity to Naikon via shared infrastructure with prior Naikon campaigns, debug-string overlap with the XsFunction backdoor, and reuse of the djb2 hashing algorithm.","published":"2020-05-07T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"],"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"}],"labels":["report","aria-body","apac","espionage"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--84860eb7-ecd8-52c8-89d2-44eca343005a","created":"2017-05-31T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MITRE ATT&CK adds Naikon as Group G0019","description":"MITRE published the Naikon group entry (G0019) in ATT&CK, characterising the actor as a state-sponsored Chinese cyber-espionage group active since at least 2010 and primarily targeting government, military, and civil organisations in Southeast Asia along with international bodies including the UN Development Programme and ASEAN. The page consolidates associated software including Aria-body, RainyDay, Nebulae, SslMM, WinMM, and RARSTONE.","published":"2017-05-31T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"],"external_references":[{"source_name":"MITRE","url":"https://attack.mitre.org/groups/G0019/"}],"labels":["reference","mitre-attack","asean"],"x_threatintel_severity":"info"},{"type":"report","spec_version":"2.1","id":"report--dbc2e678-80ee-5744-9a12-e8896f326832","created":"2015-09-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ThreatConnect and Defense Group publish Project CAMERASHY attributing Naikon to PLA Unit 78020","description":"ThreatConnect and Defense Group Inc. released Project CAMERASHY, attributing the Naikon APT to the Chinese People's Liberation Army Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020) based on technical analysis of intrusion infrastructure and native-language research that linked the greensky27.vicp.net handle to Ge Xing, an officer assessed to be a member of Unit 78020. The report documented five-plus years of espionage against South China Sea claimant states and ASEAN.","published":"2015-09-23T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"],"external_references":[{"source_name":"ThreatConnect / Defense Group Inc.","url":"https://threatconnect.com/wp-content/uploads/ThreatConnect-Project-Camera-Shy-Report.pdf"}],"labels":["report","attribution","pla-unit-78020","south-china-sea"],"x_threatintel_severity":"medium"},{"type":"indicator","spec_version":"2.1","id":"indicator--9cf89875-4587-5fa3-9347-79e5dd25ec88","created":"2021-04-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 78782a24805b52713cb63ba3cad2569b905edea96ca3609f8464f1b7c1ba05dc (RainyDay)","description":"RainyDay rdmin.src encrypted payload sample (C2 asp.asphspes.com) published in Bitdefender's 2021 Naikon whitepaper IOC section.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '78782a24805b52713cb63ba3cad2569b905edea96ca3609f8464f1b7c1ba05dc']","pattern_type":"stix","valid_from":"2021-04-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Bitdefender","url":"https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a20e8b29-6d67-59e6-9c14-ff080459cf19","created":"2021-04-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--9cf89875-4587-5fa3-9347-79e5dd25ec88","target_ref":"intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"},{"type":"indicator","spec_version":"2.1","id":"indicator--3c9cdc21-4d9e-56cc-83d6-70afc9bb533d","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db (Aria-body)","description":"Aria-body backdoor payload sample published in Appendix C of Check Point's 2020 Naikon report.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '4cab6bf0b63cea04c4a44af1cf25e214771c4220ed48fff5fca834efa117e5db']","pattern_type":"stix","valid_from":"2020-05-07T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--f63aa016-4403-57d7-9c41-d4fe3f2c0a2b","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--3c9cdc21-4d9e-56cc-83d6-70afc9bb533d","target_ref":"intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"},{"type":"indicator","spec_version":"2.1","id":"indicator--097b1323-1357-595e-a988-3fcc94a862a6","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN spool.jtjewifyn.com (Aria-body)","description":"Naikon Aria-body command-and-control domain identified by Check Point Research in the 2020 'Cyber Espionage Reloaded' campaign against APAC government targets.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'spool.jtjewifyn.com']","pattern_type":"stix","valid_from":"2020-05-07T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--107f2825-7699-5a0f-9e52-2ee9268c1212","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--097b1323-1357-595e-a988-3fcc94a862a6","target_ref":"intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"},{"type":"indicator","spec_version":"2.1","id":"indicator--c0cd83e0-a2df-598a-ab0d-c424caa70e9c","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN blog.toptogear.com (Aria-body)","description":"Naikon Aria-body C2 domain listed in Check Point's 2020 Aria-body IOC appendix.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'blog.toptogear.com']","pattern_type":"stix","valid_from":"2020-05-07T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0991032d-7fdd-5305-80fd-fc38d58ea9e3","created":"2020-05-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c0cd83e0-a2df-598a-ab0d-c424caa70e9c","target_ref":"intrusion-set--870c20b9-9e4f-5e97-b042-347782c6f533"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--2cc365be-bcbd-5f18-b9a3-0a5f00bd286f","created":"2022-03-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"NoName057(16)","description":"Pro-Russia hacktivist collective emerged within weeks of the February 2024 full-scale invasion of Ukraine. Operates 'DDoSia' — a paid crowdsourced DDoS platform where Russian-speaking volunteers run a client that targets a continuously updated list of European, NATO-member, and Ukrainian government and infrastructure sites. Sustained low-impact disruption rather than intrusion: site outages timed to political news cycles (NATO summits, weapons deliveries, election days).","first_seen":"2022-03-01T00:00:00.000Z","aliases":["NoName057","DDoSia"],"goals":["disruption","information operations"],"primary_motivation":"ideology","labels":["country:RU"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["government","financial","transportation","media","defense"],"x_threatintel_target_countries":["UA","PL","DE","FR","IT","LT","LV","EE","FI","CZ","GB"],"x_threatintel_attack_techniques":["T1498","T1499"]},{"type":"report","spec_version":"2.1","id":"report--c949ec0d-a9d5-587b-982d-50809cfa2d39","created":"2025-07-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Eurojust and Europol announce Operation Eastwood takedown of NoName057(16)","description":"Eurojust and Europol announced the results of Operation Eastwood, a coordinated international action against NoName057(16) carried out between 14 and 17 July 2025. Authorities disrupted more than 100 servers worldwide, executed house searches in Germany, Latvia, Spain, Italy, Czechia, Poland and France, and issued seven international arrest warrants (six from Germany) including for two alleged main instigators based in the Russian Federation. Investigators also notified about 1,100 supporters and 17 administrators of their potential criminal liability. The group recruited roughly 4,000 supporters running DDoSia and had attacked critical infrastructure across the EU.","published":"2025-07-16T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--2cc365be-bcbd-5f18-b9a3-0a5f00bd286f"],"external_references":[{"source_name":"Eurojust","url":"https://www.eurojust.europa.eu/news/hacktivist-group-responsible-cyberattacks-critical-infrastructure-europe-taken-down"}],"labels":["ddosia","operation-eastwood","europol","law-enforcement"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--b4605412-e96d-530f-be96-5383b24a3b2c","created":"2024-07-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Spanish Civil Guard arrests three suspected DDoSia participants","description":"Spain's Civil Guard arrested three individuals in Manacor, Huelva and Seville on suspicion of participating in DDoS attacks targeting public institutions and strategic sectors in Spain and other NATO countries supporting Ukraine. According to Spain's Ministry of the Interior the suspects had used DDoSia, the custom DDoS platform developed and operated by NoName057(16). Computer equipment and documents were seized; the group responded on Telegram by declaring a 'vendetta' against the Spanish authorities and launching follow-on DDoS waves against Spanish targets.","published":"2024-07-20T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--2cc365be-bcbd-5f18-b9a3-0a5f00bd286f"],"external_references":[{"source_name":"BleepingComputer","url":"https://www.bleepingcomputer.com/news/security/spain-arrests-three-for-using-ddosia-hacktivist-platform/"}],"labels":["ddosia","arrests","spain","law-enforcement"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--2554f27f-c301-5642-8acf-f7d58f2da244","created":"2023-06-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Sekoia tracks DDoSia targeting across NATO and Western Europe","description":"Sekoia.io published a detailed analysis of NoName057(16)'s DDoSia project covering May and June 2023, identifying 486 distinct victim websites concentrated in Ukraine and NATO Eastern Flank countries (Lithuania, Poland, Czech Republic, Latvia) with secondary targeting of France, the UK, Italy and Canada. The report documents the project's Telegram-based recruitment (45,000+ subscribers on the main channel by June 2023), cryptocurrency rewards via TON, and rapid retargeting in response to political events such as French air-defence support to Kyiv.","published":"2023-06-29T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2cc365be-bcbd-5f18-b9a3-0a5f00bd286f"],"external_references":[{"source_name":"Sekoia.io","url":"https://blog.sekoia.io/following-noname05716-ddosia-projects-targets/"}],"labels":["ddosia","ddos","nato","report"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--dce64457-8a48-5a04-ac71-70ec60f63c28","created":"2023-01-12T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SentinelLabs profiles NoName057(16) and the DDoSia toolkit","description":"SentinelLabs published a profile of NoName057(16), characterising it as a pro-Russian hacktivist collective conducting DDoS campaigns against Ukraine and NATO-aligned entities since March 2022. The analysis dissected two implementations of the group's DDoSia toolkit — an initial Python build and a newer Golang variant internally named 'Go Stresser' — and documented recent targeting of Polish government, Danish financial sector and Czech presidential-candidate websites in December 2022 and January 2023.","published":"2023-01-12T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2cc365be-bcbd-5f18-b9a3-0a5f00bd286f"],"external_references":[{"source_name":"SentinelOne (SentinelLabs)","url":"https://www.sentinelone.com/labs/noname05716-the-pro-russian-hacktivist-group-targeting-nato/"}],"labels":["ddosia","ddos","telegram","report"],"x_threatintel_severity":"medium"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--bce2294f-fff8-56ad-a0b1-e51078d55407","created":"2021-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Operation Zero","description":"Russian exploit-acquisition firm publicly sanctioned by the U.S. Treasury OFAC in February 2026, alongside its founder Sergey Zelenyuk, for operating a market in zero-day vulnerabilities and exploit kits. Treasury's designation named Operation Zero as the buyer of eight proprietary U.S. Government cyber tools stolen by an American insider (Williams), who pleaded guilty in October 2025 and was sentenced February 2026 to 87 months. Operation Zero is publicly known as the highest-paying exploit acquisition programme in the post-2022 market — bounty offers of $20M for Android / iOS chains. The OFAC action is the first U.S. government sanctioning of a commercial exploit broker, and signals a category extension of cyber-sanctions to the offensive-tooling supply chain rather than only the operator end.","first_seen":"2021-09-01T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"cybercrime","x_threatintel_target_sectors":["technology","research"],"x_threatintel_target_countries":["US","GB","FR","DE","IL"],"x_threatintel_attack_techniques":["T1588.005","T1588.006"]},{"type":"report","spec_version":"2.1","id":"report--65c94ca3-0fc6-5680-83ec-de5d4393e485","created":"2026-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"OFAC sanctions Operation Zero and Sergey Zelenyuk for exploit-broker activity","description":"U.S. Treasury OFAC sanctioned Russian national Sergey Zelenyuk and his firm Operation Zero — alongside named affiliates — for operating an exploit-acquisition market that received and resold eight proprietary U.S. Government cyber tools stolen by an American insider. The insider, Williams, pleaded guilty 29 October 2025 to two counts of theft of trade secrets and was sentenced 24 February 2026 to 87 months in federal prison. The action is the **first U.S. cyber-sanctions designation of a commercial zero-day broker**, extending the cyber-sanctions regime from operators (Evil Corp, LockBit, Salt Typhoon's MSS contractor) to the offensive-tooling supply chain that feeds them.","published":"2026-02-24T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--bce2294f-fff8-56ad-a0b1-e51078d55407"],"external_references":[{"source_name":"U.S. Department of the Treasury","url":"https://home.treasury.gov/news/press-releases/sb0404"}],"labels":["sanctions","exploit-broker","zero-day","supply-chain"],"x_threatintel_severity":"high"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--a90932cf-573c-5bd3-bbed-96fc021d6e84","created":"2017-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Pioneer Kitten","description":"Iranian state-affiliated intrusion set publicly attributed by FBI, CISA, and DC3 in joint advisory AA24-241A as connected to the Government of Iran and operating partly through an Iranian IT-services front company. Operates as an initial-access broker: weaponizes edge-device n-days (Citrix NetScaler, F5 BIG-IP, Pulse Connect Secure, Check Point Security Gateways) to obtain footholds at U.S., Israeli, and UAE targets, then sells access to or collaborates with ransomware affiliates including ALPHV/BlackCat and NoEscape to deploy ransomware downstream.","first_seen":"2017-01-01T00:00:00.000Z","aliases":["Fox Kitten","Lemon Sandstorm","UNC757","Parisite","RUBIDIUM"],"goals":["espionage","financial gain","access brokerage"],"primary_motivation":"personal-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["education","financial","healthcare","defense","government"],"x_threatintel_target_countries":["US","IL","AE","AZ","GB"],"x_threatintel_attack_techniques":["T1190","T1133","T1078","T1486"]},{"type":"report","spec_version":"2.1","id":"report--f9547d6b-f91f-5d55-884f-50bab15cf67b","created":"2024-08-28T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CISA/FBI/DC3 joint advisory AA24-241A names Pioneer Kitten as IAB","description":"FBI, CISA, and the DoD Cyber Crime Center issued joint advisory AA24-241A attributing a campaign of edge-device exploitation and subsequent access-brokering to ransomware affiliates (including ALPHV/BlackCat and NoEscape) to Iran-based Pioneer Kitten / Fox Kitten, assessed as connected to the Government of Iran. The advisory called out exploitation of Check Point Security Gateway CVE-2024-24919, Palo Alto PAN-OS CVE-2024-3400, and Citrix and F5 n-days as the primary access vectors.","published":"2024-08-28T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--a90932cf-573c-5bd3-bbed-96fc021d6e84"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"}],"labels":["iran","access-broker","edge-devices","joint-advisory"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--6d83b86b-d8d3-5062-a817-e10f8640c981","created":"2024-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN githubapp.net","description":"Pioneer Kitten infrastructure domain listed in CISA AA24-241A Table 10 (Indicators of Compromise - Recent). First observed February 2024 and still active through August 2024 per the joint FBI/CISA/DC3 advisory.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'githubapp.net']","pattern_type":"stix","valid_from":"2024-02-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--8eadfcd4-c436-55bc-9b96-386379732162","created":"2024-02-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6d83b86b-d8d3-5062-a817-e10f8640c981","target_ref":"intrusion-set--a90932cf-573c-5bd3-bbed-96fc021d6e84"},{"type":"indicator","spec_version":"2.1","id":"indicator--db736f81-c330-597f-a0f4-00ff3bc53e02","created":"2024-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 138.68.90.19","description":"DigitalOcean-hosted IP observed by FBI in Pioneer Kitten operations January-August 2024, listed in Table 10 of CISA AA24-241A. The group exploits edge devices (Citrix Netscaler CVE-2019-19781/CVE-2023-3519, F5 BIG-IP CVE-2022-1388, Ivanti CVE-2024-21887, PanOS CVE-2024-3400, Check Point CVE-2024-24919) for initial access.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '138.68.90.19']","pattern_type":"stix","valid_from":"2024-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c0099bda-708a-515b-af6b-18728ce3503b","created":"2024-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--db736f81-c330-597f-a0f4-00ff3bc53e02","target_ref":"intrusion-set--a90932cf-573c-5bd3-bbed-96fc021d6e84"},{"type":"indicator","spec_version":"2.1","id":"indicator--6565b979-7999-5663-8784-8c97790d0399","created":"2023-10-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME netscaler.1","description":"Credential-capturing webshell artifact dropped by Pioneer Kitten on compromised Citrix Netscaler appliances - the file collects login credentials and is placed in the same directory as a PHP webshell (ctxHeaderLogon.php / netscaler.php) per CISA AA24-241A.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'netscaler.1']","pattern_type":"stix","valid_from":"2023-10-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--1beeb950-3f68-58aa-aae9-879aedb941dc","created":"2023-10-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6565b979-7999-5663-8784-8c97790d0399","target_ref":"intrusion-set--a90932cf-573c-5bd3-bbed-96fc021d6e84"},{"type":"indicator","spec_version":"2.1","id":"indicator--aa9a5fa6-aa53-54ad-959e-8c92c8c5dbc7","created":"2022-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN api.gupdate.net","description":"Recent infrastructure domain listed in Table 10 of CISA AA24-241A (FBI/CISA/DC3 joint advisory, 28 Aug 2024) on Iran-based Pioneer Kitten / Fox Kitten / UNC757 / Parisite / Lemon Sandstorm / Br0k3r enabling ransomware affiliates NoEscape, RansomHouse and ALPHV/BlackCat. First observed September 2022, most recently August 2024.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'api.gupdate.net']","pattern_type":"stix","valid_from":"2022-09-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-241a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--aec681d9-e5c0-5fbd-9766-3c3d7fc8f4fb","created":"2022-09-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--aa9a5fa6-aa53-54ad-959e-8c92c8c5dbc7","target_ref":"intrusion-set--a90932cf-573c-5bd3-bbed-96fc021d6e84"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--7cc6cf67-24be-5f94-a19f-6e88732a0356","created":"2017-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"PLA Unit 54466","description":"PLA 54th Research Institute (Strategic Support Force Unit 54466) members indicted by the U.S. DOJ on 10 February 2020 for the Equifax data breach of May–July 2017. Four military personnel — Wu Zhiyong, Wang Qian, Xu Ke, and Liu Lei — exploited a known Apache Struts vulnerability (CVE-2017-5638) to exfiltrate personal data on 145.5 million Americans from Equifax's servers. The operation routed traffic through approximately 20 countries to obscure its origin and used 34 servers in nearly a dozen nations. The breach also targeted Equifax employees in the UK and Canada.","first_seen":"2017-05-01T00:00:00.000Z","aliases":["54th Research Institute"],"last_seen":"2017-07-31T00:00:00.000Z","goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["financial","technology"],"x_threatintel_target_countries":["US","GB","CA"],"x_threatintel_attack_techniques":["T1190","T1041","T1070.004","T1078"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460","created":"2022-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Play","description":"Closed-group ransomware operation (no public affiliate program) active since mid-2022, named for the '.play' extension appended to encrypted files. Heavy exploitation of FortiOS SSL-VPN flaws and Microsoft Exchange ProxyNotShell for initial access. CISA joint advisory in December 2023 estimated 300+ victims across North America, South America, and Europe.","first_seen":"2022-06-01T00:00:00.000Z","aliases":["PlayCrypt","Balloonfly"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["state and local government","education","healthcare","manufacturing"],"x_threatintel_target_countries":["US","BR","AR","GB","DE"],"x_threatintel_attack_techniques":["T1190","T1133","T1486","T1490"]},{"type":"report","spec_version":"2.1","id":"report--ab7bc068-3c93-57b7-8bc6-0e71ed6af8d7","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CISA documents Play ESXi variant and per-victim recompilation","description":"The June 2025 update to AA23-352A formally documented Play's ESXi variant, which powers off virtual machines and encrypts VM-related files (.vmdk, .vmem, .vmsn, .vmx, .nvram, etc.) with AES-256, and confirmed that the Windows binary is recompiled for every attack to defeat hash-based detection. Each victim now receives a unique @gmx.de or @web.de contact address.","published":"2025-06-04T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"],"external_references":[{"source_name":"CISA","url":"https://www.ic3.gov/CSA/2025/250604.pdf"}],"labels":["esxi","advisory-update","ttps"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--79283a2f-1e66-5bd5-a938-f2ea751a14fa","created":"2023-12-18T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint CISA/FBI/ASD advisory AA23-352A on Play ransomware","description":"FBI, CISA, and the Australian Cyber Security Centre published joint advisory AA23-352A on the Play (Playcrypt) ransomware group, documenting initial-access via FortiOS (CVE-2018-13379, CVE-2020-12812) and Microsoft Exchange ProxyNotShell (CVE-2022-41040, CVE-2022-41082) bugs and the group's intermittent-encryption / double-extortion tradecraft. The advisory was updated on 4 June 2025 to note approximately 900 victims as of May 2025 and Play's exploitation of SimpleHelp CVE-2024-57727.","published":"2023-12-18T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a"}],"labels":["advisory","ransomware","proxynotshell","fortios"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--18272952-e208-5a7a-b89d-6e6fd252ba06","created":"2023-02-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"City of Oakland ransomware attack claimed by Play","description":"The City of Oakland, California disclosed a ransomware attack on 10 February 2023 that took most non-emergency municipal systems offline and prompted a local state of emergency. The Play group listed Oakland on its extortion site on 1 March 2023 and subsequently leaked data including employee personal information; the city later settled litigation covering more than 13,000 affected current and former employees.","published":"2023-02-08T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"],"external_references":[{"source_name":"BleepingComputer","url":"https://www.bleepingcomputer.com/news/security/play-ransomware-claims-disruptive-attack-on-city-of-oakland/"}],"labels":["municipal","data-extortion","us"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--cacb5429-0430-524b-a374-2b1d0a2e7305","created":"2023-01-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"A10 Networks breached by Play ransomware affiliates","description":"Networking-hardware vendor A10 Networks disclosed that a Play ransomware affiliate accessed its shared drives and exfiltrated human-resources, finance, and legal data during a brief intrusion on 23 January 2023. A10 said operational systems and customers were not affected; Play listed the company on its leak site shortly afterwards.","published":"2023-01-23T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"],"external_references":[{"source_name":"BleepingComputer","url":"https://www.bleepingcomputer.com/news/security/a10-networks-confirms-data-breach-after-play-ransomware-attack/"}],"labels":["data-extortion","vendor"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--5a86a5b6-6ba2-5aa8-a3c0-10a2ada22235","created":"2022-12-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Arnold Clark customer data stolen in Play ransomware attack","description":"UK car retailer Arnold Clark was hit on 23 December 2022 by a double-extortion attack later claimed by the Play group, which asserted it had exfiltrated 467 GB of data. The stolen records included names, contact details, ID documents, and in some cases National Insurance numbers and bank account data; staff reverted to pen and paper while systems were rebuilt.","published":"2022-12-23T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"],"external_references":[{"source_name":"Computer Weekly","url":"https://www.computerweekly.com/news/365530199/Arnold-Clark-customer-data-was-stolen-in-Play-ransomware-attack"}],"labels":["uk","data-extortion","retail"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--5ce28d51-008b-5463-91f6-77fbd93826d1","created":"2022-12-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Rackspace Hosted Exchange outage caused by Play ransomware","description":"Rackspace's Hosted Exchange service went down on 2 December 2022, knocking email offline for approximately 30,000 SMB customers. A CrowdStrike-led investigation confirmed in early January 2023 that the Play ransomware group was responsible, using a previously unknown Exchange exploit chain dubbed 'OWASSRF' (CVE-2022-41080 + CVE-2022-41082). Rackspace later wound down the Hosted Exchange product.","published":"2022-12-02T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"],"external_references":[{"source_name":"Cybersecurity Dive","url":"https://www.cybersecuritydive.com/news/rackspace-play-ransomware-exchange/639509/"}],"labels":["exchange","owassrf","msp"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--5e8e2d1d-2dc4-5720-a548-0852404eda01","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA (SystemBC)","description":"SHA-256 of a SystemBC malware DLL used by Play ransomware actors for SOCKS proxy / C2 traffic, listed in the June 2025 update to CISA/FBI/ACSC joint advisory AA23-352A (Table 2).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '7DEA671BE77A2CA5772B86CF8831B02BFF0567BCE6A3AE023825AA40354F8ACA']","pattern_type":"stix","valid_from":"2025-06-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--b0959bec-898f-5ffb-832a-c84d58764909","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--5e8e2d1d-2dc4-5720-a548-0852404eda01","target_ref":"intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"},{"type":"indicator","spec_version":"2.1","id":"indicator--ed3b05fd-6129-5d55-bfeb-a5ea9f76d852","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E (Playcrypt)","description":"SHA-256 of an SVCHost.dll backdoor associated with Play ransomware operators, published in the June 2025 update to CISA/FBI/ACSC joint advisory AA23-352A (Table 2).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '47B7B2DD88959CD7224A5542AE8D5BCE928BFC986BF0D0321532A7515C244A1E']","pattern_type":"stix","valid_from":"2025-06-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--f46cb033-5265-5015-a343-c3d48d81340b","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--ed3b05fd-6129-5d55-bfeb-a5ea9f76d852","target_ref":"intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"},{"type":"indicator","spec_version":"2.1","id":"indicator--3ca91f54-7b5e-5aad-aff4-c2b4ba3e50ad","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A (Grixba)","description":"SHA-256 of the GRIXBA information-stealer / custom data gathering tool used by Play ransomware affiliates, published in the June 2025 update to CISA/FBI/ACSC advisory AA23-352A.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '75B525B220169F07AECFB3B1991702FBD9A1E170CAF0040D1FCB07C3E819F54A']","pattern_type":"stix","valid_from":"2025-06-04T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--fa989f02-8a24-5538-91de-78437056caf9","created":"2025-06-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--3ca91f54-7b5e-5aad-aff4-c2b4ba3e50ad","target_ref":"intrusion-set--0b56bfe1-a2ee-5f9d-b866-0b5a4895f460"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--281d87f0-702c-5366-8404-63b4df532556","created":"2021-07-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Predatory Sparrow","description":"Pro-Israel hacktivist persona widely assessed by researchers and Israeli media as linked to Israeli military intelligence, though no government has publicly confirmed the relationship. Has claimed responsibility for a series of physically-consequential cyber-physical attacks against Iranian infrastructure: the July 2021 Iranian-railway disruption, the October 2021 nationwide gas-station outage, the 27 June 2022 fire at the Khouzestan steel mill (caught on internal CCTV the group released), the December 2023 second gas-station outage, and the June 2025 attacks on Bank Sepah and the Nobitex cryptocurrency exchange.","first_seen":"2021-07-01T00:00:00.000Z","aliases":["Gonjeshke Darande"],"goals":["disruption","information operations"],"primary_motivation":"ideology","labels":["country:IL"],"x_threatintel_kind":"hacktivist","x_threatintel_target_sectors":["energy","transportation","financial","ics","manufacturing"],"x_threatintel_target_countries":["IR"],"x_threatintel_attack_techniques":["T0831","T0827","T1485","T1561"]},{"type":"report","spec_version":"2.1","id":"report--03c8858b-a557-533d-99a3-bcb18f937c59","created":"2025-06-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Predatory Sparrow attacks Bank Sepah and Nobitex crypto exchange","description":"Predatory Sparrow claimed responsibility for compromises of two major Iranian financial institutions amid the broader June 2025 Israel-Iran exchange of strikes. The Bank Sepah attack disrupted retail banking services nationwide; the Nobitex incident leaked the cryptocurrency exchange's internal codebase and saw $90M+ of customer funds burned to dead addresses with vanity prefixes (e.g. F***IRGC) — an ostentatious anti-IRGC signal rather than a financially-motivated theft.","published":"2025-06-17T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--281d87f0-702c-5366-8404-63b4df532556"],"external_references":[{"source_name":"TechCrunch","url":"https://techcrunch.com/2025/06/17/pro-israel-hacktivist-group-claims-responsibility-for-alleged-iranian-bank-hack/"}],"labels":["financial","cryptocurrency","iran","information-operations"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--859d20e4-813d-594d-8bc1-7b2e3deb7680","created":"2022-06-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Predatory Sparrow caused fire at Iran's Khouzestan steel mill","description":"Predatory Sparrow (Gonjeshke Darande) claimed responsibility for a cyber-physical attack at Iran's Khouzestan Steel Company that caused a major industrial fire. The group released internal CCTV footage from inside the mill showing the moment a vat of molten metal overflowed onto the factory floor, sparking the blaze — among the most consequential public cyber-physical attacks attributed to any actor outside the Sandworm Industroyer / Ukrainian power-grid lineage.","published":"2022-06-27T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--281d87f0-702c-5366-8404-63b4df532556"],"external_references":[{"source_name":"WIRED","url":"https://www.wired.com/story/predatory-sparrow-cyberattack-timeline/"}],"labels":["cyber-physical","ics","iran","destructive"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--94532141-7105-58f7-91ad-91d7e4a12260","created":"2021-07-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7 (Meteor)","description":"'Meteor' wiper sample documented in Check Point Research's August 2021 analysis of the 9-10 July 2021 cyberattack on Iranian Railways and the Ministry of Roads and Urban Development. The payload 'msapp.exe' writes 'Meteor has started.' to its encrypted log file, locks the host and wipes contents. Check Point ties the campaign to a self-identified 'Indra' persona that the wider community tracks as Predatory Sparrow / Gonjeshke Darande.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '68e95a3ccde3ea22b8eb8adcf0ad53c7993b2ea5316948e31d9eadd11b5151d7']","pattern_type":"stix","valid_from":"2021-07-09T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6dbd532f-d3dc-5bf3-8818-7376a5abb3b5","created":"2021-07-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--94532141-7105-58f7-91ad-91d7e4a12260","target_ref":"intrusion-set--281d87f0-702c-5366-8404-63b4df532556"},{"type":"indicator","spec_version":"2.1","id":"indicator--ed698bc9-478b-5d77-834e-3764696093bd","created":"2020-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4 (Stardust)","description":"'Stardust' wiper variant documented by Check Point Research from earlier Indra/Predatory Sparrow operations against Syrian targets (Katerji Group, Arfada Petroleum, Cham Wings) in 2019-2020. Listed alongside Meteor and Comet in the August 2021 attribution of the Iran Railways attack.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '6709d332fbd5cde1d8e5b0373b6ff70c85fee73bd911ab3f1232bb5db9242dd4']","pattern_type":"stix","valid_from":"2020-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--7f844d38-e186-51dd-9429-af7fddfa75a7","created":"2020-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--ed698bc9-478b-5d77-834e-3764696093bd","target_ref":"intrusion-set--281d87f0-702c-5366-8404-63b4df532556"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--23d1403e-6a25-5c3d-809b-d57d5d206a0f","created":"2022-07-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Qilin","description":"Russian-speaking ransomware-as-a-service operation tracked by vendors as Qilin (and earlier as Agenda). Best known publicly for the 3 June 2024 compromise of Synnovis — the pathology-services provider to multiple London NHS trusts — which forced cancellation of 1,134 planned operations and 2,194 outpatient appointments and was cited by SCMP UK as a contributing factor in a patient death. Synnovis refused the $50M ransom; 400GB of patient data was published on Qilin's DLS on 20 June 2024.","first_seen":"2022-07-01T00:00:00.000Z","aliases":["Agenda"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","manufacturing","education","professional services"],"x_threatintel_target_countries":["GB","US","FR","DE","AU","CA"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1133"]},{"type":"report","spec_version":"2.1","id":"report--3d886ae8-ab9b-5c67-a55e-f1cd16dc3c11","created":"2026-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Qilin emerges as the most-active healthcare ransomware brand of Q1 2026","description":"Q1 2026 healthcare ransomware tracking attributed 23 claimed attacks (4 confirmed) to Qilin across U.S. and German healthcare providers — making Qilin the most- active brand against the sector for the quarter. Aggregate Q1 2026 healthcare-sector tracking recorded 120 ransomware attacks across all brands (a 14% decline from Q4 2025) but the average ransom demand surged to $16.9M, up from $577,800 the prior quarter — a strategic shift toward fewer, more-selective targets with higher capacity to pay. Qilin's persistent healthcare focus since the June 2024 Synnovis incident represents the clearest sustained vendor-style specialisation in the post-2024 ransomware market.","published":"2026-04-01T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--23d1403e-6a25-5c3d-809b-d57d5d206a0f"],"external_references":[{"source_name":"Comparitech / Paubox aggregated tracking","url":"https://www.paubox.com/blog/average-ransom-demands-surge-in-healthcare-ransomware-attacks-in-2026"}],"labels":["healthcare","sector-trend","ransom-demand"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--9ca3c366-a43a-59f2-b5b7-75feb79df94e","created":"2024-06-03T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Qilin ransomware compromise of Synnovis disrupts London NHS care","description":"Qilin operators compromised Synnovis, the pathology-services joint venture serving Guy's and St Thomas', King's College Hospital, and Lewisham and Greenwich NHS Trusts in London. Synnovis-dependent blood testing across seven hospitals was knocked offline; trusts cancelled 1,134 planned operations and 2,194 outpatient appointments in the first 13 days. Qilin published 400GB of patient data on its DLS on 20 June 2024 after Synnovis refused a $50M ransom demand. UK regulators later cited the incident as a contributing factor in a patient death.","published":"2024-06-03T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--23d1403e-6a25-5c3d-809b-d57d5d206a0f"],"external_references":[{"source_name":"Synnovis","url":"https://www.synnovis.co.uk/news-and-press/synnovis-cyberattack"}],"labels":["healthcare","ransomware","uk","patient-impact"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--643bb327-75fc-5fbd-8aca-60710ff8b553","created":"2024-07-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527 (Agenda/Qilin)","description":"Qilin ransomware Windows sample referenced in vendor emulation packs (AttackIQ, MyCERT) drawing on Group-IB's Qilin Revisited 2024 technical analysis.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'e90bdaaf5f9ca900133b699f18e4062562148169b29cb4eb37a0577388c22527']","pattern_type":"stix","valid_from":"2024-07-17T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Group-IB","url":"https://www.group-ib.com/blog/qilin-revisited/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--43bafb03-8ead-53ed-9c61-29faafbd5638","created":"2024-07-17T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--643bb327-75fc-5fbd-8aca-60710ff8b553","target_ref":"intrusion-set--23d1403e-6a25-5c3d-809b-d57d5d206a0f"},{"type":"indicator","spec_version":"2.1","id":"indicator--12b86afc-1f0f-51f4-a006-6d03c42e8f99","created":"2022-08-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Agenda (Agenda/Qilin)","description":"Original Go-based ransomware family name used by Qilin affiliates from mid-2022 before the Rust rewrite. Group-IB and SentinelOne both track Qilin/Agenda as one lineage; the operators encrypted Synnovis pathology systems on 3 June 2024 causing the south-London NHS hospital outage.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Agenda']","pattern_type":"stix","valid_from":"2022-08-25T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"SentinelOne","url":"https://www.sentinelone.com/anthology/agenda-qilin/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--db123e65-9e02-5357-9a3f-10c16ab39c2e","created":"2022-08-25T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--12b86afc-1f0f-51f4-a006-6d03c42e8f99","target_ref":"intrusion-set--23d1403e-6a25-5c3d-809b-d57d5d206a0f"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--ee1273ab-5c7d-5d9f-87cc-04cd633ad88c","created":"2024-02-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"RansomHub","description":"Russian-speaking ransomware-as-a-service operation announced via RAMP forum on 2 February 2024 by a user 'koley', widely assessed as the primary destination for displaced ALPHV/BlackCat and LockBit affiliates after those operations were disrupted in early 2024. By end of 2024 RansomHub was the most-claiming ransomware brand on public leak-site tracking with 593+ victims. Codebase shares lineage with Knight ransomware. FBI/CISA/MS-ISAC/HHS joint advisory AA24-242A issued 29 August 2024.","first_seen":"2024-02-02T00:00:00.000Z","aliases":["Greenbottle","Cyclops"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["healthcare","manufacturing","government","financial","education","communications"],"x_threatintel_target_countries":["US","GB","DE","BR","IT","CA","AU","ES","FR"],"x_threatintel_attack_techniques":["T1486","T1490","T1567.002","T1133"]},{"type":"report","spec_version":"2.1","id":"report--16ab91be-8b4a-5517-8a0c-a2e5aed2c233","created":"2024-08-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FBI/CISA/MS-ISAC/HHS joint advisory on RansomHub (AA24-242A)","description":"FBI, CISA, MS-ISAC, and HHS released joint cybersecurity advisory AA24-242A disseminating RansomHub indicators of compromise and TTPs identified through FBI threat-response activities and third-party reporting through August 2024. The advisory followed RansomHub's emergence in February 2024 as the destination for displaced ALPHV/BlackCat and LockBit affiliates, by which point the brand had become the most prolific ransomware operation on public leak-site tracking.","published":"2024-08-29T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--ee1273ab-5c7d-5d9f-87cc-04cd633ad88c"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a"}],"labels":["ransomware","joint-advisory","ttps"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--8a8fad6a-01f0-5683-b662-e23b8f8d7cc7","created":"2024-08-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"EMAIL brahma2023@onionmail.org (RansomHub)","description":"RansomHub affiliate contact address listed in Table 5 of CISA AA24-242A (2023-2024).","indicator_types":["malicious-activity"],"pattern":"[email-addr:value = 'brahma2023@onionmail.org']","pattern_type":"stix","valid_from":"2024-08-29T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--bfde3918-e463-5f74-af18-8f95dfaabc09","created":"2024-08-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--8a8fad6a-01f0-5683-b662-e23b8f8d7cc7","target_ref":"intrusion-set--ee1273ab-5c7d-5d9f-87cc-04cd633ad88c"},{"type":"indicator","spec_version":"2.1","id":"indicator--b9cdfb6e-36fa-5fc6-9773-71d97ec59660","created":"2024-08-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 188.34.188.7 (RansomHub)","description":"RansomHub affiliate staging host serving second-stage payloads (NEWOFFICIALPROGRAMCAUSEOFNEWUPDATE.exe and helper DLLs under /555/) per Table 4 of CISA joint advisory AA24-242A.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '188.34.188.7']","pattern_type":"stix","valid_from":"2024-08-29T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-242a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c273623d-8ff8-536a-84d9-4fcb8149ed5a","created":"2024-08-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--b9cdfb6e-36fa-5fc6-9773-71d97ec59660","target_ref":"intrusion-set--ee1273ab-5c7d-5d9f-87cc-04cd633ad88c"},{"type":"indicator","spec_version":"2.1","id":"indicator--32b21838-32a9-5fd5-8c28-ddf6a10e5c32","created":"2024-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292 (RansomHub)","description":"RansomHub Windows encryptor sample published in Symantec's August 2024 analysis tying the family back to its Knight / Cyclops origins. Sample uses Curve25519 with intermittent encryption as described in CISA AA24-242A.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '02e9f0fbb7f3acea4fcf155dc7813e15c1c8d1c77c3ae31252720a9fa7454292']","pattern_type":"stix","valid_from":"2024-08-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Symantec","url":"https://www.security.com/threat-intelligence/ransomhub-knight-ransomware"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--91f94e03-d4f2-58ab-a5ad-32cfe8e3fdac","created":"2024-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--32b21838-32a9-5fd5-8c28-ddf6a10e5c32","target_ref":"intrusion-set--ee1273ab-5c7d-5d9f-87cc-04cd633ad88c"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--8d78636b-6595-571a-969a-e8f9ef5bfbac","created":"2019-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"REvil","description":"Russian ransomware-as-a-service operation derived from GandCrab in April 2019. Conducted the 2021 Kaseya VSA supply-chain compromise (~1,500 downstream victims via 60 MSPs), the JBS Foods $11M ransom, and the Colonial Pipeline-era spike of double-extortion. The operation went dark in mid-July 2021 following intense U.S. pressure, briefly returned in September 2021, and was decisively disrupted on 14 January 2022 when Russia's FSB announced raids and arrests of 14 REvil members at the U.S. government's request — the first and last such cooperation.","first_seen":"2019-04-01T00:00:00.000Z","aliases":["Sodinokibi","Pinchy Spider","Gold Southfield"],"last_seen":"2022-01-14T00:00:00.000Z","goals":["financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"ransomware","x_threatintel_target_sectors":["managed service providers","manufacturing","professional services"],"x_threatintel_target_countries":["US","GB","DE","BR","IT","CA"],"x_threatintel_attack_techniques":["T1195.002","T1486","T1490","T1567.002"]},{"type":"report","spec_version":"2.1","id":"report--887add22-c753-571e-a350-f91225fec68d","created":"2022-01-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Russia's FSB announces arrest of 14 REvil members at U.S. request","description":"Russia's Federal Security Service announced raids across 25 addresses, the arrest of 14 individuals identified as REvil members, and the seizure of 426 million roubles, $600,000, €500,000, cryptocurrency wallets, 20 luxury vehicles, and computer hardware. The FSB stated the action was taken at the request of the U.S. government — the first and last such public ransomware-takedown cooperation. Russia subsequently withdrew the cases after the February 2022 invasion of Ukraine.","published":"2022-01-14T00:00:00.000Z","report_types":["sanction"],"object_refs":["intrusion-set--8d78636b-6595-571a-969a-e8f9ef5bfbac"],"external_references":[{"source_name":"Federal Security Service of the Russian Federation","url":"http://www.fsb.ru/fsb/press/message/single.htm!id%3D10439388%40fsbMessage.html"}],"labels":["takedown","ransomware","russia","arrest"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--80edb3c8-f882-52a1-b821-56386c3f6051","created":"2021-07-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"REvil Kaseya VSA supply-chain ransomware compromise","description":"REvil affiliates exploited a zero-day authentication bypass in Kaseya's VSA RMM platform (CVE-2021-30116) and pushed a malicious update to ~60 managed service providers, encrypting an estimated 1,500 downstream customer networks in a single weekend. REvil initially demanded a $70M lump-sum decryptor; Kaseya later obtained a universal decryptor key from an undisclosed source. The operation triggered the U.S. pressure that led to REvil's mid-July 2021 disappearance and to the FSB's January 2022 arrest of 14 alleged members.","published":"2021-07-02T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--8d78636b-6595-571a-969a-e8f9ef5bfbac"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-187a"}],"labels":["supply-chain","msp","ransomware","zero-day"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--41eb7193-c66f-54f7-8a43-013ccc36ddcb","created":"2021-07-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Sodinokibi/REvil ransomware (REvil)","description":"Malware family DOJ identified by name in the November 8, 2021 unsealed indictment of Ukrainian national Yaroslav Vasinskyi as the payload deployed through the Kaseya VSA agent on July 2, 2021. Vasinskyi was sentenced May 1, 2024 to 13 years 7 months and $16M restitution.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Sodinokibi/REvil ransomware']","pattern_type":"stix","valid_from":"2021-07-02T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"DOJ","url":"https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--34f1745e-1af7-5b6b-a729-100f8dce9d0a","created":"2021-07-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--41eb7193-c66f-54f7-8a43-013ccc36ddcb","target_ref":"intrusion-set--8d78636b-6595-571a-969a-e8f9ef5bfbac"},{"type":"indicator","spec_version":"2.1","id":"indicator--f9ef10d4-24fa-51b3-be8d-0976127d0e91","created":"2021-07-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME mpsvc.dll (REvil)","description":"Sodinokibi/REvil encryptor DLL side-loaded by a renamed MsMpEng.exe in the July 2, 2021 Kaseya VSA supply-chain compromise. Vasinskyi was indicted Nov. 8, 2021 by DOJ for deploying this code through Kaseya's auto-update channel to roughly 1,500 downstream customers.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'mpsvc.dll']","pattern_type":"stix","valid_from":"2021-07-02T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"DOJ","url":"https://www.justice.gov/opa/pr/ukrainian-arrested-and-charged-ransomware-attack-kaseya"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--05f37f09-75e2-52b3-8a90-b7b11e10fea1","created":"2021-07-02T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--f9ef10d4-24fa-51b3-be8d-0976127d0e91","target_ref":"intrusion-set--8d78636b-6595-571a-969a-e8f9ef5bfbac"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--61cf04d1-8f76-5fef-88e4-180a370f811b","created":"2022-06-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"RomCom","description":"Russia-aligned intrusion set conducting hybrid espionage and financially-motivated operations — ESET, Microsoft, and Unit 42 track it as a single actor straddling state-objective targeting (Ukrainian government, NATO summit attendees, European defense and energy organizations) and cybercrime (the Industrial Spy and Underground extortion brands). Repeated zero-day exploitation: WinRAR CVE-2023-38831 in 2023, a chained Firefox + Windows zero-day in November 2024, and a new WinRAR zero-day in August 2025.","first_seen":"2022-06-01T00:00:00.000Z","aliases":["Storm-0978","Tropical Scorpius","UNC2596","Void Rabisu","Underground Team"],"goals":["espionage","financial gain"],"primary_motivation":"personal-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","defense","energy","pharmaceutical","insurance","legal"],"x_threatintel_target_countries":["UA","US","DE","PL","CA","GB"],"x_threatintel_attack_techniques":["T1190","T1203","T1566.001","T1059.001"]},{"type":"report","spec_version":"2.1","id":"report--3efd9ee7-eee2-5144-b3e7-4d1a183991b8","created":"2025-08-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"RomCom exploits WinRAR zero-day in spear-phishing against EU + Canada","description":"ESET disclosed that RomCom had exploited a previously-unknown WinRAR vulnerability (CVE-2025-8088) in spear-phishing campaigns 18-21 July 2025 targeting financial, manufacturing, defense, and logistics organizations across Europe and Canada. The lure was malicious WinRAR archives delivering a cyber-espionage payload; WinRAR patched the bug in version 7.13 on 30 July 2025.","published":"2025-08-11T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--61cf04d1-8f76-5fef-88e4-180a370f811b"],"external_references":[{"source_name":"ESET Research","url":"https://www.eset.com/us/about/newsroom/research/eset-research-russian-romcom-group-exploits-new-vulnerability-targets-companies-in-europe-and-canada/"}],"labels":["zero-day","winrar","russia","espionage"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--f4f0a2ee-cec9-5a58-815e-84c31fcc484b","created":"2024-11-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"RomCom chains Firefox + Windows zero-days for click-less backdoor delivery","description":"ESET disclosed that RomCom chained two zero-days — a Firefox use-after-free (CVE-2024-9680) and a Windows local privilege escalation (CVE-2024-49039) — into a true zero-click exploit chain delivering the RomCom backdoor. The campaign targeted European and North American defense, energy, pharma, insurance, and legal organizations. Mozilla patched the Firefox bug on 9 October 2024; Microsoft patched the Windows escalation in the November 2024 cycle.","published":"2024-11-26T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--61cf04d1-8f76-5fef-88e4-180a370f811b"],"external_references":[{"source_name":"ESET Research","url":"https://www.welivesecurity.com/en/eset-research/romcom-exploits-firefox-and-windows-zero-days-in-the-wild/"}],"labels":["zero-day","zero-click","browser","russia"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--a1586834-3471-58ed-aa90-2398e70ec4f2","created":"2023-07-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN advanced-ip-scaner.com (RomCom RAT)","description":"Typosquat of advanced-ip-scanner.com used by Storm-0978 (Microsoft's tracker for the RomCom operator) to deliver trojanized installers - documented in the Microsoft Security Blog write-up that disclosed CVE-2023-36884 exploitation.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'advanced-ip-scaner.com']","pattern_type":"stix","valid_from":"2023-07-11T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2023/07/11/storm-0978-attacks-reveal-financial-and-espionage-motives/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--e814d60d-d23b-5f90-863e-db4bc4759869","created":"2023-07-11T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--a1586834-3471-58ed-aa90-2398e70ec4f2","target_ref":"intrusion-set--61cf04d1-8f76-5fef-88e4-180a370f811b"},{"type":"indicator","spec_version":"2.1","id":"indicator--af14ac5b-c608-5d7a-9be8-8cdb085ab878","created":"2022-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 b5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53 (RomCom RAT)","description":"ROMCOM RAT sample observed by Palo Alto Networks Unit 42 in the August 2022 Tropical Scorpius / Cuba ransomware intrusions - the first public attribution of the backdoor to this operator.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'b5978cf7d0c275d09bedf09f07667e139ad7fed8f9e47742e08c914c5cf44a53']","pattern_type":"stix","valid_from":"2022-08-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Palo Alto Networks Unit 42","url":"https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0b7445d1-a6f6-55bb-88e2-980209f58c98","created":"2022-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--af14ac5b-c608-5d7a-9be8-8cdb085ab878","target_ref":"intrusion-set--61cf04d1-8f76-5fef-88e4-180a370f811b"},{"type":"indicator","spec_version":"2.1","id":"indicator--b258a845-094d-57f4-96d7-645ea5e37c81","created":"2022-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN combinedresidency.org (RomCom RAT)","description":"Tropical Scorpius staging domain documented by Unit 42 in their August 2022 Cuba ransomware / ROMCOM report. Listed alongside optasko[.]com as actor-controlled infrastructure.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'combinedresidency.org']","pattern_type":"stix","valid_from":"2022-08-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Palo Alto Networks Unit 42","url":"https://unit42.paloaltonetworks.com/cuba-ransomware-tropical-scorpius/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--09a35d6a-2a0d-55c9-81e4-7337ceebdcb9","created":"2022-08-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--b258a845-094d-57f4-96d7-645ea5e37c81","target_ref":"intrusion-set--61cf04d1-8f76-5fef-88e4-180a370f811b"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--548b00e6-0c36-5bd9-8de7-b2e007a5bdae","created":"2019-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Salt Typhoon","description":"PRC state-backed actor responsible for the 2024 intrusions into U.S. commercial telecommunications providers — among the most consequential telecom-targeted operations on the public record. Operates against ISP and telecom network infrastructure to enable lawful-intercept abuse and broad collection against U.S. policy and political targets. CISA and the FBI confirmed the campaign in joint guidance throughout late 2024 and early 2025.","first_seen":"2019-01-01T00:00:00.000Z","aliases":["GhostEmperor","UNC2286","FamousSparrow"],"goals":["espionage","collection"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["telecommunications","isp","government"],"x_threatintel_target_countries":["US"],"x_threatintel_attack_techniques":["T1190","T1078.004","T1556","T1071.001"]},{"type":"report","spec_version":"2.1","id":"report--0371ca93-3c10-5024-a120-ac97eb477a15","created":"2025-08-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"13-nation joint advisory AA25-239A on PRC global telecom espionage","description":"CISA, FBI, NSA and 12 partner-nation cyber agencies issued joint cybersecurity advisory AA25-239A, attributing the long-running global compromise of telecommunications, government, transportation, lodging, and military networks to PRC state-sponsored activity that partially overlaps with the cluster vendor reporting calls Salt Typhoon (also OPERATOR PANDA, RedMike, UNC5807, GhostEmperor).","published":"2025-08-27T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--548b00e6-0c36-5bd9-8de7-b2e007a5bdae"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a"}],"labels":["five-eyes","telecom","espionage","joint-advisory"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--537e68a7-e23c-5dfe-9a88-159facc2efa9","created":"2024-12-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"CISA + partners issue Salt Typhoon defender guidance to telecom sector","description":"CISA, NSA, FBI, and Five Eyes partners released joint guidance to U.S. and allied communications-infrastructure operators on hardening against the PRC-attributed Salt Typhoon campaign. Wall Street Journal reporting in early October 2024 had already disclosed compromises at AT&T, Verizon, Lumen, and T-Mobile; Senate Intelligence Chair Mark Warner characterized the campaign as 'the worst telecom hack in our nation's history,' citing access to call metadata, unencrypted SMS, and lawful-intercept systems.","published":"2024-12-04T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--548b00e6-0c36-5bd9-8de7-b2e007a5bdae"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/news/enhanced-visibility-and-hardening-guidance-communications-infrastructure"}],"labels":["telecom","espionage","five-eyes","lawful-intercept"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--c42a0a22-2084-55f8-a034-d76612ee3ba0","created":"2025-08-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 eba9ae70d1b22de67b0eba160a6762d8","description":"MD5 of `cmd3`, a Linux/Go SFTP staging client paired with `cmd1` in Salt Typhoon intrusions. Listed in Table 4 of the joint AA25-239A advisory; written by the same developer as `cmd1` based on shared Go build paths (`C:/work/sync/cmd/...`).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = 'eba9ae70d1b22de67b0eba160a6762d8']","pattern_type":"stix","valid_from":"2025-08-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA / NSA / FBI","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--58029d8b-3efb-5803-823e-dcabf2cd9f4e","created":"2025-08-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--c42a0a22-2084-55f8-a034-d76612ee3ba0","target_ref":"intrusion-set--548b00e6-0c36-5bd9-8de7-b2e007a5bdae"},{"type":"indicator","spec_version":"2.1","id":"indicator--d2b0942d-f56a-5f84-87d3-1989659cff41","created":"2025-08-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4","description":"SHA-256 of `cmd1`, a Linux/Go custom SFTP client used by the Salt Typhoon / GhostEmperor cluster to stage and exfiltrate encrypted archives. Listed in Table 5 of the September 2025 joint advisory `Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System` (AA25-239A).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'f2bbba1ea0f34b262f158ff31e00d39d89bbc471d04e8fca60a034cabe18e4f4']","pattern_type":"stix","valid_from":"2025-08-27T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA / NSA / FBI","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-239a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c6d6854f-ad2d-5426-b0d0-ca00085627fe","created":"2025-08-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--d2b0942d-f56a-5f84-87d3-1989659cff41","target_ref":"intrusion-set--548b00e6-0c36-5bd9-8de7-b2e007a5bdae"},{"type":"indicator","spec_version":"2.1","id":"indicator--cdbd11fc-f6f5-5617-8520-1a669359ece9","created":"2021-09-30T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"MD5 7394229455151a9cd036383027a1536b (Demodex)","description":"MD5 of the Demodex kernel-mode rootkit driver published by Kaspersky in the September 2021 disclosure that originally named the actor `GhostEmperor` - the cluster now publicly tracked by U.S. agencies as Salt Typhoon. Loaded by bypassing Driver Signature Enforcement via the signed Cheat Engine driver `dbk64.sys`.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'MD5' = '7394229455151a9cd036383027a1536b']","pattern_type":"stix","valid_from":"2021-09-30T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Kaspersky (Securelist)","url":"https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--4a0d2e02-c399-5afe-bcb5-4a1b12ddcc21","created":"2021-09-30T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--cdbd11fc-f6f5-5617-8520-1a669359ece9","target_ref":"intrusion-set--548b00e6-0c36-5bd9-8de7-b2e007a5bdae"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff","created":"2009-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Sandworm","description":"Russian military-intelligence (GRU Unit 74455) intrusion set responsible for some of the most destructive cyberattacks publicly attributed to a nation-state: the 2015 and 2016 Ukrainian power-grid outages, the 2017 NotPetya wiper outbreak (the costliest cyberattack in history), and the 2018 Olympic Destroyer attack against the Winter Olympics. Operations continue against Ukrainian critical infrastructure, including the 2022 Industroyer2 attempt.","first_seen":"2009-01-01T00:00:00.000Z","aliases":["Voodoo Bear","Seashell Blizzard","IRIDIUM","TeleBots","BlackEnergy Group"],"goals":["destruction","disruption","espionage"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["energy","government","transportation","media","ics"],"x_threatintel_target_countries":["UA","GE","US","FR","KR","PL"],"x_threatintel_attack_techniques":["T0827","T1485","T1486","T0817"]},{"type":"report","spec_version":"2.1","id":"report--006f32de-dad8-55ea-b182-0d8d3eb312aa","created":"2025-02-12T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Microsoft details Seashell Blizzard 'BadPilot' subgroup multi-year access ops","description":"Microsoft Threat Intelligence published research on a Sandworm (Seashell Blizzard) subgroup it tracks as BadPilot, active since at least 2021, that opportunistically exploits internet-facing appliances (notably ConnectWise ScreenConnect and Fortinet FortiClient EMS since early 2024) to establish persistent access for follow-on Sandworm operations. Targets since 2024 expanded to U.S. and U.K. organizations across energy, oil and gas, telecommunications, shipping, arms manufacturing, and government.","published":"2025-02-12T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"],"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/"}],"labels":["initial-access","edge-devices","gru","us","uk"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--6e037fbc-95d7-57a1-98af-22ea254ddcae","created":"2020-10-19T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ indicts six GRU Unit 74455 officers","description":"The U.S. Department of Justice unsealed an indictment charging six officers of the Russian GRU's Unit 74455 (Sandworm) in connection with a years-long campaign that included the 2015 and 2016 Ukraine power-grid attacks, the 2017 NotPetya outbreak, the 2018 Olympic Destroyer attack against the PyeongChang Winter Olympics, and operations against the 2017 French elections.","published":"2020-10-19T00:00:00.000Z","report_types":["indictment"],"object_refs":["intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and"}],"labels":["doj","indictment","gru"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--97f74208-5e71-57d3-9218-00973e49a21c","created":"2017-06-27T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"NotPetya wiper outbreak via M.E.Doc supply chain","description":"A destructive wiper masquerading as ransomware spread globally via a trojanized update to M.E.Doc, a Ukrainian accounting software package. Damages were later estimated at over USD 10 billion, making NotPetya the costliest cyberattack on record. The U.S., U.K., and other governments publicly attributed the operation to the Russian GRU.","published":"2017-06-27T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"],"external_references":[{"source_name":"UK National Cyber Security Centre","url":"https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack"}],"labels":["wiper","supply-chain","ukraine","destruction"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--1ad80aec-8a63-537c-8378-d89c1029c43d","created":"2015-12-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Coordinated attack on Ukrainian electricity distribution","description":"Three Ukrainian regional electricity distribution companies (oblenergos) were simultaneously attacked, cutting power to approximately 225,000 customers for several hours. ICS-CERT and later attribution work tied the operation to Sandworm; this is widely regarded as the first publicly confirmed cyberattack to cause a power outage.","published":"2015-12-23T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"],"external_references":[{"source_name":"CISA (ICS-CERT)","url":"https://www.cisa.gov/news-events/ics-alerts/ir-alert-h-16-056-01"}],"labels":["ics","ukraine","destruction","energy"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--ec4414c8-b3c9-5b77-8bba-c0ea090c426c","created":"2022-04-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA1 fd9c17c35a68fc505235e20c6e50c622aed8dea0 (Industroyer2)","description":"Industroyer2 sample (108_100.exe), an IEC-104 ICS-disruption tool that Sandworm deployed against a Ukrainian energy provider on 8 April 2022. Discovery and IOC publication by ESET working with CERT-UA; ESET assesses Sandworm responsibility with high confidence.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-1' = 'fd9c17c35a68fc505235e20c6e50c622aed8dea0']","pattern_type":"stix","valid_from":"2022-04-08T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"ESET","url":"https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--b1dee4cf-b5a3-5f41-a4f4-5df7eaccd589","created":"2022-04-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--ec4414c8-b3c9-5b77-8bba-c0ea090c426c","target_ref":"intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"},{"type":"indicator","spec_version":"2.1","id":"indicator--e2c708f6-a14f-5eb9-9254-ef3010dc25ea","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a (AcidRain)","description":"AcidRain - MIPS ELF wiper (filename 'ukrop') that bricked modems on Viasat's KA-SAT network on 24 February 2022, disrupting service across Ukraine and downstream wind-turbine telemetry in Germany. SentinelLabs published the hash and noted code overlap with VPNFilter (attributed to Sandworm).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a']","pattern_type":"stix","valid_from":"2022-02-24T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"SentinelLabs","url":"https://www.sentinelone.com/labs/acidrain-a-modem-wiper-rains-down-on-europe/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--b2434772-57b4-5658-8106-83ca5603fb2e","created":"2022-02-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e2c708f6-a14f-5eb9-9254-ef3010dc25ea","target_ref":"intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"},{"type":"indicator","spec_version":"2.1","id":"indicator--007b613f-92db-578f-93b5-7cd783f696c8","created":"2022-02-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591 (HermeticWiper)","description":"HermeticWiper / Trojan.Killdisk sample (Symantec Threat Hunter Team), deployed against Ukrainian organisations from 23 February 2022. Listed in CISA / FBI joint advisory AA22-057A appendix Table 2. The campaign is widely attributed to GRU Unit 74455 (Sandworm).","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = '1bc44eef75779e3ca1eefb8ff5a64807dbc942b1e4a2672d77b9f6928d292591']","pattern_type":"stix","valid_from":"2022-02-23T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-057a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--5f9ae9a1-3207-5462-8827-ec264bf7120b","created":"2022-02-23T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--007b613f-92db-578f-93b5-7cd783f696c8","target_ref":"intrusion-set--a74dace9-572b-58d1-a24d-d9143b5a8eff"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--a0f33e7d-b939-56ec-ab00-f57857e72a3d","created":"2022-05-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Scattered Spider","description":"Native-English-speaking financially-motivated crew, assessed to include members in the United States, United Kingdom, and Canada. Tradecraft centers on SIM-swap and voice-phishing of IT helpdesks to bypass MFA, followed by Okta and Azure AD identity-provider abuse. Most visible 2023 operations: the September 2023 intrusions into MGM Resorts (week-long casino floor disruption) and Caesars Entertainment ($15M ransom). Pivoted into BlackCat and later RansomHub affiliate work. Multiple arrests in 2024.","first_seen":"2022-05-01T00:00:00.000Z","aliases":["UNC3944","Octo Tempest","0ktapus","Roasted 0ktapus","Muddled Libra"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"cybercrime","x_threatintel_target_sectors":["telecommunications","hospitality","financial","technology","retail"],"x_threatintel_target_countries":["US","GB","CA","AU"],"x_threatintel_attack_techniques":["T1566.004","T1078.004","T1199","T1556"]},{"type":"report","spec_version":"2.1","id":"report--bf4212f3-7f76-56bd-8fed-8152bfb0652e","created":"2025-06-30T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Scattered Spider summer-2025 airline-sector wave: WestJet, Hawaiian, Qantas","description":"Two months after the April 2025 UK retail-sector wave, Scattered Spider operators pivoted to the aviation industry during the Northern-Hemisphere peak travel season. Confirmed compromises: **WestJet** (initial access 13 June, 1M+ customer records affected), **Hawaiian Airlines** (June 2025), and **Qantas** (third-party contact-centre platform, 30 June 2025; up to 6M passenger PII records exposed). Operationally identical to the M&S / Co-op wave: voice-phishing of help-desk and contact-centre staff, MFA-bypass through device- enrolment, supplier / SaaS pivot. The FBI issued a sector-specific advisory on Scattered Spider's airline targeting in late June 2025.","published":"2025-06-30T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--a0f33e7d-b939-56ec-ab00-f57857e72a3d"],"external_references":[{"source_name":"FBI Internet Crime Complaint Center (IC3)","url":"https://www.ic3.gov/PSA/2025/PSA250627"}],"labels":["aviation","social-engineering","saas-pivot","third-party","peak-season-targeting"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--f274c2b4-9092-5e94-98d9-7f95c666bf1d","created":"2025-04-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Scattered Spider compromises Marks & Spencer, Co-op, Harrods","description":"Scattered Spider operators executed coordinated intrusions against three of the UK's largest retailers in April 2025, ultimately deploying DragonForce ransomware against Marks & Spencer on 24 April. M&S subsequently disclosed an estimated £300M revenue impact (~$400M) — the costliest UK retail cyberattack on public record — with the Co-op disclosing £206M (~$277M). Initial access at M&S used compromised credentials from outsourced IT provider Tata Consultancy Services (TCS), a textbook Scattered Spider social-engineering pivot through a managed-services supplier. Active Directory contents were stolen during months of dwell time before encryption. UK NCA arrested four individuals, three of them teenagers, in July 2025.","published":"2025-04-24T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--a0f33e7d-b939-56ec-ab00-f57857e72a3d"],"external_references":[{"source_name":"UK National Crime Agency / National Cyber Security Centre","url":"https://www.nationalcrimeagency.gov.uk/news/four-arrested-in-connection-with-cyber-attacks"}],"labels":["supply-chain","managed-services","uk-retail","dragonforce","social-engineering"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--f7b1ddb1-09fb-5a5a-8b54-e05d1222506a","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME AveMaria (AveMaria/WarZone)","description":"Commodity remote-access trojan (also tracked as WarZone, MITRE S0670) used by Scattered Spider for hands-on-keyboard access post-compromise, per Table 2 of CISA AA23-320A.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'AveMaria']","pattern_type":"stix","valid_from":"2023-11-16T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--6da823c9-6de9-5487-8c3f-65d4aeb05796","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--f7b1ddb1-09fb-5a5a-8b54-e05d1222506a","target_ref":"intrusion-set--a0f33e7d-b939-56ec-ab00-f57857e72a3d"},{"type":"indicator","spec_version":"2.1","id":"indicator--e0aa4008-d4f5-5c9f-8a7d-669330d705c7","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME VIDAR Stealer (VIDAR)","description":"Information stealer listed in Table 2 of CISA AA23-320A as used by Scattered Spider for credential and cookie theft after initial help-desk social engineering.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'VIDAR Stealer']","pattern_type":"stix","valid_from":"2023-11-16T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--2b2dc83f-1d46-524d-b415-27658c46a838","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e0aa4008-d4f5-5c9f-8a7d-669330d705c7","target_ref":"intrusion-set--a0f33e7d-b939-56ec-ab00-f57857e72a3d"},{"type":"indicator","spec_version":"2.1","id":"indicator--4600c44a-4b18-587d-86e1-2652be13df20","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Raccoon Stealer (Raccoon Stealer)","description":"Information stealer (credentials, browser history, cookies) named in Table 2 of CISA/FBI joint advisory AA23-320A as part of Scattered Spider's post-access toolset.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Raccoon Stealer']","pattern_type":"stix","valid_from":"2023-11-16T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a8e38761-e07d-54c2-9b04-94ce8b9bd0ea","created":"2023-11-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--4600c44a-4b18-587d-86e1-2652be13df20","target_ref":"intrusion-set--a0f33e7d-b939-56ec-ab00-f57857e72a3d"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094","created":"2020-04-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ShinyHunters","description":"Financially-motivated cybercrime collective active since April 2020, responsible for some of the largest data-theft and extortion incidents of the post-2020 era. Operationally blends credential-stuffing of cloud-data platforms (Snowflake in 2024, Salesforce in 2025-2026) with traditional database exfiltration. Notable victim list includes AT&T (70M wireless subscribers, 2021 theft / 2024 disclosure), Tokopedia, Microsoft GitHub, Pixlr, the 2024 Snowflake-customer wave (Ticketmaster, Santander, Neiman Marcus, Advance Auto Parts, Pure Storage, Cylance), and the 2026 Salesforce-customer wave (McGraw Hill, plus others). Operators arrested in France, Morocco, Turkey, and Canada — Sébastien Raoult sentenced to three years (2024); Connor Riley Moucka ('Judische') arrested Ontario Oct 2024; John Erin Binns arrested Turkey May 2024; four additional members arrested in France Jun 2025. Mandiant tracks the Snowflake-wave subset as UNC5537.","first_seen":"2020-04-01T00:00:00.000Z","aliases":["ShinyCorp","UNC5537"],"goals":["financial gain"],"primary_motivation":"personal-gain","x_threatintel_kind":"cybercrime","x_threatintel_target_sectors":["technology","financial","education","retail","telecommunications"],"x_threatintel_target_countries":["US","GB","ES","CL","UY","FR","AU","CA"],"x_threatintel_attack_techniques":["T1078","T1530","T1567.002","T1213"]},{"type":"report","spec_version":"2.1","id":"report--68cbecff-a1b7-55fb-bebf-d934f7064ce9","created":"2026-04-16T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ShinyHunters extorts McGraw Hill via Salesforce misconfiguration","description":"ShinyHunters leaked 13.5 million McGraw Hill user accounts after exploiting a misconfigured Salesforce-hosted webpage to extract internal data. The leak — totalling 100GB+ of PII across customer-account records — followed the same operational pattern as the group's mid-2024 Snowflake-customer wave: credential-replay or misconfiguration exploitation against a cloud-data platform, mass exfiltration, and public extortion via leak-forum posting. McGraw Hill is one of several confirmed 2026 Salesforce-platform victims; researchers assess the broader campaign as ongoing.","published":"2026-04-16T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094"],"external_references":[{"source_name":"The Register","url":"https://www.theregister.com/2026/04/16/mcgraw_hill_salesforce/"}],"labels":["salesforce","misconfiguration","extortion","education"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--0ce2d0f6-8421-51b1-91ec-161f381a1778","created":"2025-10-06T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ShinyHunters launches 'Trinity of Chaos' Salesforce leak site, 39 victims listed","description":"Operators self-styling as 'Scattered Lapsus$ Hunters' — an explicit cross-brand merger of ShinyHunters, Scattered Spider, and Lapsus$ — launched a Salesforce-themed data- leak site naming 39 victim companies and claiming 1B+ stolen records in aggregate. Confirmed names on the site included Disney/Hulu, Toyota, Adidas, FedEx, Marriott, Google, Cisco, McDonald's, Walgreens, Instacart, HBO Max, Cartier, Air France-KLM, IKEA, TransUnion (4.4M consumer records), and others. Initial access vectors split between malicious-OAuth-app social engineering and exploitation of misconfigured public-facing Salesforce sites. The U.S. government later seized the leak-site domain; victim additions continued through Q1 2026.","published":"2025-10-06T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094"],"external_references":[{"source_name":"BleepingComputer","url":"https://www.bleepingcomputer.com/news/security/shinyhunters-starts-leaking-data-stolen-in-salesforce-attacks/"}],"labels":["salesforce","oauth-abuse","extortion","leak-site","brand-merge"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--6019a74c-64a9-5eea-ab14-b89357c6bfd6","created":"2024-05-30T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"ShinyHunters / UNC5537 Snowflake-customer mass-extortion wave","description":"Mandiant documented a sustained credential-stuffing campaign — tracked as UNC5537 with significant overlap to ShinyHunters — against Snowflake customer tenants lacking MFA. Credentials were harvested from prior infostealer infections on contractor and employee laptops, then replayed against ~165 Snowflake instances. The campaign produced the year's biggest data-breach headlines: Ticketmaster (560M records), Santander (30M customers across Spain / Chile / Uruguay), AT&T (call/SMS metadata for ~109M subscribers), Neiman Marcus, Advance Auto Parts, Pure Storage, and others. Alleged ringleader Connor Riley Moucka ('Judische') was arrested in Ontario on 30 October 2024.","published":"2024-05-30T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094"],"external_references":[{"source_name":"Google Cloud / Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"}],"labels":["credential-stuffing","cloud-data-platform","mass-extortion","infostealer-supply-chain"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--7f72fdde-25ad-5f3b-bd2d-a393d668ca4a","created":"2025-08-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME shinysp1d3r (ShinySp1d3r)","description":"RaaS brand launched on a Scattered Lapsus$ Hunters Telegram channel in August 2025, marketed alongside the Trinity of Chaos data-leak site that went live on the TOR network on 3 October 2025 listing 39 Salesforce/Salesloft victims.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'shinysp1d3r']","pattern_type":"stix","valid_from":"2025-08-08T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Resecurity","url":"https://www.resecurity.com/blog/article/shinyhunters-launches-data-leak-site-trinity-of-chaos-announces-new-ransomware-victims"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--303d2211-7598-5099-914e-220b0c7511fd","created":"2025-08-08T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--7f72fdde-25ad-5f3b-bd2d-a393d668ca4a","target_ref":"intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094"},{"type":"indicator","spec_version":"2.1","id":"indicator--6505f044-1982-5a59-b262-d891138ca674","created":"2024-05-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 45.27.26.205","description":"Sample VPS exfiltration IP (ALEXHOST SRL, AS200019) used by UNC5537 to stage stolen Snowflake-customer data. Listed in Mandiant's June 2024 disclosure.","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '45.27.26.205']","pattern_type":"stix","valid_from":"2024-05-22T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Mandiant (Google Cloud)","url":"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c4cb487f-8344-5a01-9b66-1cdb4ba718a5","created":"2024-05-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6505f044-1982-5a59-b262-d891138ca674","target_ref":"intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094"},{"type":"indicator","spec_version":"2.1","id":"indicator--6936c3f4-0976-57a8-88de-97d2307d65a1","created":"2024-04-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME FROSTBITE (FROSTBITE)","description":"Custom Snowflake reconnaissance utility (.NET and Java variants, attacker-named 'rapeflake') deployed by UNC5537 / ShinyHunters during the 2024 Snowflake-customer extortion campaign disclosed by Mandiant in June 2024.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'FROSTBITE']","pattern_type":"stix","valid_from":"2024-04-14T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Mandiant (Google Cloud)","url":"https://cloud.google.com/blog/topics/threat-intelligence/unc5537-snowflake-data-theft-extortion"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--f6d78ff4-7523-57c2-bced-2bf163c6eb82","created":"2024-04-14T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--6936c3f4-0976-57a8-88de-97d2307d65a1","target_ref":"intrusion-set--c1529841-8b64-56c6-bdb4-3305e6f19094"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774","created":"2017-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Spamouflage","description":"PRC state-coordinated influence operation publicly attributed by Meta and Microsoft as the largest known covert online influence operation, with infrastructure and behavioural overlap with the Chinese Ministry of Public Security. Pushes pro-PRC and anti-U.S. narratives across 50+ platforms and dozens of languages, with a heavy push during Taiwanese and U.S. elections. OpenAI banned Spamouflage-linked accounts in May 2024 for using ChatGPT to generate short multi-language social-media commentary.","first_seen":"2017-01-01T00:00:00.000Z","aliases":["Dragonbridge","Storm-1376","Taizi Flood","HaiEnergy"],"goals":["information operations"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["media","elections","civil society"],"x_threatintel_target_countries":["US","TW","GB","AU","CA","JP"],"x_threatintel_attack_techniques":["T1583.001","T1585.001"]},{"type":"report","spec_version":"2.1","id":"report--35005173-35cd-5bbb-832c-714080b6aefc","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Google exposes GLASSBRIDGE, a network of PRC PR firms laundering DRAGONBRIDGE narratives via fake news sites","description":"Google Threat Intelligence Group and Mandiant published a report on GLASSBRIDGE, an umbrella of four China-based commercial PR firms — Shanghai Haixun, Shenzhen Haimai Yunxiang, Shenzhen Bowen, and DURINBRIDGE — that operate hundreds of inauthentic websites posing as independent outlets from 30-plus countries. Google has blocked over 1,000 GLASSBRIDGE-operated sites from Google News and Discover since 2022, with DRAGONBRIDGE-aligned content — including signature attacks on Guo Wengui and Taiwan election narratives — identified on multiple GLASSBRIDGE properties.","published":"2024-11-22T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"],"external_references":[{"source_name":"Google Threat Intelligence Group / Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations"}],"labels":["report","glassbridge","influence-laundering","fake-news-sites"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--3dea9f9f-2f31-5262-b5df-c244c8a026bb","created":"2024-06-26T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Google TAG reports disrupting over 10,000 DRAGONBRIDGE instances in Q1 2024","description":"Google Threat Analysis Group reported disrupting more than 10,000 instances of DRAGONBRIDGE (Spamouflage) activity across YouTube and Blogger in the first quarter of 2024, bringing the lifetime total to over 175,000 disrupted instances. TAG observed the operation experimenting with AI-generated news anchors and synthetic audio while targeting Taiwan's January 2024 election, US social divisions, and economic narratives, but found organic engagement remained negligible.","published":"2024-06-26T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"],"external_references":[{"source_name":"Google Threat Analysis Group","url":"https://blog.google/threat-analysis-group/google-disrupted-dragonbridge-activity-q1-2024/"}],"labels":["report","dragonbridge","google-tag","ai-generated"],"x_threatintel_severity":"medium"},{"type":"report","spec_version":"2.1","id":"report--f79b5d17-0e04-5f1d-a096-5c58a70e678d","created":"2024-04-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Microsoft documents Storm-1376 AI-driven influence operations targeting Taiwan election and Maui wildfires","description":"Microsoft Threat Analysis Center's April 2024 East Asia report described Storm-1376 — Microsoft's designation for Spamouflage/DRAGONBRIDGE — using AI-generated content at scale. The group circulated deepfake audio of Foxconn founder Terry Gou falsely endorsing a Taiwanese presidential candidate ahead of the January 2024 election (removed by YouTube), and during the August 2023 Maui wildfires pushed a 'weather weapon' conspiracy in at least 31 languages with AI-generated imagery. Microsoft assessed it as the first observed nation-state use of AI content to influence a foreign election.","published":"2024-04-04T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"],"external_references":[{"source_name":"Microsoft Threat Analysis Center","url":"https://www.microsoft.com/en-us/security/security-insider/threat-landscape/east-asia-threat-actors-employ-unique-methods"}],"labels":["report","storm-1376","ai-influence","taiwan-election"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--2235b47b-6994-5d5c-a64f-82aed09a9eba","created":"2023-08-29T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Meta links Spamouflage to Chinese law enforcement and removes 7,704 Facebook accounts","description":"Meta announced in its Q2 2023 Adversarial Threat Report the removal of 7,704 Facebook accounts, 954 Pages, 15 Groups, and 15 Instagram accounts attributed to Spamouflage in what the company called its largest single takedown to date. For the first time Meta publicly linked the operation to individuals associated with Chinese law enforcement, describing it as the largest known cross-platform covert influence operation in the world, active across more than 50 platforms and targeting Taiwan, the US, UK, Australia, Japan, and global Chinese-speaking audiences.","published":"2023-08-29T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"],"external_references":[{"source_name":"Meta","url":"https://about.fb.com/news/2023/08/raising-online-defenses/"}],"labels":["announcement","takedown","meta","coordinated-inauthentic-behavior"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--51b580fa-1ac9-5219-87b6-4a362494ec5b","created":"2021-02-04T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Graphika publishes 'Spamouflage Breakout' documenting expanded US-targeted activity","description":"Graphika released 'Spamouflage Breakout', tracking the pro-Beijing influence network's pivot toward US-focused content between summer 2020 and January 2021. The report found Spamouflage produced more than 1,400 videos in the period, attacking President Trump, Secretary of State Pompeo, and after the inauguration the Democratic Party, while pushing the narrative that 'American democracy is not a model that any country should emulate'. Graphika noted growing persona sophistication but still limited authentic reach.","published":"2021-02-04T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"],"external_references":[{"source_name":"Graphika","url":"https://graphika.com/reports/spamouflage-breakout"}],"labels":["report","influence-operation","graphika"],"x_threatintel_severity":"medium"},{"type":"indicator","spec_version":"2.1","id":"indicator--e5c7432e-e832-5919-9ea3-ce6b838e7587","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN taiwanweekly.com","description":"Inauthentic news site operated by Shanghai Haixun Technology within the GLASSBRIDGE network and used to distribute pro-PRC content amplifying DRAGONBRIDGE narratives, per Google/Mandiant November 2024 reporting.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'taiwanweekly.com']","pattern_type":"stix","valid_from":"2024-11-22T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Google Threat Intelligence Group / Mandiant","url":"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--41b68a41-b6b1-559d-bae9-dda124bd64ab","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e5c7432e-e832-5919-9ea3-ce6b838e7587","target_ref":"intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"},{"type":"indicator","spec_version":"2.1","id":"indicator--90c930d1-89ef-5c8a-942c-1ddff8cdbcfc","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN japandigest.net","description":"Inauthentic news site operated by Shenzhen Bowen Media as part of the GLASSBRIDGE network used to launder pro-PRC and DRAGONBRIDGE narratives, per Google Threat Intelligence Group's November 2024 disclosure.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'japandigest.net']","pattern_type":"stix","valid_from":"2024-11-22T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Google Threat Intelligence Group","url":"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--a79cfa2a-dea2-5fc7-b332-a8a4d1f483dc","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--90c930d1-89ef-5c8a-942c-1ddff8cdbcfc","target_ref":"intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"},{"type":"indicator","spec_version":"2.1","id":"indicator--71231a69-33ae-5470-938c-78837a2495e1","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOMAIN dailydispatcher.com","description":"Inauthentic outlet operated by DURINBRIDGE, identified by Google Threat Intelligence Group as republishing DRAGONBRIDGE articles within the broader GLASSBRIDGE ecosystem of PRC-aligned fake news sites.","indicator_types":["malicious-activity"],"pattern":"[domain-name:value = 'dailydispatcher.com']","pattern_type":"stix","valid_from":"2024-11-22T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Google Threat Intelligence Group","url":"https://cloud.google.com/blog/topics/threat-intelligence/glassbridge-pro-prc-influence-operations"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--340b7b0b-45be-5f8f-9b04-ad290ae927b0","created":"2024-11-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--71231a69-33ae-5470-938c-78837a2495e1","target_ref":"intrusion-set--2f71d1b1-c7cd-5c3a-8c3a-32d6eda1f774"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--dfb91116-4185-5e4c-8e9b-296e35270848","created":"2023-05-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Storm-0558","description":"PRC-attributed intrusion set identified by Microsoft in July 2023 after it forged authentication tokens using a stolen Microsoft MSA consumer signing key, enabling access to the Exchange Online mailboxes of approximately 25 organizations including the U.S. State Department and Commerce Department. The Cyber Safety Review Board's April 2024 report concluded Microsoft's security culture was inadequate and that the intrusion was 'preventable'. Microsoft revoked the compromised key and migrated Exchange Online token signing to more secure infrastructure. The exact method by which the adversary obtained the signing key has not been fully disclosed publicly.","first_seen":"2023-05-15T00:00:00.000Z","last_seen":"2023-07-11T00:00:00.000Z","goals":["espionage","collection"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","diplomatic","technology"],"x_threatintel_target_countries":["US","GB"],"x_threatintel_attack_techniques":["T1550.001","T1078.004","T1114.002","T1606.002"]},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--ea01cb6c-b5bb-5040-a376-568812f57791","created":"2004-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Turla","description":"Russian state-sponsored actor publicly attributed to FSB Center 16. One of the longest-running espionage sets on record, known for the Snake (Uroburos) implant — a sophisticated peer-to-peer covert communications framework used against diplomatic, military, and research targets in NATO countries. The U.S. DOJ disrupted the Snake network in 2023 via Operation MEDUSA.","first_seen":"2004-01-01T00:00:00.000Z","aliases":["Snake","Venomous Bear","Secret Blizzard","Iron Hunter","Waterbug"],"goals":["espionage"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","diplomatic","military","research"],"x_threatintel_target_countries":["US","DE","GB","FR","AT","CH","BE"],"x_threatintel_attack_techniques":["T1071.001","T1090.003","T1027","T1098"]},{"type":"report","spec_version":"2.1","id":"report--eaf2f32d-c0ab-5dec-a178-fcc069e03166","created":"2023-05-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ disrupts Snake malware network (Operation MEDUSA)","description":"The U.S. Department of Justice announced a court-authorized operation that disrupted the Snake malware peer-to-peer network operated by FSB Center 16 (Turla). The operation used a tool called PERSEUS to issue commands that caused Snake implants on compromised computers worldwide to overwrite themselves.","published":"2023-05-09T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--ea01cb6c-b5bb-5040-a376-568812f57791"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled"}],"labels":["doj","disruption","snake","fsb"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--80d36ed6-febf-5298-bdd0-b9df8d632054","created":"2023-05-09T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint advisory AA23-129A: Hunting Russian Intelligence Snake Malware","description":"CISA, FBI, NSA, and Five Eyes partners released a joint advisory publicly attributing the Snake implant to FSB Center 16, describing the architecture of the global peer-to-peer network, and providing technical detection guidance for defenders.","published":"2023-05-09T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--ea01cb6c-b5bb-5040-a376-568812f57791"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a"}],"labels":["five-eyes","snake","fsb"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--89256b50-7078-589e-b246-48437c2a56a4","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME Snake (Uroburos) (Snake)","description":"Sophisticated modular peer-to-peer implant attributed to FSB Center 16 (Turla). Known under multiple names — Snake, Uroburos, Turla, EkulturaFS — across ~20 years of operation. Disrupted by the U.S. DOJ's Operation MEDUSA in May 2023.","indicator_types":["malicious-activity"],"pattern":"[file:name = 'Snake (Uroburos)']","pattern_type":"stix","valid_from":"2014-01-01T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--c8159425-dba9-5b7c-b9b5-49a47c66d859","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--89256b50-7078-589e-b246-48437c2a56a4","target_ref":"intrusion-set--ea01cb6c-b5bb-5040-a376-568812f57791"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--7b266422-ebd6-5039-9351-5fc96a0c79d8","created":"2022-07-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Void Manticore","description":"Iranian state-sponsored intrusion set publicly attributed to the Ministry of Intelligence and Security (MOIS), specialised in destructive operations and conducting them under a rotating set of public-facing hacktivist personas — most prominently **Homeland Justice** (Albania 2022), **Karma** (Israel 2023), and **Handala** (Israel + U.S. 2023-2026). Tradecraft splits across two MOIS units: Scarred Manticore (Storm-0861) gains initial access and exfiltrates, then Void Manticore deploys destructive wipers (Cl Wiper, No-Justice / LowEraser) and orchestrates the persona-driven leak / branding stage. The MITRE ATT&CK G1055 entry consolidates the persona ecosystem under this name. The March 2026 Stryker compromise (claimed by Handala) is the operation's first confirmed major U.S. multinational victim outside Israel.","first_seen":"2022-07-01T00:00:00.000Z","aliases":["Storm-0842","DEV-0842","BANISHED KITTEN","Red Sandstorm","Cobalt Mystique"],"goals":["destruction","information operations","espionage"],"primary_motivation":"organizational-gain","labels":["country:IR"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["government","defense","technology","manufacturing","healthcare","education"],"x_threatintel_target_countries":["IL","AL","US","AE"],"x_threatintel_attack_techniques":["T1485","T1561.002","T1190","T1078"]},{"type":"report","spec_version":"2.1","id":"report--4164b6f2-4366-54b6-b3c4-d2e01f96ebc4","created":"2024-05-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Check Point documents Void Manticore / Scarred Manticore MOIS handoff","description":"In a companion blog post Check Point described a systematic handoff procedure between two MOIS-affiliated groups: Scarred Manticore (Storm-0861) gains initial access and exfiltrates data over extended dwell times, then transfers the foothold to Void Manticore (Storm-0842) which executes destructive wipes paired with leak-site disclosure. The pattern was observed in the 2022 Albanian government intrusions ('Homeland Justice') and again across 2023-2024 attacks on Israeli targets under the 'Karma' persona.","published":"2024-05-20T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--7b266422-ebd6-5039-9351-5fc96a0c79d8"],"external_references":[{"source_name":"Check Point","url":"https://blog.checkpoint.com/research/unveiling-void-manticore-structured-collaboration-between-espionage-and-destruction-in-mois/"}],"labels":["mois","scarred-manticore","wiper","albania","israel"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--b7b8821d-7b41-5b61-a982-551a1fe43529","created":"2024-05-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Check Point Research details Void Manticore wipers and Karma persona","description":"Check Point Research published 'Bad Karma, No Justice,' attributing destructive wiper operations against Israeli organisations to Void Manticore — an Iranian MOIS-linked actor that Microsoft tracks as Storm-0842. The report catalogues custom wipers including BiBi (Windows and Linux variants), CIWiper, LowEraser/Pinky, and JustMBR, alongside manual destruction using Windows Format and SDelete. Void Manticore fronts the Karma and Homeland Justice leak-and-influence personas in Israel and Albania respectively.","published":"2024-05-20T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--7b266422-ebd6-5039-9351-5fc96a0c79d8"],"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"}],"labels":["wiper","bibi-wiper","karma","homeland-justice","mois"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--492c93eb-92cf-529f-9500-914b87d5f941","created":"2022-07-15T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Homeland Justice persona disrupts Albanian government IT under MOIS direction","description":"In mid-July 2022 destructive intrusions disrupted Albanian government services and the Total Information Management System (TIMS) used at border crossings, claimed via the 'Homeland Justice' leak site. Albania severed diplomatic relations with Iran in September 2022, and subsequent vendor reporting (Microsoft, Check Point, Mandiant) attributed the destructive component to the MOIS cluster now tracked as Void Manticore / Storm-0842, with initial access handed off from Scarred Manticore.","published":"2022-07-15T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--7b266422-ebd6-5039-9351-5fc96a0c79d8"],"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"}],"labels":["albania","homeland-justice","wiper","government"],"x_threatintel_severity":"high"},{"type":"indicator","spec_version":"2.1","id":"indicator--8b932c43-8d4c-53f4-8541-51bf48643fee","created":"2024-05-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"IPV4 64.176.169.22","description":"IP address listed in Check Point Research's Void Manticore IOC appendix (May 2024 report on destructive activities in Israel).","indicator_types":["malicious-activity"],"pattern":"[ipv4-addr:value = '64.176.169.22']","pattern_type":"stix","valid_from":"2024-05-20T00:00:00.000Z","confidence":50,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--589644d0-9a06-5b76-a3b0-c92c6e3fe498","created":"2024-05-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--8b932c43-8d4c-53f4-8541-51bf48643fee","target_ref":"intrusion-set--7b266422-ebd6-5039-9351-5fc96a0c79d8"},{"type":"indicator","spec_version":"2.1","id":"indicator--e31a9764-c4b4-512f-94c4-9db32aeb0679","created":"2024-05-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"SHA256 D0C03D40772CD468325BBC522402F7B737F18B8F37A89BACC5C8A00C2B87BFC6 (BiBi Wiper)","description":"SHA-256 listed in Check Point Research's May 2024 'Bad Karma, No Justice' report on Void Manticore. The actor uses BiBi wiper (Linux and Windows variants) along with CIWiper and partition wipers in destructive operations against Israeli and Albanian targets.","indicator_types":["malicious-activity"],"pattern":"[file:hashes.'SHA-256' = 'D0C03D40772CD468325BBC522402F7B737F18B8F37A89BACC5C8A00C2B87BFC6']","pattern_type":"stix","valid_from":"2024-05-20T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"Check Point Research","url":"https://research.checkpoint.com/2024/bad-karma-no-justice-void-manticore-destructive-activities-in-israel/"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--0e70b141-b7a1-5b49-ad54-7817997d37e9","created":"2024-05-20T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--e31a9764-c4b4-512f-94c4-9db32aeb0679","target_ref":"intrusion-set--7b266422-ebd6-5039-9351-5fc96a0c79d8"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--8da23e49-ca00-5c41-9869-0d795a9187ea","created":"2021-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Volt Typhoon","description":"PRC state-sponsored actor focused on pre-positioning in U.S. critical infrastructure (communications, energy, transportation, water). Heavy use of living-off-the-land techniques and small-office/home-office router botnets to obscure command-and-control. Joint CISA/NSA/FBI advisory in 2024 assessed the activity as preparation for disruptive or destructive cyberattacks against U.S. infrastructure in a crisis.","first_seen":"2021-01-01T00:00:00.000Z","aliases":["VANGUARD PANDA","BRONZE SILHOUETTE"],"goals":["espionage","pre-positioning"],"primary_motivation":"organizational-gain","labels":["country:CN"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["communications","energy","transportation","water"],"x_threatintel_target_countries":["US","GU"],"x_threatintel_attack_techniques":["T1059.003","T1021.001","T1090.003","T1556"]},{"type":"report","spec_version":"2.1","id":"report--589941c5-e019-538a-a67b-77d7ec509827","created":"2024-08-22T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Volt Typhoon exploits Versa Director zero-day (CVE-2024-39717)","description":"Lumen Black Lotus Labs disclosed that Volt Typhoon had been exploiting a zero-day in Versa Director (CVE-2024-39717) since at least 12 June 2024 to drop a custom Java web shell, VersaMem, on internet-facing SD-WAN management appliances at U.S. ISPs and MSPs and one non-U.S. provider. The web shell harvested credentials in process memory to enable downstream access — consistent with Volt Typhoon's pattern of stealthy pre-positioning in critical-infrastructure adjacent networks.","published":"2024-08-22T00:00:00.000Z","report_types":["compromise"],"object_refs":["intrusion-set--8da23e49-ca00-5c41-9869-0d795a9187ea"],"external_references":[{"source_name":"Lumen Black Lotus Labs","url":"https://blog.lumen.com/uncovering-the-versa-director-zero-day-exploitation/"}],"labels":["zero-day","isp","sd-wan","living-off-the-land"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--d35d5429-9d87-5623-af89-9db48a5aa71b","created":"2024-02-07T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Joint CISA/NSA/FBI advisory AA24-038A on Volt Typhoon","description":"CISA, NSA, FBI, and partners assessed with high confidence that Volt Typhoon's pre-positioning in U.S. critical infrastructure is intended to enable disruptive or destructive cyberattacks in the event of a major crisis or conflict — a notable shift in stated PRC intent.","published":"2024-02-07T00:00:00.000Z","report_types":["advisory"],"object_refs":["intrusion-set--8da23e49-ca00-5c41-9869-0d795a9187ea"],"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a"}],"labels":["aa24-038a","critical-infrastructure","pre-positioning"],"x_threatintel_severity":"critical"},{"type":"report","spec_version":"2.1","id":"report--d28f44a0-b072-5ca6-863c-5a9c0544ce62","created":"2024-01-31T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"DOJ disrupts KV-botnet of compromised SOHO routers","description":"DOJ and FBI announced a court-authorized operation that removed Volt Typhoon malware from hundreds of U.S.-based end-of-life Cisco and NetGear SOHO routers that had been co-opted into the KV-botnet used to obscure the actor's operational traffic.","published":"2024-01-31T00:00:00.000Z","report_types":["announcement"],"object_refs":["intrusion-set--8da23e49-ca00-5c41-9869-0d795a9187ea"],"external_references":[{"source_name":"U.S. Department of Justice","url":"https://www.justice.gov/opa/pr/us-government-disrupts-botnet-peoples-republic-china-used-conceal-hacking-us-critical"}],"labels":["botnet-takedown","soho-router","kv-botnet"],"x_threatintel_severity":"high"},{"type":"report","spec_version":"2.1","id":"report--9d458505-5aeb-5874-8ea0-17bfa9b9f6cb","created":"2023-05-24T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"Volt Typhoon publicly named, targeting U.S. critical infrastructure","description":"Microsoft publicly disclosed Volt Typhoon, a PRC state-sponsored actor pre-positioning in U.S. critical infrastructure networks — communications, manufacturing, utilities, transportation, construction, maritime, government, IT, and education — with heavy use of living-off-the-land binaries.","published":"2023-05-24T00:00:00.000Z","report_types":["report"],"object_refs":["intrusion-set--8da23e49-ca00-5c41-9869-0d795a9187ea"],"external_references":[{"source_name":"Microsoft Threat Intelligence","url":"https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/"}],"labels":["lotl","critical-infrastructure","pre-positioning"],"x_threatintel_severity":"critical"},{"type":"indicator","spec_version":"2.1","id":"indicator--989e2b83-42a8-56f1-9be0-7cd8dceab3ef","created":"2024-01-31T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"FILE_NAME KV-botnet (KV-botnet)","description":"Operator-named botnet family running on compromised end-of-life SOHO routers (predominantly Cisco RV320/325, NETGEAR ProSAFE, Axis IP cameras). Used as obfuscation infrastructure for Volt Typhoon operations; the DOJ disrupted the network in Operation Dying Ember (announced 31 Jan 2024).","indicator_types":["malicious-activity"],"pattern":"[file:name = 'KV-botnet']","pattern_type":"stix","valid_from":"2024-01-31T00:00:00.000Z","confidence":85,"external_references":[{"source_name":"CISA","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a"}]},{"type":"relationship","spec_version":"2.1","id":"relationship--e87ad056-bc47-5e49-835c-a526dc2739eb","created":"2024-01-31T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","relationship_type":"indicates","source_ref":"indicator--989e2b83-42a8-56f1-9be0-7cd8dceab3ef","target_ref":"intrusion-set--8da23e49-ca00-5c41-9869-0d795a9187ea"},{"type":"intrusion-set","spec_version":"2.1","id":"intrusion-set--ab8f78ea-fd0c-54a9-bbb6-1e826f917f8f","created":"2014-01-01T00:00:00.000Z","modified":"2026-05-19T06:05:14.000Z","name":"XENOTIME","description":"Russian state-sponsored intrusion set responsible for the December 2017 TRITON/TRISIS malware attack on the Triconex safety instrumented system (SIS) at a Saudi Arabian petrochemical facility — the first publicly-known cyberattack deliberately designed to target industrial safety systems and risk loss of life. FireEye/Mandiant publicly disclosed the attack in December 2017, attributing the malware to the TRITON framework. The U.S. Treasury OFAC sanctioned the group's sponsor — the Central Scientific Research Institute of Chemistry and Mechanics (TsNIIKhM) in Moscow — on 23 October 2020 for its role in developing the TRITON malware. Dragos subsequently reported XENOTIME had expanded targeting to electric utilities beyond oil and gas.","first_seen":"2014-01-01T00:00:00.000Z","aliases":["TEMP.Veles","G0088"],"goals":["pre-positioning","sabotage","espionage"],"primary_motivation":"organizational-gain","labels":["country:RU"],"x_threatintel_kind":"state_sponsored","x_threatintel_target_sectors":["energy","oil and gas","petrochemical","ics","electric utilities"],"x_threatintel_target_countries":["SA","US"],"x_threatintel_attack_techniques":["T0830","T0817","T0859","T1078"]}]}