APT 29

Type: APT Group
Motivation: Information theft and espionage
Zero-day CVEs: 76
ETDA: ✓

Also Known As (19 names)

APT29, ATK7, Blue Kitsune, BlueBravo, COZY BEAR, Cloaked Ursa, G0016, Grizzly Steppe, Group 100, IRON HEMLOCK, ITG11, Midnight Blizzard, Minidionis, Nobelium, SeaDuke, TA421, The Dukes, UAC-0029, YTTRIUM

Target Countries (47)

Australia, Azerbaijan, Belgium, Bulgaria, Brazil, Belarus, Canada, Switzerland, Chile, Cameroon, China, Cyprus, Germany, Denmark, Spain, France, United Kingdom, Georgia, Hungary, Ireland, Israel, India, Italy, Japan, Kyrgyzstan, Republic of Korea, Kazakhstan, Lebanon, Lithuania, Luxembourg, Latvia, Montenegro, Mexico, Netherlands, New Zealand, Poland, Portugal, Romania, Singapore, Slovenia, Slovakia, Thailand, Turkey, Ukraine, Uganda, United States, Uzbekistan

Details

Origin: 🇷🇺 RU
Last Updated: 24 Sep 2025

Malware Families (4)

hermeticwiper
zhmimikatz
karagany
Sliver Implant

Note: this list is aggregated by the tracker and does not match most vendor reporting, which attributes HermeticWiper to Sandworm and Karagany to Dragonfly/Energetic Bear rather than to APT29; treat the family-to-group mapping here as low confidence and verify against the primary report before using it for attribution.

MITRE ATT&CK (303 entries)

T1001 - Data Obfuscation, T1001.002, T1001.003 - Protocol Impersonation, T1003 - OS Credential Dumping, T1003.001, T1003.002 - Security Account Manager, T1003.004, T1003.006, T1005 - Data from Local System, T1007, T1008, T1011, T1012 - Query Registry, T1014 - Rootkit, T1015, T1016, T1016.001, T1018 - Remote System Discovery, T1020 - Automated Exfiltration, T1021 - Remote Services, T1021.001 - Remote Desktop Protocol, T1021.002, T1021.006, T1021.007, T1022 - Data Encrypted, T1023, T1025 - Data from Removable Media,
T1027 - Obfuscated Files or Information, T1027.001, T1027.002, T1027.003, T1027.006, T1030 - Data Transfer Size Limits, T1033 - System Owner/User Discovery, T1036 - Masquerading, T1036.004, T1036.005, T1037 - Boot or Logon Initialization Scripts, T1037.004, T1039 - Data from Network Shared Drive, T1040 - Network Sniffing, T1041 - Exfiltration Over C2 Channel, T1043, T1045 - Software Packing, T1046 - Network Service Scanning, T1047 - Windows Management Instrumentation, T1048 - Exfiltration Over Alternative Protocol, T1048.002, T1049 - System Network Connections Discovery,
T1053 - Scheduled Task/Job, T1053.005 - Scheduled Task, T1055 - Process Injection, T1055.001, T1056 - Input Capture, T1056.002 - GUI Input Capture, T1056.003 - Web Portal Capture, T1057 - Process Discovery, T1059 - Command and Scripting Interpreter, T1059.001 - PowerShell, T1059.003 - Windows Command Shell, T1059.005 - Visual Basic, T1059.006 - Python, T1059.007 - JavaScript, T1059.009, T1060 - Registry Run Keys / Startup Folder, T1064, T1068 - Exploitation for Privilege Escalation, T1069, T1069.002, T1070 - Indicator Removal on Host, T1070.004, T1070.006, T1070.008, T1071 - Application Layer Protocol, T1071.001 - Web Protocols, T1074 - Data Staged, T1074.002,
T1078 - Valid Accounts, T1078.002, T1078.003, T1078.004, T1081 - Credentials in Files, T1082 - System Information Discovery, T1083 - File and Directory Discovery, T1084, T1085, T1086 - PowerShell, T1087 - Account Discovery, T1087.002, T1087.004, T1088, T1090 - Proxy, T1090.001, T1090.002, T1090.003, T1090.004, T1091 - Replication Through Removable Media, T1092 - Communication Through Removable Media, T1095 - Non-Application Layer Protocol, T1096 - NTFS File Attributes, T1097, T1098 - Account Manipulation, T1098.001, T1098.002, T1098.003, T1098.005,
T1102 - Web Service, T1102.001 - Dead Drop Resolver, T1102.002, T1102.003 - One-Way Communication, T1104 - Multi-Stage Channels, T1105 - Ingress Tool Transfer, T1106 - Native API, T1107 - File Deletion, T1110 - Brute Force, T1110.001, T1110.003, T1111 - Two-Factor Authentication Interception, T1112 - Modify Registry, T1113 - Screen Capture, T1114 - Email Collection, T1114.001, T1114.002, T1115 - Clipboard Data, T1119 - Automated Collection, T1120 - Peripheral Device Discovery, T1124, T1127 - Trusted Developer Utilities Proxy Execution, T1129 - Shared Modules, T1130, T1132 - Data Encoding, T1132.001 - Standard Encoding, T1133 - External Remote Services, T1134 - Access Token Manipulation, T1135, T1136, T1136.003,
T1137 - Office Application Startup, T1137.001 - Office Template Macros, T1140 - Deobfuscate/Decode Files or Information, T1143 - Hidden Window, T1158 - Hidden Files and Directories, T1170, T1172, T1176 - Browser Extensions, T1187 - Forced Authentication, T1188, T1189 - Drive-by Compromise, T1190 - Exploit Public-Facing Application, T1192 - Spearphishing Link, T1193, T1195 - Supply Chain Compromise, T1195.002, T1199 - Trusted Relationship, T1202 - Indirect Command Execution, T1203 - Exploitation for Client Execution, T1204 - User Execution, T1204.001 - Malicious Link, T1204.002 - Malicious File, T1210 - Exploitation of Remote Services, T1211 - Exploitation for Defense Evasion, T1213 - Data from Information Repositories, T1213.003, T1217,
T1218 - Signed Binary Proxy Execution, T1218.005, T1218.011, T1219 - Remote Access Software, T1221 - Template Injection, T1222 - File and Directory Permissions Modification, T1482, T1484, T1484.002, T1485, T1486, T1489, T1490 - Inhibit System Recovery, T1495, T1496, T1497 - Virtualization/Sandbox Evasion, T1497.001 - System Checks, T1497.003, T1498 - Network Denial of Service, T1503, T1505 - Server Software Component, T1505.003, T1518 - Software Discovery, T1518.001 - Security Software Discovery, T1528 - Steal Application Access Token, T1529, T1530 - Data from Cloud Storage Object, T1531, T1534 - Internal Spearphishing, T1539 - Steal Web Session Cookie,
T1542 - Pre-OS Boot, T1542.003 - Bootkit, T1543 - Create or Modify System Process, T1546 - Event Triggered Execution, T1546.003, T1546.008, T1546.015, T1547 - Boot or Logon Autostart Execution, T1547.001 - Registry Run Keys / Startup Folder, T1548, T1548.002, T1550 - Use Alternate Authentication Material, T1550.001 - Application Access Token, T1550.003, T1550.004, T1552 - Unsecured Credentials, T1552.004, T1553 - Subvert Trust Controls, T1553.002, T1553.005, T1555, T1555.003, T1556 - Modify Authentication Process, T1556.004 - Network Device Authentication, T1556.007, T1557 - Man-in-the-Middle, T1558, T1558.003, T1559 - Inter-Process Communication, T1559.002,
T1560 - Archive Collected Data, T1560.001, T1561, T1562 - Impair Defenses, T1562.001, T1562.002, T1562.004, T1562.008, T1564 - Hide Artifacts, T1564.003 - Hidden Window, T1565 - Data Manipulation, T1566 - Phishing, T1566.001 - Spearphishing Attachment, T1566.002 - Spearphishing Link, T1566.003, T1567 - Exfiltration Over Web Service, T1568 - Dynamic Resolution, T1569 - System Services, T1569.002, T1571 - Non-Standard Port, T1572, T1573 - Encrypted Channel, T1574 - Hijack Execution Flow, T1574.002 - DLL Side-Loading,
T1583 - Acquire Infrastructure, T1583.001 - Domains, T1583.002 - DNS Server, T1583.006 - Web Services, T1584 - Compromise Infrastructure, T1584.001 - Domains, T1585, T1585.001, T1586 - Compromise Accounts, T1586.002, T1586.003, T1587 - Develop Capabilities, T1587.001, T1587.003, T1588 - Obtain Capabilities, T1588.002, T1588.006, T1589 - Gather Victim Identity Information, T1589.001, T1590, T1592 - Gather Victim Host Information, T1593 - Search Open Websites/Domains, T1595 - Active Scanning, T1595.002, T1598 - Phishing for Information, T1598.002, T1601, T1602, T1606, T1606.001, T1606.002,
T1608 - Stage Capabilities, T1608.001 - Upload Malware, T1608.005 - Link Target, T1609 - Container Administration Command, T1610, T1621, T1649, T1651, T1665, T1680, T1685, T1685.001, T1685.002, T1686,
TA0001, TA0002 - Execution, TA0003 - Persistence, TA0004 - Privilege Escalation, TA0005 - Defense Evasion, TA0006 - Credential Access, TA0007 - Discovery, TA0011 - Command and Control, TA0042, TA0043

Note: the 303 count includes tactic IDs (TA*) and mixes revoked pre-sub-technique IDs with their current replacements (for example T1086 PowerShell alongside T1059.001, T1060 alongside T1547.001, T1107 alongside T1070.004, T1192/T1193 alongside T1566.002/T1566.001), and some names are the older ATT&CK wording (T1218 is now "System Binary Proxy Execution"). De-duplicate against a current ATT&CK release before using the list for detection-coverage mapping.
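The technique list above is only useful to a detection team once it is turned into ID/name pairs, cleaned of tactic IDs and revoked IDs, and loaded into a coverage tool. The following is an added example, written for this page and not code from the tracker or from MITRE, that parses the page's flattened "ID - Name ID ID - Name" run (including an entry split across lines, as the page has for T1091), summarises the counts so the stated total can be checked, and emits an ATT&CK Navigator layer. The SAMPLE string is a constructed excerpt of the page's list; the REVOKED_TO_CURRENT map is a small hand-picked subset and the Navigator/ATT&CK version strings are assumptions, both of which a real pipeline should take from the ATT&CK STIX data and the Navigator instance in use.

```python
"""Parse a flattened ATT&CK technique list from a threat-actor profile card
into ID/name pairs and emit an ATT&CK Navigator layer (added example)."""
import json
import re

# One entry is a technique ID (T1234 or T1234.001) or tactic ID (TA0001),
# optionally followed by " - Name" running up to the next ID or end of text.
ENTRY_RE = re.compile(
    r"\b(TA?\d{4}(?:\.\d{3})?)(?:\s+-\s+(.*?))?(?=\s+TA?\d{4}\b|\s*$)"
)

# Constructed excerpt of the profile's list; the line break inside the
# T1091 entry mirrors how the page itself splits that entry.
SAMPLE = (
    "T1003 - OS Credential Dumping T1003.001 T1003.002 - Security Account Manager\n"
    "T1059 - Command and Scripting Interpreter T1059.001 - PowerShell T1086 - PowerShell T1091 - \n"
    "Replication Through Removable Media T1218 - Signed Binary Proxy Execution "
    "TA0006 - Credential Access TA0043"
)

# Partial, hand-maintained map of revoked IDs to their replacements (assumption:
# derive the full map from the ATT&CK STIX 'revoked-by' relationships).
REVOKED_TO_CURRENT = {
    "T1045": "T1027.002",  # Software Packing
    "T1060": "T1547.001",  # Registry Run Keys / Startup Folder
    "T1086": "T1059.001",  # PowerShell
    "T1107": "T1070.004",  # File Deletion
    "T1192": "T1566.002",  # Spearphishing Link
    "T1193": "T1566.001",  # Spearphishing Attachment
}


def parse_attack_list(flat):
    """Return (id, name_or_None) pairs in page order; line breaks are collapsed first."""
    text = " ".join(flat.split())
    return [(m.group(1), m.group(2).strip() if m.group(2) else None)
            for m in ENTRY_RE.finditer(text)]


def summarize(entries):
    """Count tactics, techniques and sub-techniques so a stated total can be checked."""
    tactics = sum(1 for tid, _ in entries if tid.startswith("TA"))
    subs = sum(1 for tid, _ in entries if not tid.startswith("TA") and "." in tid)
    return {"tactics": tactics, "techniques": len(entries) - tactics - subs,
            "sub_techniques": subs, "total": len(entries)}


def normalize(entries):
    """Drop tactic IDs, map revoked technique IDs to current ones and de-duplicate.
    The first name seen for an ID wins; a missing name is filled by a later copy."""
    merged = {}
    for tid, name in entries:
        if tid.startswith("TA"):
            continue
        current = REVOKED_TO_CURRENT.get(tid, tid)
        if current not in merged or merged[current] is None:
            merged[current] = name
    return merged


def to_navigator_layer(techniques, layer_name, color="#fd8d3c"):
    """Build an ATT&CK Navigator layer dict. The version strings are assumptions
    and must match the Navigator instance the layer is loaded into."""
    return {
        "name": layer_name,
        "versions": {"layer": "4.5", "navigator": "5.1.0", "attack": "17"},
        "domain": "enterprise-attack",
        "description": "Techniques listed on the profile; comment holds the name as printed there",
        "techniques": [
            {"techniqueID": tid, "color": color, "enabled": True,
             "comment": name or "", "score": 1}
            for tid, name in techniques.items()
        ],
    }


if __name__ == "__main__":
    parsed = parse_attack_list(SAMPLE)
    print(summarize(parsed))
    print(json.dumps(to_navigator_layer(normalize(parsed), "APT29 (profile excerpt)"), indent=2))
```

Run it with the full list from this page pasted into SAMPLE and compare summarize() against the stated 303; the difference between that total and the size of normalize()'s output is the number of tactic IDs and revoked duplicates that would otherwise inflate a coverage score.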