🇫🇷
SNOWGLOBE
APT Group
Information theft and espionage
4 zero-day CVEs
ETDA ✓
Also Known As 2 names
ATK8
Animal Farm
Target Countries 26
Austria
Australia
Belgium
Canada
Congo
Switzerland
Cameroon
China
Germany
Algeria
Spain
United Kingdom
Greece
Israel
India
Iraq
Islamic Republic of Iran
Morocco
Mexico
Malaysia
Netherlands
Norway
New Zealand
Turkey
Ukraine
United States
Sectors Targeted
Healthcare
Translation and Interpretation Services (NAICS 54193)
Government
Computer Systems Design Services (NAICS 541512)
Internet Publishing and Broadcasting and Web Search Portals (NAICS 51913)
Computer Systems Design and Related Services (NAICS 5415)
Media
Grantmaking and Giving Services (NAICS 8132)
Periodical Publishers (NAICS 51112)
Telecommunications (NAICS 517)
Private sector
National Security and International Affairs (NAICS 9281)
Defense
Motion Picture and Video Production (NAICS 51211)
Data Processing, Hosting, and Related Services (NAICS 51821)
Business Schools and Computer and Management Training (NAICS 6114)
Libraries and Archives (NAICS 51912)
Computer Systems Design and Related Services (NAICS 54151)
Business, Professional, Labor, Political, and Similar Organizations (NAICS 8139)
Real Estate (NAICS 531)
Commercial Banking (NAICS 52211)
Details
Origin
🇫🇷 FR
Last Updated
01 Jun 2022
Malware Families 4
babar
evilbunny
zhmimikatz
Sliver Implant
MITRE ATT&CK 180
T1001 - Data Obfuscation
T1001.002
T1003 - OS Credential Dumping
T1003.002
T1003.004
T1003.006
T1005
T1014 - Rootkit
T1016
T1016.001
T1018
T1021
T1021.001
T1021.002
T1021.006
T1021.007
T1027 - Obfuscated Files or Information
T1027.001
T1027.002
T1027.003
T1027.006
T1036 - Masquerading
T1036.004
T1036.005
T1037
T1037.004
T1041 - Exfiltration Over C2 Channel
T1047
T1048
T1048.002
T1053
T1053.005
T1055 - Process Injection
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - PowerShell
T1059.003
T1059.005
T1059.006
T1059.009
T1068
T1069
T1069.002
T1070 - Indicator Removal on Host
T1070.004
T1070.006
T1070.008
T1071 - Application Layer Protocol
T1071.001 - Web Protocols
T1074
T1074.002
T1078
T1078.002
T1078.003
T1078.004
T1082 - System Information Discovery
T1083
T1087
T1087.002
T1087.004
T1090 - Proxy
T1090.001
T1090.002
T1090.003
T1090.004
T1098
T1098.001
T1098.002
T1098.003
T1098.005
T1102 - Web Service
T1102.002
T1105 - Ingress Tool Transfer
T1106 - Native API
T1110
T1110.001
T1110.003
T1112 - Modify Registry
T1114
T1114.002
T1133
T1134 - Access Token Manipulation
T1136
T1136.003
T1140 - Deobfuscate/Decode Files or Information
T1176 - Browser Extensions
T1190
T1195
T1195.002
T1199
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001
T1204.002
T1213
T1213.003
T1218 - Signed Binary Proxy Execution
T1218.005
T1218.011
T1482
T1484
T1484.002
T1497 - Virtualization/Sandbox Evasion
T1505
T1505.003
T1518 - Software Discovery
T1518.001 - Security Software Discovery
T1528
T1539
T1542 - Pre-OS Boot
T1542.003 - Bootkit
T1543 - Create or Modify System Process
T1546
T1546.003
T1546.008
T1547 - Boot or Logon Autostart Execution
T1547.001
T1548
T1548.002
T1550
T1550.001
T1550.003
T1550.004
T1552 - Unsecured Credentials
T1552.004
T1553
T1553.002
T1553.005
T1555
T1555.003
T1556
T1556.007
T1558
T1558.003
T1560
T1560.001
T1562 - Impair Defenses
T1562.001
T1562.002
T1562.004
T1562.008
T1566 - Phishing
T1566.001
T1566.002
T1566.003
T1568
T1573
T1574 - Hijack Execution Flow
T1574.002 - DLL Side-Loading
T1583
T1583.001
T1583.006
T1584 - Compromise Infrastructure
T1584.001
T1585
T1585.001
T1586
T1586.002
T1586.003
T1587
T1587.001
T1587.003
T1588
T1588.002
T1589
T1589.001
T1595
T1595.002
T1606
T1606.001
T1606.002
T1621
T1649
T1651
T1665
T1680
T1685
T1685.001
T1685.002
T1686
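The technique list above is only useful to a defender once it is loaded into tooling. The following is an added example, not code from the profile page or its data source: it parses technique lines exactly as they appear on the page (an ID, optionally followed by " - Name"), rejects malformed IDs, groups sub-techniques under their parent technique, and emits an ATT&CK Navigator layer for the enterprise-attack domain. The embedded ID list is a constructed subset of the page's 180 entries, and the Navigator/layer version numbers in the output are assumptions; adjust them to the Navigator release you run.

```python
"""Build an ATT&CK Navigator layer from a threat-actor technique list.

Added example, not part of the original profile page. It takes technique
IDs as listed on the page (ID, optionally followed by " - Name"), validates
them, groups sub-techniques under their parent, and emits a Navigator layer
for the "enterprise-attack" domain.
"""
import json
import re
from collections import defaultdict

# Constructed subset of the technique lines as they appear on the page.
PAGE_LINES = [
    "T1003 - OS Credential Dumping",
    "T1003.002",
    "T1003.004",
    "T1003.006",
    "T1059 - Command and Scripting Interpreter",
    "T1059.001 - PowerShell",
    "T1059.003",
    "T1071 - Application Layer Protocol",
    "T1071.001 - Web Protocols",
    "T1218 - Signed Binary Proxy Execution",
    "T1218.005",
    "T1218.011",
    "T1566 - Phishing",
    "T1566.001",
    "T1574.002 - DLL Side-Loading",
]

# ATT&CK technique IDs: "T" + 4 digits, optional ".NNN" sub-technique suffix,
# optional " - Name" as the page prints it.
TECH_RE = re.compile(r"^(T\d{4})(?:\.(\d{3}))?(?:\s*-\s*(.+))?$")


def parse_technique_lines(lines):
    """Return a list of (technique_id, parent_id, name_or_None).

    Raises ValueError on any line that is not a well-formed technique ID,
    so a copy/paste error does not silently drop a technique from the layer.
    """
    parsed = []
    for line in lines:
        m = TECH_RE.match(line.strip())
        if not m:
            raise ValueError(f"not an ATT&CK technique line: {line!r}")
        parent, sub, name = m.groups()
        tid = f"{parent}.{sub}" if sub else parent
        parsed.append((tid, parent, name.strip() if name else None))
    return parsed


def group_by_parent(parsed):
    """Map each parent technique to its sorted sub-technique IDs (may be empty).

    A parent appears even when only its sub-techniques are listed on the page
    (e.g. T1574 is present only via T1574.002).
    """
    groups = defaultdict(list)
    for tid, parent, _ in parsed:
        groups.setdefault(parent, [])
        if tid != parent:
            groups[parent].append(tid)
    return {p: sorted(subs) for p, subs in groups.items()}


def build_navigator_layer(parsed, name, score=1, color="#ff6666"):
    """Return a Navigator layer dict; parents with listed sub-techniques are expanded."""
    groups = group_by_parent(parsed)
    techniques = []
    for tid, parent, tname in parsed:
        entry = {"techniqueID": tid, "score": score, "color": color, "enabled": True}
        if tname:
            entry["comment"] = tname  # keep the page's own label where it had one
        if tid == parent and groups[parent]:
            entry["showSubtechniques"] = True
        techniques.append(entry)
    return {
        "name": name,
        "versions": {"layer": "4.5", "navigator": "4.9"},  # assumed; match your Navigator
        "domain": "enterprise-attack",
        "description": f"{len(techniques)} techniques attributed on the profile page",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", color], "minValue": 0, "maxValue": score},
        "legendItems": [],
        "metadata": [],
    }


def layer_json(lines=PAGE_LINES, name="SNOWGLOBE (Animal Farm)"):
    """Serialise the layer so it can be saved and opened in Navigator."""
    return json.dumps(build_navigator_layer(parse_technique_lines(lines), name), indent=2)


if __name__ == "__main__":
    print(layer_json())
```

To use the full list, paste the technique lines from the page into PAGE_LINES (or read them from a file) and redirect the output to a .json file, which Navigator opens via "Open Existing Layer". Old technique names printed on the page (for example the pre-rename "Signed Binary Proxy Execution" for T1218) are carried only as comments; Navigator resolves the ID against the ATT&CK version it loads.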