APT44
Iridium is a Russian state-sponsored threat actor, also widely known as Sandworm, Seashell Blizzard, Voodoo Bear, and APT44, among other aliases. It is affiliated with the GRU (Russian military intelligence, Unit 74455) and is considered one of the Kremlin’s most dangerous and capable cyber units. Iridium has a long history of targeting Ukraine and other European countries, focusing on critical infrastructure, especially the energy sector, government, logistics, and telecommunications. Notable operations include the 2015 and 2016 Ukrainian power grid attacks (using BlackEnergy and later GreyEnergy malware), the NotPetya supply chain attack (via TeleBots), and ongoing destructive and espionage campaigns against Ukrainian and EU targets.

Iridium employs a wide range of tactics, including spearphishing, exploitation of public-facing servers, living-off-the-land techniques, supply chain attacks, and deployment of custom malware (e.g., BlackEnergy, GreyEnergy, KillDisk, NotPetya, AcidRain, ZEROLOT). The group is known for destructive wiper malware, advanced persistence mechanisms (e.g., SSHBearDoor), and targeting of ICS/SCADA environments. Iridium often coordinates cyberattacks with kinetic operations, as seen in combined missile strikes and cyberattacks on Ukrainian energy infrastructure.

The group is highly adaptive, using both custom and legitimate tools for stealth, and frequently updates its malware and TTPs. Sub-groups and related clusters include TeleBots and GreyEnergy. Iridium’s operations are characterized by high operational security, advanced targeting, and a focus on both sabotage and espionage.
Recent activity
12 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Sandworm is known for conducting coordinated cyberattacks, including data-wiping malware campaigns, against Ukrainian critical infrastructure, often in tandem with Russian military strikes. Their operations target energy, logistics, government, and grain sectors to destabilize Ukraine's wartime economy.
Sandworm is a Russian state-linked threat actor known for targeting Ukrainian organizations using legitimate tools for cyberattacks.
Sandworm is a Russian military hacking unit known for disruptive cyberattacks, including power grid blackouts in Ukraine and the AcidRain malware attack on Viasat satellite modems. In this incident, they are suspected of breaching Ukrainian entities using living-off-the-land techniques and webshells, with minimal use of custom malware.
Sandworm is known for state-sponsored cyberattacks targeting critical infrastructure, particularly power grids, with the intent to cause physical disruption. They have been implicated in attacks on Ukraine's power grid.