🇷🇺 RU8 malware familiesExploits CVEs in the wild

GRU

Also known asgrumain_intelligence_directoraterussian_military_intelligence

GRU is Russia’s military intelligence service, referred to in the content as the Main Intelligence Directorate / Main Directorate of the General Staff of the Armed Forces and Russian military intelligence. The content attributes multiple cyber and related operations to the GRU, including interference in the 2016 U.S. presidential election; hacking of the Democratic National Committee (DNC), Democratic Congressional Campaign Committee (DCCC), and Clinton campaign officials; theft of voter data from a U.S. state election board; use of spearphishing, credential theft, malware including X-Agent, keystroke logging, screenshots, data exfiltration, leased U.S.-based infrastructure, and staged leaks via the DCLeaks and Guccifer 2.0 personas and WikiLeaks. The content specifically identifies GRU Units 26165 and 74455, both in Moscow, as carrying out most of that campaign, with Unit 74455 also described as the Main Center for Special Technology. The content also attributes February 2022 DDoS attacks against Ukrainian banking, defense, and government entities to the GRU, with U.S. and UK officials citing technical links to known GRU infrastructure. Additional activity mentioned includes targeting Yulia Skripal’s email accounts in 2013, alleged involvement in cyber operations supporting Russia’s war against Ukraine, and use of the Moobot botnet of compromised Ubiquiti Edge OS routers to proxy malicious traffic in cyberespionage attacks targeting the United States and its allies. Known aliases in the content are GRU, Main Intelligence Directorate, Main Directorate of the General Staff, and Russian military intelligence.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

Government & Administration

Where they target

Geographies tied to known operations.

🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

45 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

11 of 15 tactics54 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

6 techniques

T1589×5

Gather Victim Identity Information

T1590×6

Gather Victim Network Information

T1592

Gather Victim Host Information

T1593

Search Open Websites/Domains

T1593.003

Code Repositories

T1595

Active Scanning

T1598

Phishing for Information

TA0042

Resource Development

5 techniques

T1583×3

Acquire Infrastructure

T1583.001×4

Domains

T1583.003×2

Virtual Private Server

T1584×3

Compromise Infrastructure

T1585×3

Establish Accounts

T1585.001×2

Social Media Accounts

T1586

Compromise Accounts

T1587

Develop Capabilities

T1587.001×3

Malware

TA0001

Initial Access

4 techniques

T1078×3

Valid Accounts

T1133×3

External Remote Services

T1190×5

Exploit Public-Facing Application

T1566×5

Phishing

T1566.002×3

Spearphishing Link

TA0003

Persistence

2 techniques

T1078×3

Valid Accounts

T1133×3

External Remote Services

TA0004

Privilege Escalation

1 technique

T1078×3

Valid Accounts

TA0005

Stealth

3 techniques

T1036×2

Masquerading

T1070×2

Indicator Removal

T1078×3

Valid Accounts

TA0006

Credential Access

2 techniques

T1003

OS Credential Dumping

T1056

Input Capture

T1056.001×2

Keylogging

TA0009

Collection

6 techniques

T1005

Data from Local System

T1056

Input Capture

T1056.001×2

Keylogging

T1074×2

Data Staged

T1113×3

Screen Capture

T1213×4

Data from Information Repositories

T1560×2

Archive Collected Data

TA0011

Command and Control

3 techniques

T1090

Proxy

T1090.003

Multi-hop Proxy

T1105

Ingress Tool Transfer

T1573×2

Encrypted Channel

TA0010

Exfiltration

6 techniques

T1020×3

Automated Exfiltration

T1030

Data Transfer Size Limits

T1041×2

Exfiltration Over C2 Channel

T1048×2

Exfiltration Over Alternative Protocol

T1048.002

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol

T1537×2

Transfer Data to Cloud Account

T1567×2

Exfiltration Over Web Service

T1567.002

Exfiltration to Cloud Storage

T1567.003

Exfiltration to Text Storage Sites

TA0040

Impact

4 techniques

T1485×2

Data Destruction

T1489

Service Stop

T1491

Defacement

T1498×2

Network Denial of Service

ARSENAL

Associated malware families

8 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

NotPetyaThe GRU’s malign cyber activities include deployment of the NotPetya and Olympic Destroyer malware; intrusions targeting the Organization for the Prohibition of Chemical Weapons and the World Anti-Doping Agency; cyber attacks on government systems and critical infrastructure in Ukraine and the state of Georgia; and hack-and-leak operations targeting elections in the United States and France.4May 26, 2026

CHOPSTICKAnother unit mate, Capt. Nikolay Kozachek, allegedly crafted the X-Agent malware used to hack the Democratic Congressional Campaign Committee and DNC networks in April 2016.2May 26, 2026

CaddyWiper"CADDYWIPER is a wiper that Mandiant first identified and reported on in March 2022... The malware enumerates the file system's physical drives and overwrites both file content and partitions with null bytes."1Mar 8, 2026

Cyber BerkutCyber Berkut is a GRU persona influence operation which has been active since that time. Cyber Berkut has leaked a wide variety of hacked material and conducted other computer network operations and influence campaigns on behalf of the Russian government.1May 26, 2026

DrovorubFurthermore, the Drovorub malware used in the conduct of cyberespionage activities is attributed to have its origin within the GRU.1May 26, 2026

3 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

2 CVEs this actor has used in observed campaigns. 2 of them exploited in the wild.

CVE-2017-0144EternalBlue SMBv1 Remote Code Execution in Microsoft WindowsIn the wildEvidence1

The NotPetya attacks began by targeting Ukrainian agencies, but it quickly spread through the use of the EternalBlue exploit, which was developed by the National Security Agency and used in the WannaCry ransomware attacks.

CVE-2023-50224Authentication Bypass Information Disclosure in TP-Link TL-WR841N httpdIn the wildEvidence1

In its own advisory for the CVE-2023-50224 vulnerability, TP-Link said that many of its products are affected, but that all of them have reached end-of-life status, which means they are no longer supported by the company.

IOCS

Observables

19 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

19 IOCsView more in app

Domains

12 total

••••••.com•••••••.ru••••••••.com•••••••••.net••••••••••.com•••••••••••.ru••••••••••••.com••••••.ru+4

ip.v4

3 total

•••••••••••••••••••••••••••

Email addresses

1 total

••••@•••••.•••

hash.md5

1 total

••••••••

hash.sha1

1 total

••••••••

hash.sha256

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app

bleeping computerNews

May 22, 2026

Ubiquiti patches three max severity UniFi OS vulnerabilities

Used the Moobot botnet of compromised Ubiquiti Edge OS routers to proxy malicious traffic for cyberespionage operations.

atlanta journal constitutionNews

May 1, 2026

Mueller: Wikileaks used dead DNC worker in bid to cover Russia ties

Attributed with hacking DNC emails during the 2016 U.S. election interference operation and transferring the stolen materials to WikiLeaks.

handlers diary fullNews

Feb 13, 2026

AI-Powered Knowledge Graph Generator & APTs - SANS ISC

Russian military intelligence-linked activity described as targeting Western logistics entities, technology companies, and the defense industry, using credential access (guessing/brute force) followed by post-compromise tradecraft leveraging shell, Active Directory, and PowerShell commands, and conducting exfiltration and influence operations.

handlers diary fullNews

Feb 13, 2026

AI-Powered Knowledge Graph Generator & APTs - SANS ISC

Referenced in the context of a CISA advisory describing Russian GRU activity targeting Western logistics entities and technology companies, with post-compromise activity involving shell/Active Directory/PowerShell commands, credential access, and influence operations; targets include the defense industry.

+45 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping45

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal8

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs2

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables19

Domains, IPs, and hashes tied to this actor, refreshed continuously.