Mallory
🇷🇺 RU

Guccifer 2.0

Also known as: guccifer_20

Guccifer 2.0 was an online persona used during the 2016 U.S. election-related intrusions and leaks involving Democratic targets. The cited reporting states that Russian intelligence officers apparently adopted the Guccifer 2.0 guise: the GRU created and deployed the persona to undercut attribution of the attacks to Russia and to promote and disseminate the stolen data. Multiple cited articles and summaries describe Guccifer 2.0 as a likely Russian front or deception/disinformation persona rather than an independent Romanian hacker.

The persona publicly claimed responsibility for hacking the Democratic National Committee (DNC) and was also associated with leaks from the Democratic Congressional Campaign Committee (DCCC) and with claims of hacking the Clinton Foundation. Guccifer 2.0 published stolen Democratic documents online, shared material with media outlets, and was reported to have provided files to WikiLeaks. The reporting also references direct messages between Guccifer 2.0 and WikiLeaks, and states that Russian operators used personas including Guccifer 2.0 to work with organizations positioned to spread the stolen information, WikiLeaks among them.

Targets named in the reporting: the DNC, the DCCC, Democratic Party organizations, and purportedly the Clinton Foundation. Released material included opposition research on Donald Trump, political strategy and fundraising documents, convention planning files, donor and volunteer information, passwords, and private contact information.

Tactics and tradecraft named in the reporting: a fabricated online persona used for false-flag/deception purposes, publication and dissemination of stolen documents, use of blogs and social media accounts, and coordination with amplifying outlets. The cited reporting also notes forensic indicators in the leaked documents that pointed toward Russian involvement, including Russian-language settings, Cyrillic metadata, and the username "Iron Felix."

The reporting further references malware and intrusion activity at the DNC that security firms linked to the Russian-associated groups COZY BEAR and FANCY BEAR; Guccifer 2.0 emerged as a cover identity after that public attribution. Known alias in the provided content: Guccifer 2.0.
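The forensic indicators mentioned above (Russian-language settings and Cyrillic metadata inside released Word documents) are the kind of thing an analyst pulls straight out of the .docx package XML. The following script is an added example, written for this profile; it is not code from Mallory or from any of the cited reporting, and it does not touch any real leaked file. It builds a constructed minimal .docx in memory (only the two package parts it inspects, with placeholder author and language values), then extracts the creator and last-modified-by fields from docProps/core.xml, the default language tags from word/styles.xml, and flags whether any of the name fields contain Cyrillic characters. It uses only the Python standard library.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used inside a .docx package (OOXML core properties, Dublin Core,
# and WordprocessingML).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}
CYRILLIC = re.compile(r"[\u0400-\u04FF]")  # Unicode Cyrillic block


def build_sample_docx() -> bytes:
    """Constructed minimal .docx containing only the two parts we inspect.

    The author string and the ru-RU language tag are placeholder values chosen
    to show what Cyrillic metadata and Russian-language settings look like in
    the package XML; they are not taken from any real document.
    """
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        '<dc:creator>Пользователь</dc:creator>'
        '<cp:lastModifiedBy>example-editor</cp:lastModifiedBy>'
        '</cp:coreProperties>' % (NS["cp"], NS["dc"])
    )
    styles = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:styles xmlns:w="%s"><w:docDefaults><w:rPrDefault><w:rPr>'
        '<w:lang w:val="ru-RU" w:eastAsia="ru-RU"/>'
        '</w:rPr></w:rPrDefault></w:docDefaults></w:styles>' % NS["w"]
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/styles.xml", styles)
    return buf.getvalue()


def extract_docx_indicators(data: bytes) -> dict:
    """Return author/modifier fields, default language tags, and whether any
    Cyrillic characters appear in the name fields. Missing parts are tolerated,
    so a stripped or unusual package still yields a (mostly empty) result."""
    result = {"creator": None, "last_modified_by": None,
              "languages": [], "cyrillic": False}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            creator = root.find("dc:creator", NS)
            modifier = root.find("cp:lastModifiedBy", NS)
            result["creator"] = creator.text if creator is not None else None
            result["last_modified_by"] = modifier.text if modifier is not None else None
        if "word/styles.xml" in names:
            root = ET.fromstring(z.read("word/styles.xml"))
            langs = set()
            # w:lang may carry separate tags for Latin, East Asian and bidi text.
            for lang in root.iter("{%s}lang" % NS["w"]):
                for attr in ("val", "eastAsia", "bidi"):
                    value = lang.get("{%s}%s" % (NS["w"], attr))
                    if value:
                        langs.add(value)
            result["languages"] = sorted(langs)
    name_fields = [v for v in (result["creator"], result["last_modified_by"]) if v]
    result["cyrillic"] = any(CYRILLIC.search(v) for v in name_fields)
    return result


if __name__ == "__main__":
    print(extract_docx_indicators(build_sample_docx()))
```

To run it against a real file, pass `open(path, "rb").read()` to `extract_docx_indicators` instead of the constructed sample. Such indicators are weak on their own (they are trivially edited and can be planted), which is why the cited reporting treats them as one signal among several rather than as proof.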


OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Who they target

Sectors the actor has been observed targeting.

  • Government & Administration

Where they target

Geographies tied to known operations.

  • 🇺🇸 United States

Where they're from

Attributed origin per open-source reporting.

  • RU
MITRE ATT&CK

Tradecraft

24 distinct techniques observed across reporting, grouped by tactic.

11 of 15 tactics, 28 techniques. ×N = number of intelligence reports citing this technique.
TA0043 Reconnaissance (1 technique)
  • T1589 Gather Victim Identity Information

TA0042 Resource Development (4 techniques)
  • T1583 Acquire Infrastructure ×2
  • T1583.001 Domains
  • T1584 Compromise Infrastructure ×2
  • T1585 Establish Accounts ×3
  • T1586 Compromise Accounts
  • T1586.001 Social Media Accounts

TA0001 Initial Access (3 techniques)
  • T1078 Valid Accounts ×3
  • T1190 Exploit Public-Facing Application
  • T1566 Phishing ×4

TA0002 Execution (1 technique)
  • T1059 Command and Scripting Interpreter

TA0003 Persistence (1 technique)
  • T1078 Valid Accounts ×3

TA0004 Privilege Escalation (1 technique)
  • T1078 Valid Accounts ×3

TA0005 Stealth (MITRE name: Defense Evasion) (3 techniques)
  • T1036 Masquerading ×4
  • T1070 Indicator Removal
  • T1078 Valid Accounts ×3

TA0009 Collection (3 techniques)
  • T1005 Data from Local System
  • T1074 Data Staged
  • T1213 Data from Information Repositories ×4

TA0011 Command and Control (1 technique)
  • T1071 Application Layer Protocol

TA0010 Exfiltration (4 techniques)
  • T1041 Exfiltration Over C2 Channel ×5
  • T1048 Exfiltration Over Alternative Protocol ×2
  • T1537 Transfer Data to Cloud Account ×4
  • T1567 Exfiltration Over Web Service ×6
  • T1567.001 Exfiltration to Code Repository
  • T1567.002 Exfiltration to Cloud Storage ×2
  • T1567.003 Exfiltration to Text Storage Sites

TA0040 Impact (1 technique)
  • T1565 Data Manipulation
IOCS

Observables

2 indicators attributed to this actor (domains, IPs, hashes, and other artifacts pulled from reporting); the indicator values themselves are not shown on this page.
