GRU Unit 29155
Russia’s GRU Unit 29155 (also referenced as the GRU’s 161st Specialist Training Center; sanctioned by New Zealand and described as “Ember Bear” in that context) is assessed in the cited reporting as a Russian state intelligence threat actor focused since early 2022 on disrupting aid efforts to Ukraine. Arctic Wolf Labs assessed with medium-to-high confidence that Unit 29155 is leveraging the SocGholish (FAKEUPDATE) initial access framework—operated by TA569 (aka Gold Prelude, Mustard Tempest, Purple Vallhund, UNC1543)—to target victims, and stated with high confidence that Unit 29155 is utilizing SocGholish.

In the described September 2025 intrusion attempt against a U.S.-based civil engineering firm with an apparent Ukraine affiliation, SocGholish was delivered via compromised legitimate websites using fake update lures, malvertising, and traffic direction systems (TDS). Post-execution, operators conducted PowerShell-based reconnaissance with mild evasion, tested connectivity to Mythic C2, and staged persistence via VIPERTUNNEL (a custom Python backdoor) as a scheduled task on the host. Roughly 10 minutes after exploitation, a RomCom (aka Storm-0978, Tropical Scorpius, UNC2596; described as Russian-aligned) Mythic agent loader (msedge.dll) was delivered; it performed target validation by checking the victim’s Active Directory domain against a hardcoded value before decrypting and executing shellcode that instantiated a Mythic “dynamichttp” agent and reached out to a RomCom-associated C2 URL (imprimerie-agp[.]com). The cited reporting also notes prior reporting that SocGholish has delivered Raspberry Robin, which FBI/CISA/NSA assessed as strongly associated with Unit 29155.
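As an added example, not code from the page or from Arctic Wolf or Mallory: a small host-level correlation check over constructed Sysmon-style process-creation events for the chain described above (fake-update script launched from a browser, PowerShell reconnaissance, a scheduled task running a Python backdoor, then msedge.dll loaded from a user-writable path). The process names, the recon keyword list, the 30-minute window and every sample event are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

RECON = ("whoami", "nltest", "systeminfo", "get-nettcpconnection", "ipconfig")  # assumed recon markers
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads)\\", re.I)
img = lambda e: e["Image"].lower()
cmd = lambda e: e["CommandLine"].lower()

# Ordered stages of the chain in the write-up; all must fire on one host within the window.
STAGES = [
    ("fake_update_lure", lambda e: img(e).endswith(("wscript.exe", "cscript.exe"))
        and e["ParentImage"].lower().endswith(("chrome.exe", "msedge.exe", "firefox.exe"))),
    ("ps_recon", lambda e: "powershell" in img(e) and any(k in cmd(e) for k in RECON)),
    ("python_task_persistence", lambda e: img(e).endswith("schtasks.exe")
        and "/create" in cmd(e) and "python" in cmd(e)),
    ("msedge_dll_loader", lambda e: img(e).endswith(("rundll32.exe", "regsvr32.exe"))
        and "msedge.dll" in cmd(e) and USER_WRITABLE.search(cmd(e)) is not None),
]

def find_chains(events, window=timedelta(minutes=30)):
    """Return {host: [stage names]} for hosts where every stage fired, in order, within `window`."""
    hits, by_host = {}, {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    for host, evs in by_host.items():
        idx, matched, start = 0, [], None
        for e in evs:
            t = datetime.fromisoformat(e["ts"])
            if start is not None and t - start > window:  # window expired: restart the chain
                idx, matched, start = 0, [], None
            if STAGES[idx][1](e):
                start, matched, idx = start or t, matched + [STAGES[idx][0]], idx + 1
                if idx == len(STAGES):
                    hits[host] = matched
                    break
    return hits

def ev(ts, host, image, parent, line):  # constructed Sysmon Event ID 1-style record
    return {"ts": ts, "host": host, "Image": image, "ParentImage": parent, "CommandLine": line}

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real intrusion
    ev("2025-09-10T14:02:11", "ENG-WS-07", r"C:\Windows\System32\wscript.exe",
       r"C:\Program Files\Google\Chrome\Application\chrome.exe", r'wscript.exe "C:\Users\jdoe\Downloads\Update.js"'),
    ev("2025-09-10T14:03:40", "ENG-WS-07", PS, r"C:\Windows\System32\wscript.exe",
       "powershell.exe -w hidden -c whoami; nltest /domain_trusts; Get-NetTCPConnection"),
    ev("2025-09-10T14:06:05", "ENG-WS-07", r"C:\Windows\System32\schtasks.exe", PS,
       r'schtasks /create /sc minute /mo 15 /tn EdgeUpdate /tr "C:\Users\jdoe\AppData\Local\py\pythonw.exe vt.py"'),
    ev("2025-09-10T14:12:30", "ENG-WS-07", r"C:\Windows\System32\rundll32.exe", PS,
       r"rundll32.exe C:\Users\jdoe\AppData\Local\Temp\msedge.dll,Start"),
    ev("2025-09-10T09:00:00", "ENG-WS-12", PS, r"C:\Windows\explorer.exe", "powershell.exe Get-ChildItem"),
]
```

Running `find_chains(SAMPLE_EVENTS)` flags ENG-WS-07 with all four stages and ignores ENG-WS-12, whose lone PowerShell event matches no stage; stretching the gap between stages past the window resets the chain.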
Associated malware families
2 malware families attributed to this actor across reporting.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
GRU Unit 29155 (Cadet Blizzard) is known for conducting hybrid threats, including cyberattacks and sabotage, targeting EU member states, NATO allies, and Ukraine.
Unit 29155 used the SocGholish malware framework to target a US firm.
GRU Unit 29155 is a Russian military intelligence unit responsible for offensive cyber operations. Since early 2022, its primary focus has been disrupting international efforts to provide aid to Ukraine. The unit has been linked to the use of SocGholish as an initial access vector for targeting entities with ties to Ukraine.
GRU Unit 29155 is a Russian military cyber unit known for conducting cyberattacks against Ukraine and being sanctioned by multiple countries for its activities.