4 malware familiesExploits CVEs in the wild

GRU Unit 26165

Also known asGRU Unit 26165

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

MITRE ATT&CK

Tradecraft

31 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics44 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0043

Reconnaissance

1 technique

T1598

Phishing for Information

TA0042

Resource Development

3 techniques

T1583

Acquire Infrastructure

T1583.001

Domains

T1588

Obtain Capabilities

T1588.004

Digital Certificates

T1608

Stage Capabilities

T1608.001

Upload Malware

TA0001

Initial Access

4 techniques

T1078

Valid Accounts

T1190

Exploit Public-Facing Application

T1199

Trusted Relationship

T1566

Phishing

T1566.001

Spearphishing Attachment

TA0002

Execution

2 techniques

T1203

Exploitation for Client Execution

T1204

User Execution

T1204.002

Malicious File

TA0003

Persistence

3 techniques

T1078

Valid Accounts

T1098

Account Manipulation

T1547

Boot or Logon Autostart Execution

T1547.006

Kernel Modules and Extensions

TA0004

Privilege Escalation

3 techniques

T1078

Valid Accounts

T1098

Account Manipulation

T1547

Boot or Logon Autostart Execution

T1547.006

Kernel Modules and Extensions

TA0005

Stealth

6 techniques

T1014

Rootkit

T1027

Obfuscated Files or Information

T1036

Masquerading

T1078

Valid Accounts

T1221

Template Injection

T1564

Hide Artifacts

TA0006

Credential Access

2 techniques

T1110

Brute Force

T1110.002

Password Cracking

T1187

Forced Authentication

TA0007

Discovery

1 technique

T1082

System Information Discovery

TA0008

Lateral Movement

2 techniques

T1021

Remote Services

T1021.001

Remote Desktop Protocol

T1550

Use Alternate Authentication Material

T1550.002

Pass the Hash

TA0009

Collection

2 techniques

T1125

Video Capture

T1213

Data from Information Repositories

TA0011

Command and Control

4 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1090

Proxy

T1105

Ingress Tool Transfer

T1219

Remote Access Tools

ARSENAL

Associated malware families

4 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

BEARDSHELLa new backdoor called BeardShell ... written in C++, establishes persistence, executes PowerShell commands, and hides files under fake image headers.1Mar 18, 2026

CovenantThe attackers also customized the Covenant red-team framework to route encrypted command-and-control traffic through Koofr and Icedrive cloud services, making detection difficult.1Mar 18, 2026

HeadlaceThe Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.1Apr 17, 2026

MASEPIEThe Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.1Apr 17, 2026

WEAPONIZED

Associated vulnerabilities

4 CVEs this actor has used in observed campaigns. 4 of them exploited in the wild.

CVE-2020-0688Microsoft Exchange Server static validation key RCEIn the wildEvidence1

Use known vulnerabilities — CVE 2020-0688 and CVE 2020-17144 — to establish persistent access and escalate privileges, which means gaining administrative control of servers and systems.

CVE-2020-17144Microsoft Exchange Remote Code Execution VulnerabilityIn the wildEvidence1

Use known vulnerabilities — CVE 2020-0688 and CVE 2020-17144 — to establish persistent access and escalate privileges, which means gaining administrative control of servers and systems.

CVE-2023-23397Microsoft Outlook Net-NTLMv2 Hash Leak via Reminder Sound UNC PathIn the wildEvidence1

The actors have weaponized multiple CVEs, including: CVE-2023-23397 in Microsoft Outlook to harvest credentials

CVE-2023-38831Arbitrary Code Execution in WinRAR Archive File HandlingIn the wildEvidence1

The actors have weaponized multiple CVEs, including: CVE-2023-38831 in WinRAR for remote code execution

IOCS

Observables

16 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

16 IOCsView more in app

uri

7 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

hash.md5

6 total

•••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••

Domains

1 total

••••••.com

hash.sha1

1 total

••••••••

hash.sha256

1 total

••••••••

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

No public activity tracked yet. Mallory keeps watching.

0 SOURCESView more in app

No public activity observed for this threat actor.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping31

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal4

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs4

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables16

Domains, IPs, and hashes tied to this actor, refreshed continuously.