Octopus is malware tracked in versions 2.0 through 2.1. It is delivered by spearphishing email and relies on the victim opening a malicious attachment; the payload has been disguised as legitimate software such as Java and Telegram Messenger. On a compromised host, Octopus collects the username, captures screenshots, and runs wmic.exe for local discovery. It stages collected information in the Application Data directory, compresses it with the Abbrevia library (an open-source Delphi compression component) before exfiltration, and uploads stolen files and other victim data over its command-and-control channel. The C2 traffic is Base64-encoded, and the malware has also exfiltrated data to file-sharing sites. All of these behaviors and artifacts (spearphishing delivery, execution of a malicious attachment, username collection, screenshot capture, use of wmic.exe, staging under Application Data, Base64-encoded C2 traffic, exfiltration over the C2 channel and to file-sharing sites, Abbrevia-based compression before exfiltration) are stated directly in the source material and can be treated as high-confidence hunting pivots.
Separately, the name Octopus is also applied to a Rust-based toolkit used to elevate privileges on a compromised Linux system. That tooling should not be conflated with the Windows malware described above, whose documented artifacts (wmic.exe, the Application Data directory, Run-key style persistence) are Windows-specific.
22 distinct techniques are documented for this family, organized by ATT&CK tactic.
Initial Access / Spearphishing Attachment (T1566.001): Octopus arrives by spearphishing email. The wider corpus shows the same delivery pattern across actors, with malicious attachments in the form of Microsoft Office documents, PDFs, RAR/ZIP archives, CHM, ISO, IMG, HTA and LNK files, and executables disguised as documents.
Execution / Windows Management Instrumentation (T1047): Octopus uses wmic.exe for local discovery. Across the corpus, WMI, WMIC and wmiexec are also used for remote execution, lateral movement, persistence and administrative actions; e.g. 'APT41 used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via PowerSploit' and 'Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.' For detection, keep local wmic.exe queries separate from remote execution (wmic /node:<host>, or on the target a cmd.exe child of WmiPrvSE.exe), since the two have very different false-positive profiles.
Execution / User Execution: Malicious File (T1204.002): Octopus requires the victim to open the attachment. The corpus repeatedly describes victims being lured into opening malicious attachments, enabling macros, launching installers, clicking embedded files or links, or otherwise directly executing malicious content: 'Sandworm Team leveraged Microsoft Office attachments which contained malicious macros that were automatically executed once the user permitted them'; 'APT29 has used various forms of spearphishing attempting to get a user to open attachments'; 'DarkGate is distributed through phishing links to VBS or MSI objects requiring user interaction for execution.'
Persistence / Registry Run Keys and Startup Folder (T1547.001): malware and actors in the corpus persist by adding values under HKCU or HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files or .bat files in the Windows Startup folder. Both locations are cheap to audit: baseline the Run and RunOnce keys in both hives (including the WOW6432Node view) and the per-user and all-users Startup folders, and review any new entry whose target lies in a user-writable path such as AppData or Temp.
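As an added example (not code from the original page or from any vendor), the following Python scans constructed Sysmon-style events for both halves of this technique: values written under Run or RunOnce (Event ID 13) and executable file types dropped into a Startup folder (Event ID 11), rating an autorun higher when its command points into a user-writable path. The event layout, field names and sample records are assumptions made for illustration.

```python
"""Flag Run/RunOnce autoruns and Startup-folder drops in Sysmon-style events.

Added example for this page, not code from the original page or any vendor.
The 'key=value|...' event layout and field names are constructed to resemble
Sysmon Event ID 13 (registry value set) and Event ID 11 (file create).
"""
import os
import re
from typing import Dict, List, Optional

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce, including the WOW6432Node view.
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\",
    re.IGNORECASE,
)
# The per-user and all-users Startup folders both end in this path fragment.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# File types that execute when dropped into a Startup folder.
STARTUP_EXEC_EXT = {".exe", ".bat", ".cmd", ".vbs", ".js", ".lnk", ".ps1", ".hta", ".scr"}
# User-writable locations where dropped payloads usually live (the page notes Octopus
# keeps its data under Application Data); an autorun pointing here is rated higher.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|Downloads|Public|ProgramData)\\", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' event line into a dict (assumed layout)."""
    fields: Dict[str, str] = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_run_key(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Event ID 13: a value was written under Run or RunOnce."""
    if ev.get("EventID") != "13":
        return None
    target = ev.get("TargetObject", "")
    match = RUN_KEY_RE.search(target)
    if not match:
        return None
    command = ev.get("Details", "")
    return {
        "rule": f"autorun-{match.group(1).lower()}",
        "severity": "high" if USER_WRITABLE_RE.search(command) else "medium",
        "writer": ev.get("Image", ""),
        "value_name": target.rsplit("\\", 1)[-1],
        "command": command,
    }


def check_startup_folder(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Event ID 11: an executable file type was created in a Startup folder."""
    if ev.get("EventID") != "11":
        return None
    path = ev.get("TargetFilename", "")
    if not STARTUP_RE.search(path):
        return None
    name = path.rsplit("\\", 1)[-1]
    if os.path.splitext(name)[1].lower() not in STARTUP_EXEC_EXT:
        return None
    return {"rule": "startup-folder", "severity": "high", "writer": ev.get("Image", ""), "path": path}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run both rules over raw event lines and return alerts in event order."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        for rule in (check_run_key, check_startup_folder):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r"EventID=13|Image=C:\Users\alice\AppData\Roaming\jre\javaw.exe|TargetObject=HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java Update|Details=C:\Users\alice\AppData\Roaming\jre\javaw.exe",
    r"EventID=13|Image=C:\Windows\System32\msiexec.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray|Details=C:\Program Files\Vendor\tray.exe",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\alice\Documents\report.docx",
    r"EventID=13|Image=C:\Windows\System32\svchost.exe|TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Startup|Details=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

The first three sample events fire (a Run value pointing into AppData, a vendor Run value under Program Files, and a .lnk dropped into the user's Startup folder); the fourth is an ordinary document write, and the fifth rewrites the Shell Folders Startup redirection, which neither rule covers and which a fuller ruleset would watch separately.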
Discovery / System Network Configuration Discovery (T1016): commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo and GetIpNetTable are used to gather IP and MAC addresses, DNS, DHCP and gateway settings, routing tables, the ARP cache, proxy settings, domain membership and network adapter or interface details.
Discovery / System Owner/User Discovery (T1033): Octopus collects the username. Across the corpus this extends to identifying logged-in users, running whoami, query user or quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Discovery / System Information Discovery (T1082): host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language and other configuration data are collected; e.g. "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Discovery / File and Directory Discovery (T1083): listing files and directories, enumerating drives, searching for files by extension, name or path, retrieving file metadata and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Collection / Local Data Staging (T1074.001): Octopus stores collected information in the Application Data directory. Elsewhere in the corpus, adversaries and malware stage collected data, command output, credentials, archives or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins or specific files prior to exfiltration.
Collection / Screen Capture (T1113): Octopus captures screenshots. Comparable capabilities elsewhere: "Agent Tesla can capture screenshots of the victim's desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop".
Collection / Archive Collected Data (T1560): Octopus compresses data with Abbrevia before exfiltration. Multiple actors and tools use 7-Zip, WinRAR, zip, tar, gzip, makecab or PowerShell Compress-Archive to compress, and often password-protect or encrypt, collected data prior to exfiltration (e.g. "used 7zip to archive extracted data in preparation for exfiltration", "created password-protected RAR archives prior to exfiltration", "used built-in PowerShell capabilities (Compress-Archive cmdlet) to compress collected data"). An archiver launched with a password switch from a user profile path is a strong staging indicator, since the password blinds content inspection on the way out.
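The following Python is an added example rather than code from the page or any project it cites. It correlates constructed process-creation events for three of the behaviours in the entries above: the Impacket wmiexec pattern and wmic /node: remote execution from the WMI entry, a burst of distinct discovery binaries (whoami, ipconfig, wmic, systeminfo and the others listed under the discovery techniques) from one host inside a short window, and an archiver launched with a password switch from the archiving entry. The 'key=value|...' event layout, the 300-second window and the four-binary threshold are assumptions.

```python
"""Correlate process-creation events for WMI-driven execution, discovery
bursts and password-protected archiving ahead of exfiltration.
Added example for this page, not code from the page or any vendor; the
'key=value|...' event layout, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

WINDOW_SECONDS = 300   # assumed correlation window per host
BURST_THRESHOLD = 4    # assumed: distinct discovery binaries inside one window

# Native discovery binaries the page lists; wmic.exe is handled separately
# because the same binary also drives remote execution.
DISCOVERY_BINS = {
    "whoami.exe", "quser.exe", "query.exe",                             # account/session
    "ipconfig.exe", "arp.exe", "route.exe", "nbtstat.exe", "netsh.exe",  # network config
    "systeminfo.exe", "hostname.exe", "forfiles.exe", "tree.com",       # system, files
}
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "makecab.exe"}
# 7-Zip '-p<pw>' and RAR '-p<pw>' / '-hp<pw>' password switches.
PASSWORD_FLAG_RE = re.compile(r"(?:^|\s)-(?:hp|p)(?:\S|$)", re.IGNORECASE)
# Impacket wmiexec default: cmd.exe /Q /c <cmd> 1> \\127.0.0.1\ADMIN$\__<ts> 2>&1,
# spawned on the target by WmiPrvSE.exe.
WMIEXEC_RE = re.compile(r"cmd\.exe /Q /c .*\\\\127\.0\.0\.1\\ADMIN\$\\__", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' line (assumed layout)."""
    fields: Dict[str, str] = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def alert(rule: str, severity: str, ev: Dict[str, str]) -> Dict[str, str]:
    return {"rule": rule, "severity": severity, "host": ev.get("host", ""),
            "command": ev.get("CommandLine", "")}

def classify(ev: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Single-event rules: WMI remote execution and archiving of collected data."""
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "")
    if parent == "wmiprvse.exe" and WMIEXEC_RE.search(cmd):
        return alert("wmiexec-pattern", "high", ev)
    if image == "wmic.exe" and "/node:" in cmd.lower():
        return alert("wmic-remote-exec", "high", ev)
    if image in ARCHIVERS or (image in {"powershell.exe", "pwsh.exe"} and "compress-archive" in cmd.lower()):
        # A password switch blinds content inspection on the way out: rate it higher.
        return alert("archive-collected-data", "high" if PASSWORD_FLAG_RE.search(cmd) else "medium", ev)
    return None

def is_discovery(ev: Dict[str, str]) -> bool:
    image = basename(ev.get("Image", ""))
    if image == "wmic.exe":  # local WMI queries count; /node: is remote execution
        return "/node:" not in ev.get("CommandLine", "").lower()
    return image in DISCOVERY_BINS

def discovery_bursts(events: List[Dict[str, str]]) -> List[Dict]:
    """One alert per host running >= BURST_THRESHOLD distinct discovery binaries
    within WINDOW_SECONDS; a lone 'ipconfig /release' never fires."""
    per_host: Dict[str, list] = defaultdict(list)
    for ev in events:
        if is_discovery(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), basename(ev["Image"])))
    alerts = []
    for host, seq in per_host.items():
        seq.sort()
        for i, (start, _) in enumerate(seq):
            window = {img for ts, img in seq[i:] if (ts - start).total_seconds() <= WINDOW_SECONDS}
            if len(window) >= BURST_THRESHOLD:
                alerts.append({"rule": "discovery-burst", "severity": "medium", "host": host,
                               "start": start.isoformat(), "binaries": sorted(window)})
                break
    return alerts

def scan(lines: List[str]) -> List[Dict]:
    """Per-event rules first (in event order), then the per-host burst rule."""
    events = [parse_event(line) for line in lines if line.strip()]
    alerts = [a for a in (classify(ev) for ev in events) if a]
    alerts.extend(discovery_bursts(events))
    return alerts

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    r'ts=2024-05-02T10:00:01|host=WS01|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\wbem\WmiPrvSE.exe|CommandLine=cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1714644001.12 2>&1',
    r'ts=2024-05-02T10:00:05|host=WS01|Image=C:\Windows\System32\whoami.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=whoami',
    r'ts=2024-05-02T10:00:09|host=WS01|Image=C:\Windows\System32\ipconfig.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=ipconfig /all',
    r'ts=2024-05-02T10:00:14|host=WS01|Image=C:\Windows\System32\wbem\wmic.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wmic os get caption,version',
    r'ts=2024-05-02T10:00:20|host=WS01|Image=C:\Windows\System32\systeminfo.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=systeminfo',
    r'ts=2024-05-02T10:03:00|host=WS01|Image=C:\Users\alice\AppData\Roaming\7z.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=7z.exe a -pPa55w0rd C:\Users\alice\AppData\Roaming\out.7z C:\Users\alice\Documents\*.docx',
    r'ts=2024-05-02T10:00:03|host=WS02|Image=C:\Windows\System32\ipconfig.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=ipconfig /release',
    r'ts=2024-05-02T11:30:00|host=WS02|Image=C:\Windows\System32\wbem\wmic.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=wmic /node:FS01 process call create cmd.exe',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

WS01 produces the wmiexec alert, a password-protected archive alert and a discovery burst (four distinct discovery binaries in fifteen seconds); WS02's single ipconfig stays silent, while its wmic /node: call is reported as remote execution rather than counted as discovery. The burst rule is deliberately per-host and threshold-based because any one of these binaries on its own is routine administration.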
Command and Control / Application Layer Protocol: Web Protocols (T1071.001): the technique list places Octopus's Base64-encoded C2 traffic under this entry. Threat actors and malware throughout the corpus use HTTP and HTTPS for command and control, e.g. "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests." Base64 is an encoding, not encryption: a proxy or IDS that decodes request bodies can recover the beacon content, which is the check worth adding for this family.
Exfiltration / Exfiltration Over C2 Channel (T1041): Octopus uploads stolen files and other victim data over its C2 channel. Comparable procedures: "ADVSTORESHELL exfiltrates data over the same channel used for C2"; "Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers"; numerous malware and groups send victim data, files, credentials or host information over existing C2 channels.
Exfiltration / Exfiltration Over Web Service (T1567): Octopus has exfiltrated data to file sharing sites. "Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts"; "HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later."
Exfiltration / Exfiltration to Cloud Storage (T1567.002): "Akira will exfiltrate victim data using applications such as Rclone"; "APT41 DUST exfiltrated collected information to OneDrive"; "...upload data...in Dropbox"; "...exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command..."; "...exfiltrated data to Google Drive"; "...use an attacker-controlled OneDrive account for exfiltration"; "...via the Microsoft Graph API"; "Turla has also exfiltrated stolen files to OneDrive and 4shared". Because these destinations are also legitimate business services, detection should key on the combination of uploader (an rclone user-agent, for instance), upload volume and source host rather than on the domain alone.
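An added example (not the page's or any vendor's code) that runs two of the checks a practitioner would want over constructed proxy records, covering the Base64-encoded C2 entry and the exfiltration entries above: a strict Base64 decode of request bodies that only fires when the result is mostly printable text, which is what a Base64-wrapped plaintext beacon looks like, and an upload-volume check against the file-sharing and cloud-storage services the entries name, rated higher when the user-agent is rclone. The record layout (with the request body logged), the service list and the 1 MiB threshold are assumptions; the non-cloud hostnames are placeholders.

```python
"""Spot Base64-wrapped C2 bodies and bulk uploads to file-sharing or cloud
storage services in proxy records.
Added example for this page, not code from the page or any vendor; the
'key=value|...' record layout (with the request body logged), the service
list and the upload threshold are assumptions."""
import base64
import binascii
from typing import Dict, List, Optional

UPLOAD_MIN_BYTES = 1024 * 1024   # assumed floor before a PUT/POST counts as an upload
# Services the surrounding entries name as exfiltration endpoints (MEGA, Google
# Drive, OneDrive/Graph, Dropbox, 4shared, Blogspot); matched on domain suffix.
CLOUD_STORAGE = ("mega.nz", "mega.co.nz", "drive.google.com", "www.googleapis.com",
                 "onedrive.live.com", "graph.microsoft.com", "dropbox.com",
                 "dropboxapi.com", "4shared.com", "blogspot.com")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one 'key=value|key=value' proxy record (assumed layout); the body
    field may itself contain '=' so only the first one splits."""
    fields: Dict[str, str] = {}
    for pair in line.split("|"):
        key, _, value = pair.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def decode_base64_text(body: str) -> Optional[str]:
    """Return the decoded text when 'body' is strict Base64 that yields mostly
    printable ASCII, which is what a plaintext beacon hidden in Base64 looks like.
    Random alphanumeric tokens of a valid length decode to binary junk and are
    rejected, which keeps session ids and similar out of the alert stream."""
    if len(body) < 16 or len(body) % 4:
        return None
    try:
        raw = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return None
    printable = sum(1 for b in raw if 32 <= b < 127 or b in b"\t\r\n")
    if printable / len(raw) < 0.9:
        return None
    return raw.decode("ascii", "replace")


def cloud_service(host: str) -> Optional[str]:
    host = host.lower()
    return next((d for d in CLOUD_STORAGE if host == d or host.endswith("." + d)), None)


def check_record(rec: Dict[str, str]) -> Optional[Dict]:
    """Apply both rules to one record; returns an alert dict or None."""
    if rec.get("method", "").upper() not in {"POST", "PUT", "PATCH"}:
        return None
    decoded = decode_base64_text(rec.get("body", ""))
    if decoded is not None:
        return {"rule": "base64-c2-body", "severity": "medium", "src": rec.get("src", ""),
                "host": rec.get("host", ""), "decoded": decoded[:80]}
    service = cloud_service(rec.get("host", ""))
    bytes_out = int(rec.get("bytes_out", "0") or 0)
    if service and bytes_out >= UPLOAD_MIN_BYTES:
        # rclone is the uploader several of the quoted procedures name.
        severity = "high" if "rclone" in rec.get("ua", "").lower() else "medium"
        return {"rule": "cloud-storage-upload", "severity": severity, "src": rec.get("src", ""),
                "host": rec.get("host", ""), "service": service, "bytes_out": bytes_out}
    return None


def scan(lines: List[str]) -> List[Dict]:
    alerts = []
    for line in lines:
        if line.strip():
            hit = check_record(parse_record(line))
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample records (not real traffic). The beacon body is built here so
# the Base64 is exact; the non-cloud hostnames are placeholders.
BEACON = base64.b64encode(b"host=WS01;user=alice;os=Windows 10 Pro;id=7F3A9C").decode()
SAMPLE_LOG = [
    f"ts=2024-05-02T10:05:00|src=10.0.0.25|method=POST|host=update-cdn.example.net|path=/gate.php|ua=Mozilla/5.0|bytes_out=96|body={BEACON}",
    "ts=2024-05-02T10:05:30|src=10.0.0.25|method=POST|host=intranet.example.local|path=/login|ua=Mozilla/5.0|bytes_out=40|body=user=alice&remember=1",
    "ts=2024-05-02T10:06:00|src=10.0.0.25|method=POST|host=intranet.example.local|path=/api/ping|ua=Mozilla/5.0|bytes_out=16|body=sessionid1234567",
    "ts=2024-05-02T10:40:00|src=10.0.0.25|method=PUT|host=g.api.mega.co.nz|path=/cs|ua=rclone/v1.66.0|bytes_out=52428800|body=",
    "ts=2024-05-02T10:41:00|src=10.0.0.25|method=PUT|host=graph.microsoft.com|path=/v1.0/me/drive/root:/backup.rar:/content|ua=Mozilla/5.0|bytes_out=20971520|body=",
    "ts=2024-05-02T10:42:00|src=10.0.0.31|method=GET|host=www.4shared.com|path=/|ua=Mozilla/5.0|bytes_out=0|body=",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The first record is reported with its decoded beacon, the 50 MB rclone PUT to MEGA is rated high and the 20 MB Graph API upload medium; the form post, the 16-character session id (valid Base64 that decodes to binary junk) and the plain GET to 4shared produce nothing, which is the point of the printable-text and upload-volume checks.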