Dragonfly
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 60 attack patterns (mitre), 2 malware, 8 tools
Aliases
TEMP.Isotope, DYMALLOY, Berserk Bear, TG-4192, Crouching Yeti, IRON LIBERTY, Energetic Bear, Ghost Blizzard, BROMINE
Description
Marking (TLP)
Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Symantec Dragonfly
- Microsoft Threat Actor Naming July 2023
- Gigamon Berserk Bear October 2021
- Secureworks MCMD July 2019
- Secureworks Karagany July 2019
- mitre-attack (G0035)
- Symantec Dragonfly Sept 2017
- Dragos DYMALLOY
- UK GOV FSB Factsheet April 2022
- Mandiant Ukraine Cyber Threats January 2022
- CISA AA20-296A Berserk Bear December 2020
- Symantec Dragonfly 2.0 October 2017
- DOJ Russia Targeting Critical Infrastructure March 2022
- Secureworks IRON LIBERTY July 2019
- Fortune Dragonfly 2.0 Sept 2017
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (60)
- uses T1187 Forced Authentication
- uses T1595.002 Vulnerability Scanning
- uses T1598.002 Spearphishing Attachment
- uses T1608.004 Drive-by Target
- uses T1059.003 Windows Command Shell
- uses T1591.002 Business Relationships
- uses T1059.006 Python
- uses T1059.001 PowerShell
- uses T1195.002 Compromise Software Supply Chain
- uses T1078 Valid Accounts
- uses T1584.004 Server
- uses T1070.004 File Deletion
- uses T1221 Template Injection
- uses T1562.004 Disable or Modify System Firewall
- uses LSA Secrets
- uses T1059 Command and Scripting Interpreter
- uses T1598.003 Spearphishing Link
- uses T1083 File and Directory Discovery
- uses T1021.001 Remote Desktop Protocol
- uses T1105 Ingress Tool Transfer
- uses T1005 Data from Local System
- uses T1583.003 Virtual Private Server
- uses T1190 Exploit Public-Facing Application
- uses T1588.002 Tool
- uses T1112 Modify Registry
- uses T1114.002 Remote Email Collection
- uses T1136.001 Local Account
- uses T1135 Network Share Discovery
- uses T1033 System Owner/User Discovery
- uses T1110.002 Password Cracking
- uses T1210 Exploitation of Remote Services
- uses T1113 Screen Capture
- uses T1069.002 Domain Groups
- uses T1070.001 Clear Windows Event Logs
- uses T1003.002 Security Account Manager
- uses T1074.001 Local Data Staging
- uses T1110 Brute Force
- uses T1003.003 NTDS
- uses T1053.005 Scheduled Task
- uses T1189 Drive-by Compromise
- uses T1203 Exploitation for Client Execution
- uses T1012 Query Registry
- uses T1018 Remote System Discovery
- uses T1566.001 Spearphishing Attachment
- uses T1087.002 Domain Account
- uses T1133 External Remote Services
- uses T1547.001 Registry Run Keys / Startup Folder
- uses T1505.003 Web Shell
- uses T1564.002 Hidden Users
- uses T1016 System Network Configuration Discovery
- uses T1204.002 Malicious File
- uses T1583.001 Domains
- uses Drive-by Compromise
- uses T1071.002 File Transfer Protocols
- uses T1560 Archive Collected Data
Malware (2)
- Backdoor.Oldrea
- Trojan.Karagany
Tool (8)
- uses Net · The MITRE Corporation · Confidence 100
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- uses MCMD · The MITRE Corporation · Confidence 100
  [MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). (Citation: Secureworks MCMD July 2019)
  Published 13/08/2020 19:15 · Modified 27/03/2026 01:07
- uses Reg · The MITRE Corporation · Confidence 100
  [Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- uses netsh · The MITRE Corporation · Confidence 100
  [netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)
  Published 31/05/2017 23:33 · Modified 27/03/2026 01:07
- uses Mimikatz · The MITRE Corporation · Confidence 100
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07
- uses CrackMapExec · The MITRE Corporation · Confidence 100
  [CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted …
  Published 17/07/2020 16:23 · Modified 27/03/2026 01:07
- uses Impacket · The MITRE Corporation · Confidence 100
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, …
  Published 31/01/2019 02:39 · Modified 27/03/2026 01:07
- uses PsExec · The MITRE Corporation · Confidence 100
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals)(Citation: SANS …
  Published 31/05/2017 23:32 · Modified 27/03/2026 01:07