Sandworm Team
Essential information
- Confidence: 100/100
- Published: 16/12/2025 19:39
- Modified: 27/03/2026 01:13
- Updated at: 27/03/2026 01:13
- Revoked: No
- Author / Source: The MITRE Corporation
- Resource level: —
- Primary motivation: —
- Related entities: 100 attack patterns (MITRE), 26 malware, 6 sectors, 5 countries, 22 indicators, 7 vulnerabilities (CVE), 8 tools, 3 campaigns
Aliases
- ELECTRUM
- Telebots
- IRON VIKING
- BlackEnergy (Group)
- Quedagh
- Voodoo Bear
- FROZENBARENTS
- APT44
- IRIDIUM
- Seashell Blizzard
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- mitre-attack (G0034)
- NCSC Sandworm Feb 2020
- Microsoft Threat Actor Naming July 2023
- Secureworks IRON VIKING
- CrowdStrike VOODOO BEAR
- F-Secure BlackEnergy 2014
- mandiant_apt44_unearthing_sandworm
- InfoSecurity Sandworm Oct 2014
- Dragos ELECTRUM
- USDOJ Sandworm Feb 2020
- iSIGHT Sandworm 2014
- Leonard TAG 2023
- US District Court Indictment GRU Oct 2018
- UK NCSC Olympic Attacks October 2020
- Microsoft Prestige ransomware October 2022
- US District Court Indictment GRU Unit 74455 October 2020
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (100)
- T1490 Inhibit System Recovery (uses; source: MITRE)
- T1195 Supply Chain Compromise (uses; source: MITRE)
- T1585.001 Social Media Accounts (uses; source: MITRE)
- T1036 Masquerading (uses; source: MITRE)
- T1070.004 File Deletion (uses; source: MITRE)
- T1005 Data from Local System (uses; source: MITRE)
- T1595.002 Vulnerability Scanning (uses; source: MITRE)
- T1018 Remote System Discovery (uses; source: MITRE)
- T1102.002 Bidirectional Communication (uses; source: MITRE)
- T1589.002 Email Addresses (uses; source: MITRE)
- T1571 Non-Standard Port (uses; source: MITRE)
- T1608.001 Upload Malware (uses; source: MITRE)
Malware (26)
- ShadowLink (uses; source: AlienVault; confidence 100)
- Neo-reGeorg (uses; source: The MITRE Corporation; confidence 100)
  [Neo-reGeorg](https://attack.mitre.org/software/S1189) is an open-source web shell designed as a restructuring of [reGeorg](https://attack.mitre.org/software/S1187) with improved usability, security, and fixes for existing [reGeorg](https://attack.mitre.org/software/S1187) bugs. (Citation: GitHub Neo-reGeorg 2019)
- Exaramel for Linux (uses; malware family; source: The MITRE Corporation; confidence 100)
  [Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for…
- AcidPour (uses; malware family; source: The MITRE Corporation; confidence 100)
  [AcidPour](https://attack.mitre.org/software/S1167) is a variant of [AcidRain](https://attack.mitre.org/software/S1125) designed to impact a wider range of x86 architecture Linux devices. [AcidPour](https://attack.mitre.org/software/S1167) is an x86 ELF binary that expands on the targeted…
- KillDisk (uses; malware family; source: The MITRE Corporation; confidence 100)
  [KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during…
- NotPetya (uses; malware family; source: The MITRE Corporation; confidence 100)
  [NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main…
- Cyclops Blink (uses; malware family; source: The MITRE Corporation; confidence 100)
  [Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including…
- Bad Rabbit (uses; malware family; source: The MITRE Corporation; confidence 100)
  [Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad…
- GreyEnergy (uses; malware family; source: The MITRE Corporation; confidence 100)
  [GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be its successor. (Citation:…
- P.A.S. Webshell (uses; malware family; source: The MITRE Corporation; confidence 100)
  [P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers. (Citation: ANSSI Sandworm January…
- Industroyer2 (uses; malware family; source: The MITRE Corporation; confidence 100)
  [Industroyer2](https://attack.mitre.org/software/S1072) is a compiled and static piece of malware that has the ability to communicate over the IEC-104 protocol. It is similar to the IEC-104 module found in…
- Kapeka (uses; malware family; source: The MITRE Corporation; confidence 100)
  Kapeka is a backdoor written in C++ used against victims in Eastern Europe since at least mid-2022. Kapeka has technical overlaps with [Exaramel for Windows](https://attack.mitre.org/software/S0343) and [Prestige](https://attack.mitre.org/software/S1058) malware…
Sectors (6)
- Energy (targets)
- Government (targets)
- Defense (targets)
- Manufacturing (targets)
- Telecommunications (targets)
- Transportation (targets)
Countries (5)
- Canada (targets)
- Australia (targets)
- Ukraine (targets)
- United Kingdom of Great Britain and Northern Ireland (targets)
- United States of America (targets)
Indicators (22)
- STIX indicator, 100/100, revoked; valid until 13/02/2024; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 09/02/2026; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 16/07/2023; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 09/02/2026; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 16/07/2023; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 09/02/2026; source: AlienVault
- STIX indicator, 100/100, revoked; mespinoza_svchost, SHA256 of 986ba7a5714ad5b0de0d040d1c066389bcb81a67; valid until 29/05/2024; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 16/07/2023; source: AlienVault
- STIX indicator, 100/100, revoked; valid until 09/02/2026; source: AlienVault
Vulnerabilities (CVE) (7)
- JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
  - Attack vector: Network
  - Published: 04/10/2023
  - Modified: 29/05/2026
- ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …
  - Attack vector: Network
  - Published: 22/02/2024
  - Modified: 28/02/2026
- Microsoft Exchange Server contains an unspecified vulnerability that allows for remote code execution.
  - Published: 03/11/2021
  - Modified: 29/05/2026
- Microsoft Office Outlook contains a privilege escalation vulnerability that allows for an NTLM Relay attack against another service to authenticate as the …
  - Attack vector: Network
  - Published: 14/03/2023
  - Modified: 21/12/2025
- Fortinet FortiClient EMS contains a SQL injection vulnerability that allows an unauthenticated attacker to execute commands as SYSTEM via specifically crafted requests.
  - Attack vector: Network
  - Published: 25/03/2024
  - Modified: 21/12/2025
- Synacor Zimbra Collaboration Suite (ZCS) allows an attacker to upload arbitrary files using cpio package to gain incorrect access to any other …
  - Attack vector: Network
  - Published: 20/10/2022
  - Modified: 20/12/2025
- Ignite Realtime Openfire contains a path traversal vulnerability that allows an unauthenticated attacker to access restricted pages in the Openfire Admin Console …
  - Attack vector: Network
  - Published: 24/08/2023
  - Modified: 21/12/2025
Tool (8)
- Invoke-PSImage (uses; source: The MITRE Corporation; confidence 100)
  [Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from…
- Empire (uses; source: The MITRE Corporation; confidence 100)
  [Empire](https://attack.mitre.org/software/S0363) is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents…
- PoshC2 (uses; source: The MITRE Corporation; confidence 100)
  [PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while…
- Net (uses; source: The MITRE Corporation; confidence 100)
  The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
- Impacket (uses; source: The MITRE Corporation; confidence 100)
  [Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
- PsExec (uses; source: The MITRE Corporation; confidence 100)
  [PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals)(Citation: SANS…
- Mimikatz (uses; source: The MITRE Corporation; confidence 100)
  [Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
- SDelete (uses; source: The MITRE Corporation; confidence 100)
  [SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete…
Campaign (3)
- 2016 Ukraine Electric Power Attack (attributed-to)
- 2015 Ukraine Electric Power Attack (attributed-to)
- 2022 Ukraine Electric Power Attack (attributed-to)