Sandworm
Published 20/12/2025 23:15 · Modified 20/12/2025 23:15 · Source: AlienVault
Essential information
- Confidence: 100/100
- Published: 20/12/2025 23:15
- Modified: 20/12/2025 23:15
- Updated at: 20/12/2025 23:15
- Revoked: No
- Author / Source: AlienVault
- Resource level: —
- Primary motivation: —
- Related entities: 4 reports, 73 attack patterns (MITRE), 33 malware, 4 sectors, 9 countries, 100 indicators
Description
No description.
Marking (TLP)
TLP:CLEAR
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Reports (4)
- 8 MITRE attack patterns, 21 malware, 7 observables, 1 APT · Published 30/01/2026 18:42 · Modified 02/02/2026 11:06
- 1 MITRE attack pattern, 1 APT · Published 23/01/2026 22:47 · Modified 23/01/2026 23:17
- 12 MITRE attack patterns, 1 APT · Published 05/11/2025 12:36 · Modified 05/11/2025 21:51
- 20 MITRE attack patterns, 4 malware, 35 observables, 1 APT · Published 12/02/2025 00:24 · Modified 12/02/2025 09:07
Attack patterns (MITRE) (73)
- T1021.001 Remote Desktop Protocol · uses
- T1090.003 Multi-hop Proxy · uses
- T1021.004 SSH · uses
- T1406 Obfuscated Files or Information (Mobile) · uses
- T1430 Location Tracking (Mobile) · uses
- T1095 Non-Application Layer Protocol · uses
- T1071.001 Web Protocols · uses
- T1584.004 Server · uses
- T1569.002 Service Execution · uses
- T1531 Account Access Removal · uses
- T1029 Scheduled Transfer · uses
- T1059.001 PowerShell · uses
- T1074 Data Staged · uses
- T1561.001 Disk Content Wipe · uses
- T1421 System Network Connections Discovery (Mobile) · uses
- T1036.005 Match Legitimate Resource Name or Location · uses
- T1056.001 Keylogging · uses
- T1082 System Information Discovery · uses
- T1005 Data from Local System · uses
- TA0003 Persistence (tactic) · uses
- T1021.002 SMB/Windows Admin Shares · uses
- T1565 Data Manipulation · uses
- T1070.004 File Deletion · uses
- T1548.002 Bypass User Account Control · uses
- T1473 · uses
- T1533 Data from Local System (Mobile) · uses
- T1105 Ingress Tool Transfer · uses
- T1053 Scheduled Task/Job · uses
- T1572 Protocol Tunneling · uses
- T1059.003 Windows Command Shell · uses
- T1218.011 Rundll32 · uses
- T1003.001 LSASS Memory · uses
- T1059 Command and Scripting Interpreter · uses
- T1113 Screen Capture · uses
- T1124 System Time Discovery · uses
- T1566 Phishing · uses
- T1090.002 External Proxy · uses
- T1053.005 Scheduled Task · uses
- T1041 Exfiltration Over C2 Channel · uses
- T1027 Obfuscated Files or Information · uses
- T1496 Resource Hijacking · uses
- T1486 Data Encrypted for Impact · uses
- T1204.002 Malicious File · uses
- T1083 File and Directory Discovery · uses
- T1521 Encrypted Channel (Mobile) · uses
- T1561 Disk Wipe · uses
- T1529 System Shutdown/Reboot · uses
- T1040 Network Sniffing · uses
- T1020 Automated Exfiltration · uses
- T1420 File and Directory Discovery (Mobile) · uses
- T1398 Boot or Logon Initialization Scripts (Mobile) · uses
- TA0011 Command and Control (tactic) · uses
- T1497 Virtualization/Sandbox Evasion · uses
- T1219 Remote Access Tools · uses
- T1557 Adversary-in-the-Middle · uses
- T1070 Indicator Removal · uses
- T1422 System Network Configuration Discovery (Mobile) · uses
- T1489 Service Stop · uses
- T1569 System Services · uses
- T1218 System Binary Proxy Execution · uses
- T1114 Email Collection · uses
- T1555.003 Credentials from Web Browsers · uses
- T1490 Inhibit System Recovery · uses
- T1471 Data Encrypted for Impact (Mobile) · uses
- T1484.001 Group Policy Modification · uses
- T1036 Masquerading · uses
- T1418 Software Discovery (Mobile) · uses
- T1573.002 Asymmetric Cryptography · uses
- T1112 Modify Registry · uses
- T1552.004 Private Keys · uses
- T1562.001 Disable or Modify Tools · uses
- T1426 System Information Discovery (Mobile) · uses
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol · uses
Malware (33)
- CaddyWiper (S0693) · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- Dark Crystal RAT · uses · Family · Published 12/02/2025 00:24 · Modified 12/02/2025 00:24
- CaddyWiper
- ORCSHRED · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- Industroyer2 (S1072) · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- ZOV wiper · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- SharpNikoWiper · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- SOLOSHRED · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- Infamous Chisel
- SwiftSlicer · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- HermeticRansom · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- GreyEnergy (S0342)
- AcidRain · uses · Family · Published 13/11/2025 23:20 · Modified 13/11/2025 23:20
- DynoWiper · uses · Family · Published 21/05/2026 23:03 · Modified 21/05/2026 23:03
- BidSwipe · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- RansomBoggs · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- Kapeka
- Kalambur · uses · Family · Published 12/02/2025 00:24 · Modified 12/02/2025 00:24
- NikoWiper · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- DoubleZero · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- ZEROLOT · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- ROARBAT · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- ZeroWipe
- BACKORDER · uses · Family · Published 12/02/2025 00:24 · Modified 12/02/2025 00:24
- Prestige (S1058) · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- SDelete
- AcidPour
- HermeticWiper · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- Sting wiper · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- AWFULSHRED · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
- DcRAT · uses · Family · Published 01/03/2026 05:26 · Modified 01/03/2026 05:26
- ARGUEPATCH · uses · Family · Published 30/01/2026 18:42 · Modified 30/01/2026 18:42
Sectors (4)
- Energy · targets
- Defense · targets
- Telecommunications · targets
- Government · targets
Countries (9)
- United States of America · targets
- Australia · targets
- Estonia · targets
- Poland · targets
- Canada · targets
- Ukraine · targets
- New Zealand · targets
- Belarus · targets
- United Kingdom of Great Britain and Northern Ireland · targets
Indicators (100)
- f3280e61f7c810457b8c6741aa57bdceb1dd918d18f16d314761a49788665877 · indicates
- 426a480c6c11190cc9d7c069ef409ae0b6bffa13 · indicates
- c13270594f873bb188f893f307d1ec94aa21ee4c3b90301e168eec3a21a055ca · indicates
- 272cfaebf22e0f6a34c0a93b7c9c5b67c725947ba0f17e60ed67dbf6e1602043 · indicates
- https://185.225.114.90/accept · indicates
- progamevl.ru · indicates
- fdc3f0516e1558cc4c9105ac23716f39a6708b8facada3a48609073a16a63c83 · indicates
- 4e6582b8ff2fb2e91cc31de2f4ed4f72ef7ac52845d4dbfabf36081d849bba64 · indicates
- d1871e43c0a5ebc123eafa91b44ce00636ef02a3 · indicates
- yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion · indicates
- a42de97a466868efbfc4aa1ef08bfdb3cc5916d1accd59cfffff1a896d569412 · indicates
- 33a2be6638be67ba9117e0ac7bad26b12adbcdf6f8556c4dc2ff3033a8cdf14f · indicates
- http://194.61.121.211/application · indicates
- f30b9f6e913798ca52154c88725ee262a7bf92fe7caac1ae2e5147e457b9b08a · indicates
- e76f78c5afbd1d1a3fefa7a37d1737f9cb06197f4a6d6dd8f7b74f3978362a9f · indicates
- http://kmsupdate2023.com/kms2023.zip · indicates
- f38d170804471b31490d23fb483e0dd81c1a8be3 · indicates
- 4e568242667c61a1551d3e5f3e42107c43db5d989647b333325d10840cd2d58e · indicates
- 70c91ffdc866920a634b31bf4a070fb3c3f947fc9de22b783d6f47a097fec2d8 · indicates
- http://91.92.137.164/json · indicates
- 001208a304258c23a0b3794abd8a5a21210dfeaf106195f995a6f55d75ef89cd · indicates
- c237f1a3f75b2759f66ec741448bb352e95e186a9a689f87c8641b44a13d878b · indicates
- 4a4dde90762accb8d61caad9923f1473c6d8ee493c7dc6c482dfd52c9f8fc2f5 · indicates
- c3859810b9842daf129bc887e7b267ae70ba985387b1cea0fc62270c74c3d4a6 · indicates
- solntsepek.ru · indicates
- 5c5323bd17fd857a0e77be4e637841dad5c4367a72ac0a64cc054f78f530ba37 · indicates
- solntsepek.org · indicates
- 553f7f32c40626cbddd6435994aff8fc46862ef2ed8f705f2ad92f76e8a3af12 · indicates
- ce85f5bcd52c79582a66bc7ef3f11f4ac74e9cc9962551b5912ac6bfa78ea841 · indicates
- 5fdb577b5ce71c42032c77cf41b3a4478726dff5a234abd0a26ff0bdd42e4ef9 · indicates
- dc31de076eb9b2407bc4e7fa44216f906f0857271d71a2ea2fb6f35c96cd8f35 · indicates
- 827278ad89486debd79c6bfc38d8b00fa5fb90ad · indicates
- 9b4dfaca873961174ba935fddaf696145afe7bbf5734509f95feb54f3584fd9a · indicates
- 5866e1fa5e262ade874c4b869d57870a88e6a8f9d5b9c61bd5d6a323e763e021 · indicates
- 3afbb6767c5b39888b4ddf7bc459cc1fea223e2e · indicates
- 7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f · indicates
- bfda142bc5c44913eed9ef1cf2a8ad07b7a71312a26e4c7c519bf1a3fedeb6a0 · indicates
- 29c21a87bed19457f7f76e5f39c818ad563a2ddb203961bb2295263d8e875044 · indicates
- 648c2067ef3d59eb94b54c43e798707b030e0383b3651bcc6840dae41808d3a9 · indicates
- 645821ba80859651cdb8c1c1f8129702a85503c62b0c3ce74f99d50214f67244 · indicates
- 807bfade291ab71c1bb47ef2c18a52d6db7b7546f28a421edf18ebeae5ad00aa · indicates
- https://178.250.188.114/ubuntu/focal · indicates
- http://178.250.188.114/ubuntu/focal · indicates
- 52faa381392c1a86b537096c2730de5aeab9be7512bde9536aef84857b19753e · indicates
- kalambur.net · indicates
- 744364ea94245c26aabfdedc4a6fae2e2d188fbe3c851f439b27ed8a9084a9d1 · indicates
- 2zilmiystfbjib2k4hvhpnv2uhni4ax5ce4xlpb7swkjimfnszxbkaid.onion · indicates
- http://onedrivepack.com/pipe_RequestPollUpdateProcessAuthwordpress.php · indicates
- 5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7 · indicates
- 0e58d38fd2df86eeb4a556030a0996c04bd63e09e669b34d3bbc10558edf31a6 · indicates
- 61b0246202707414da97911c0447eed70499e02285db9190a5842de748ae0bd1 · indicates
- bdd7b08ab069c71877352e4cf7cf0e1e14b14ccffd3fb827a81ed6fc564ff99b · indicates
- a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92 · indicates
- 00782ccd65a1e03e3e74ce1e59e752926e0a050818fa195bd7e5a5b359500758 · indicates
- 5fc44c7342b84f50f24758e39c8848b2f0991e8817ef5465844f5f2ff6085a57 · indicates
- 5557aea34234deb015d8e6c39ea2945bad6dd4e9dfe5278265c1183aa3942394 · indicates
- 338f8b447c95ba1c3d8d730016f0847585a7840c0a71d5054eb51cc612f13853 · indicates
- 835b0d87ed2d49899ab6f9479cddb8b4e03f5aeb2365c50a51f9088dcede68d5 · indicates
- 3cf2de421c64f57c173400b2c50bbd9e59c58b778eba2eb56482f0c54636dd29 · indicates
- 66548ba6ca6d34b7d17e42ab2e1405db1c581a516e0b1a4942d373d6d5396ba4 · indicates
- 8a4df53283a363c4dd67e2bda7a430af2766a59f8a2faf341da98987fe8d7cbd · indicates
- cca9accd3c1554703ab11eb9c10b146d9d8a84ea165450003200de1ebbc2ac4c · indicates
- bcdf0bd8142a4828c61e775686c9892d89893ed0f5093bdc70bde3e48d04ab99 · indicates
- 40a4b5e54fecce52c9d8ef5b2fa3973a3dd748c5bcedd7bde1154aa4a936c2e1 · indicates
- 63939d3bd170846a95b124c09a4b6399ab1e790d0c2f407141de9265efc51ee9 · indicates
- https://91.92.137.164/json · indicates
- 31.172.71.5 · indicates
- d8d3a1c24a12795f0c65509db8b40c26396a51d0dfa258b6fc317e8b2270c5a3 · indicates
- kms-win11-update.net · indicates
- feae0ab35affa24c52650c9da789cf214d4f7c37bdef3e4d0412feb4aaa3b4db · indicates
- activationsmicrosoft.com · indicates
- daa0ebaf4c704a80cb79dd655c816b922d7480b6d97e53e4015ee96d936245b5 · indicates
- cd7c36a2f4797b9ca6e87ab44cb6c8b4da496cff29ed5bf727f0699917bae69a · indicates
- bd07fb1e9b4768e7202de6cc454c78c6891270af02085c51fce5539db1386c3f · indicates
- main.show · indicates
- 7cddf5eabb6e59b9901e6a68996413e3469f8c56b4da92cf24c18862221c3046 · indicates
- e3bc3689f01fd431cd2ed368ae91eceaa7c465c2781fa7b7dc2ec9143a404f79 · indicates
- 1a1ffcbab9bff4a033a26e8b9a08039955ac14ac5ce1f8fb22ff481109d781a7 · indicates
- 294a16e3d8f507cdcfaa4582b0f93427fe924ad8 · indicates
- taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion · indicates
- 44e0aa08ef5fdb2aec2f393078204fb70e271b63 · indicates
- 6ca881729c4610cb08f0f54fa1ff2ad9a0f56313da8ae5caa3746f8c1cd527b2 · related
- a29944006225bb5cb0dacf597ef614cf947a8ac088cec90c954506b38ebdc28e · related
- a294620543334a721a2ae8eaaf9680a0786f4b9a216d75b55cfd28f39e9430ea · related
- 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 · related
- a97252c1a675d3c64dc806181e64f0a0e86914a540476b08cc578d94759ee082 · related
- 06584cc9f5bc80964b80220064dda52e822e81ad1d0053f4390ca1433c64971b · related
- a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b · related
- kmsupdate2023.com · related
- 1dbb018010a79d869f9a3f61907f81e61e15a366efe7302e26d93946754cd311 · related
- 203890c3e60ccd4e05a2f9b1a784b010bb2d42d6 · related
- 8369d112dc42151ceb3aaa6eca96fb66a08e631a2f18860d716a0604a80da76c · related
- 3c5e7c6da03c5f66d71332a34b3a1f57fed05d3de624f05dae50f7b14a4e44b3 · related
- e2551b76534f0646fccbffd01856948b8f440618afd2b17cda6a9ae59e8e28f7 · related
- 602dbcf4008c585582d5e5d5c8ddb1932fdee07a14308e9cbf937904f31df1f7 · related
- https://196.245.156.154/map/title · related
- 9a76e608afca114f18e2b794e9a557b910f43e575c816019a49876188602c3aa · related
- 8a7b3a7a9a4e8b7fd45c94b56ac59f6e15b6560f692756cf6050342bea06a1b3 · related
- https://165.231.34.106/users/me · related
- 4571860df3a7c8f67db93bd038c1847ddda5ef4b0b23e631d814778ab7a5d549 · related
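The indicator list above is flat and untyped: SHA-256 and SHA-1 hashes, URLs, domains, .onion addresses and one IPv4 address sit side by side, distinguished only by the "indicates" / "related" relationship. To use it in detection each value has to be classified, normalised, and matched with a rule that fits its type (exact match for hashes, IPs and URLs; suffix-aware match for domains so that subdomains hit but longer look-alike suffixes do not). The following is an added example written for this page, not AlienVault or OpenCTI code: it loads a handful of the indicators above verbatim, emits a STIX 2.1 pattern for each, and scans constructed sample log lines. The log lines and the `classify`, `stix_pattern`, `match_line` and `scan` names are this example's own.

```python
"""Typed IOC loader and log matcher for the indicator list on this page.
Added example written for this page; not AlienVault or OpenCTI code."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# (value, relationship) pairs copied from the page's list; all 100 load the same way.
PAGE_INDICATORS = [
    ("f3280e61f7c810457b8c6741aa57bdceb1dd918d18f16d314761a49788665877", "indicates"),
    ("426a480c6c11190cc9d7c069ef409ae0b6bffa13", "indicates"),
    ("https://185.225.114.90/accept", "indicates"),
    ("progamevl.ru", "indicates"),
    ("yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion", "indicates"),
    ("http://kmsupdate2023.com/kms2023.zip", "indicates"),
    ("31.172.71.5", "indicates"),
    ("kmsupdate2023.com", "related"),
]
_SHA256 = re.compile(r"^[0-9a-f]{64}$")
_SHA1 = re.compile(r"^[0-9a-f]{40}$")
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
_URL = re.compile(r"https?://[^\s\"'<>]+")           # URLs inside a log line
_WORD = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")    # bare values after 'key='
STIX_PATH = {"sha256": "file:hashes.'SHA-256'", "sha1": "file:hashes.'SHA-1'",
             "url": "url:value", "ipv4": "ipv4-addr:value", "domain": "domain-name:value"}

@dataclass(frozen=True)
class Ioc:
    value: str         # stripped and lower-cased
    kind: str          # sha256 | sha1 | url | ipv4 | domain | unknown
    relationship: str  # "indicates" or "related", as on the page

def classify(raw: str) -> str:
    """Infer the observable type from the value's shape; IPs are tested before domains."""
    v = raw.strip().lower()
    if _SHA256.match(v):
        return "sha256"
    if _SHA1.match(v):
        return "sha1"
    if v.startswith(("http://", "https://")):
        return "url"
    if _IPV4.match(v):
        return "ipv4"
    return "domain" if _DOMAIN.match(v) else "unknown"

def load(pairs):
    return [Ioc(v.strip().lower(), classify(v), rel) for v, rel in pairs]

def stix_pattern(ioc: Ioc) -> str:
    """STIX 2.1 comparison expression, for export to a TIP or SIEM."""
    if ioc.kind not in STIX_PATH:
        raise ValueError(f"no STIX mapping for {ioc.kind}: {ioc.value}")
    return f"[{STIX_PATH[ioc.kind]} = '{ioc.value}']"

def _tokens(line: str):
    """(urls, words, hosts); URLs are cut out first so 'src=1.2.3.4' yields the bare value."""
    urls = [u.lower().rstrip("/") for u in _URL.findall(line)]
    words = [w.lower().rstrip(".") for w in _WORD.findall(_URL.sub(" ", line))]
    hosts = set(words) | {h for h in (urlparse(u).hostname for u in urls) if h}
    return urls, words, hosts

def match_line(line: str, iocs) -> list:
    urls, words, hosts = _tokens(line)
    hits = []
    for ioc in iocs:
        if ioc.kind in ("sha256", "sha1", "ipv4"):
            hit = ioc.value in words                 # exact token
        elif ioc.kind == "url":
            hit = ioc.value.rstrip("/") in urls      # exact URL; its host is a separate domain IOC
        elif ioc.kind == "domain":                   # host or any subdomain, never a longer suffix
            hit = any(h == ioc.value or h.endswith("." + ioc.value) for h in hosts)
        else:
            hit = False
        if hit:
            hits.append(ioc)
    return hits

def scan(lines, iocs):
    """Map line index -> matched IOC values, for lines with at least one hit."""
    out = {}
    for i, line in enumerate(lines):
        values = [h.value for h in match_line(line, iocs)]
        if values:
            out[i] = values
    return out

# Constructed sample telemetry for this example, not real logs.
SAMPLE_LOGS = [
    "proxy allow src=10.4.2.17 dst=kmsupdate2023.com GET http://kmsupdate2023.com/kms2023.zip",
    "edr proc=C:\\Users\\u\\AppData\\Local\\Temp\\kms2023.exe "
    "sha256=F3280E61F7C810457B8C6741AA57BDCEB1DD918D18F16D314761A49788665877",
    "dns query=cdn.progamevl.ru type=A",
    "fw deny src=31.172.71.5 dport=443",
    "dns query=progamevl.ru.example.org type=A",          # look-alike suffix: must not hit
    "proxy allow dst=updates.microsoft.com GET https://updates.microsoft.com/x",
]

if __name__ == "__main__":
    iocs = load(PAGE_INDICATORS)
    print("\n".join(f"{i.relationship}: {stix_pattern(i)}" for i in iocs))
    print(scan(SAMPLE_LOGS, iocs))
```

Two caveats a practitioner would apply before alerting on these matches: URL indicators match only the exact URL, so a host seen with a different path is caught only where the page also lists the bare domain (as it does for kmsupdate2023.com, marked "related" rather than "indicates", the weaker of the two relationships); and a single IPv4 hit such as 31.172.71.5 should be corroborated against the hash or domain indicators from the same report before it is treated as confirmed Sandworm activity, since an address can be shared or reassigned.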