
Gamaredon Group

Aliases: Gamaredon Group, IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) derives from a misspelling of the word "Armageddon," found in early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022) In November...

Techniques: 70
Covered: 65
Gaps: 5
Coverage: 93% (65/70)

COVERED (65)

| Technique | Name | Detections |
|---|---|---|
| T1005 | Data from Local System | 46 |
| T1012 | Query Registry | 22 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1020 | Automated Exfiltration | 17 |
| T1021.005 | VNC | 2 |
| T1025 | Data from Removable Media | 3 |
| T1027 | Obfuscated Files or Information | 525 |
| T1027.004 | Compile After Delivery | 9 |
| T1027.010 | Command Obfuscation | 31 |
| T1027.015 | Compression | 2 |
| T1033 | System Owner/User Discovery | 59 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1039 | Data from Network Shared Drive | 6 |
| T1041 | Exfiltration Over C2 Channel | 30 |
| T1047 | Windows Management Instrumentation | 85 |
| T1053.005 | Scheduled Task | 82 |
| T1055 | Process Injection | 76 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1070.004 | File Deletion | 40 |
| T1071.001 | Web Protocols | 74 |
| T1080 | Taint Shared Content | 2 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1090 | Proxy | 44 |
| T1090.003 | Multi-hop Proxy | 8 |
| T1091 | Replication Through Removable Media | 8 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1102 | Web Service | 33 |
| T1102.002 | Bidirectional Communication | 14 |
| T1102.003 | One-Way Communication | 4 |
| T1105 | Ingress Tool Transfer | 170 |
| T1106 | Native API | 27 |
| T1112 | Modify Registry | 197 |
| T1113 | Screen Capture | 17 |
| T1119 | Automated Collection | 11 |
| T1120 | Peripheral Device Discovery | 4 |
| T1137 | Office Application Startup | 17 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1218.005 | Mshta | 46 |
| T1218.011 | Rundll32 | 73 |
| T1221 | Template Injection | 1 |
| T1480 | Execution Guardrails | 1 |
| T1491.001 | Internal Defacement | 4 |
| T1497.001 | System Checks | 6 |
| T1518.001 | Security Software Discovery | 8 |
| T1534 | Internal Spearphishing | 181 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1559.001 | Component Object Model | 16 |
| T1561.001 | Disk Content Wipe | 1 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1564.003 | Hidden Window | 11 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1568 | Dynamic Resolution | 10 |
| T1571 | Non-Standard Port | 16 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1587.003 | Digital Certificates | 1 |
| T1588.002 | Tool | 13 |
| T1608.001 | Upload Malware | 2 |
| T1620 | Reflective Code Loading | 12 |