OSINT – Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine

Event ID: 1250
UUID: 3410ad13-ef34-48c9-bc6f-b1b111a30e06
Creator org: CIRCL
Owner org: LUNCHBOX
Creator user: admin@admin.test
Protected Event (experimental): event is in unprotected mode
Tags: type:OSINT, osint:lifetime="perpetual", tlp:white
Date: 2022-06-23
Threat Level: Medium
Analysis: Completed
Distribution: All communities
Published: Yes (2022-08-17 17:18:47)
Attributes: 101 (10 objects)
First recorded change: 2022-06-23 13:08:58
Last change: 2022-06-23 13:24:07
Sightings: 0 (0), restricted to own organisation only


Related Events (organisation, event title, event date, number of correlating attributes)

  LUNCHBOX: Metasploit exploits with CVE assigned feed (2022-09-21, 1 correlation)
  CUDESO: Russia’s APT28 uses fear of nuclear war to spread Follina docs in Ukraine (2022-06-21, 11 correlations)
  abuse.ch: MalwareBazaar malware samples for 2022-06-20 (2022-06-20, 4 correlations)


Galaxies

Threat Actor 

  •  Sofacy   

Target Information 

  •  Ukraine   

Country 

  •  russia   


Attributes

All 101 attributes are dated 2022-06-23, carry distribution "Inherit" and have no sightings. The MISP category is given in parentheses after each object relation; event IDs in parentheses after a value are the related events that value correlates with.

Object: file (references: 1)
  filename (Payload delivery): 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933
  size-in-bytes (Other): 5433824 (5.18 MB)
  entropy (Other): 7.9971445004064
  md5 (Payload delivery): d3bddb5de864afd7e4f5e56027f4e5ea (1513, 2793)
  sha1 (Payload delivery): ebb0e34f44089fd4cc750b5fe0dcc14f6bb85a11 (2793)
  sha256 (Payload delivery): 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933 (1513, 2793)
  sha512 (Payload delivery): 2905af78720fccb1167811b871d0509a6200c9cdc920409c337d30bf89e0be9c77195919e59e67c39dea0f8881d64f272825434e9e9a546df1b74451ee1e13a6
  malware-sample (Payload delivery): 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933|d3bddb5de864afd7e4f5e56027f4e5ea (1513, 2793)
  mimetype (Artifacts dropped): PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
  ssdeep (Payload delivery): 98304:TtClVkoOSfJNp8FUcwti78OqJ7TPBLYVrsk9N8ivyhAdsPSQx3UGgdN:TlobhH8FUcwti7TQlgVN8iNIShN (2793)
Object: pe (references: 2)
  type (Other): exe
  entrypoint-address (Other): 4194304
  compilation-timestamp (Other): 2048-12-25T08:35:47.000000 (a date in the future, so not a real build time: deterministic .NET builds write a hash of the compilation into this field with the high bit set, which decodes to a date after 2038, and the field is trivially forged in any case)
  original-filename (Payload delivery): docx.exe
  internal-filename (Payload delivery): docx.exe
  file-description (Other): DocumentSaver
  file-version (Other): 1.0.0.0
  lang-id (Other): 000004b0
  product-name (Other): DocumentSaver
  product-version (Other): 1.0.0.0
  legal-copyright (Other): Copyright © 2022
  entrypoint-section-at-position (Other): .text|0
  number-sections (Other): 2
Object: pe-section
  name (Other): .rsrc (too many correlations to list)
  size-in-bytes (Other): 1024 (too many correlations to list)
  entropy (Other): 3.1296610663897
  md5 (Payload delivery): 5e813a8b2d0cb12dc8e7fc43e0149395
  sha1 (Payload delivery): bc5083093539e54d748dd602eb0571ee5656744c
  sha256 (Payload delivery): 6b330540046cfcc9d62b17ffbe2c15d5b6c7854a0ea16842cc99a05bb189fb78
  sha512 (Payload delivery): cd573468335c18df128bdba83002a71e275c8a1daed1cb2edbf4f0b919b593503b6898cf81b19afabb8aa40509f37099a50ef4bab0236848f63dbc8031f2d816
  ssdeep (Payload delivery): 12:Es9cmi3n6EtXRAHC5YArJyE60NaUGiq+jZAiN5prynthXF7YnqqD63JaMKPN5alQ:9cDR0EytrgjZhN4XFSD63fKPN8q
Object: pe-section
  name (Other): .text (too many correlations to list)
  size-in-bytes (Other): 5431296 (5.18 MB)
  entropy (Other): 7.9973059211035 (this section holds 5431296 of the file's 5433824 bytes at an entropy close to the maximum of 8, so almost the whole file is incompressible data, which points to a compressed or encrypted payload carried inside the assembly rather than plain IL code)
  md5 (Payload delivery): 2320acc1bfdb7507bd655f7c3753c2e4
  sha1 (Payload delivery): cfb20c4dbf2de009a1dccac68a4c822d02f7ae94
  sha256 (Payload delivery): 5653418e1ea815c908243332a9a7a82e0e0767a202899a2008ca2c21dc11861b
  sha512 (Payload delivery): 40b94a92923116d9b4b3886c4b10ab6979f8e4be238403bb169d1ec3c116d6fabc61ae776eb5cf0d09fe78911bb9f6bdcf27b7630f7559ae7597aa092b2087e1
  ssdeep (Payload delivery): 98304:gtClVkoOSfJNp8FUcwti78OqJ7TPBLYVrsk9N8ivyhAdsPSQx3UGgdv:globhH8FUcwti7TQlgVN8iNIShv
Object: passive-dns (references: 1; kitten-268.frge.io, enriched via the farsight_passivedns module; every value below is the result of an rrset lookup on DNSDB for that hostname)
  rdata (Other): 18.133.249.238
  count (Other): 88
  time_first (Other): 2022-06-20T20:54:14.000000
  time_last (Other): 2022-06-22T22:48:01.000000
  rrname (Other): kitten-268.frge.io.
  rrtype (Other): (empty)
  bailiwick (Network activity): frge.io
Object: url
  url (Network activity): http://kitten-268.frge.io/article.html (1513)
  host (Network activity): kitten-268.frge.io (1513)
  scheme (Other): http
Object: report
  link (External analysis): https://otx.alienvault.com/pulse/62b44a9d13580736f8547cb8
  link (External analysis): https://blog.malwarebytes.com/threat-intelligence/2022/06/russias-apt28-uses-fear-of-nuclear-war-to-spread-follina-docs-in-ukraine/ (1513)
  summary (Other): In a recent campaign, APT28, an advanced persistent threat actor linked with Russian intelligence, set its sights on Ukraine, targeting users with malware that steals credentials stored in browsers. APT28 (also known as Sofacy and Fancy Bear) is a notorious Russian threat actor that has been active since at least 2004 with its main activity being collecting intelligence for the Russian government. The group is known to have targeted US politicians, and US organizations, including US nuclear faci…
  type (Other): Blog post
Object: file (references: 1)
  filename (Payload delivery): daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01
  size-in-bytes (Other): 411760 (402.11 kB)
  entropy (Other): 7.9944351431945
  md5 (Payload delivery): eafa11070f213f16efc030f625a423d1 (1513)
  sha1 (Payload delivery): b1847c89143fad810b7a3686296b9c1e91ad087c
  sha256 (Payload delivery): daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01 (1513)
  sha512 (Payload delivery): 68a084c9a6dee3c315181c97e661454c61b442539f4875136828a87beef40ffff79a7f7c5df549890ce42ed636fa4404e673877379b849cd0e4e6c2ab2642d0a
  malware-sample (Payload delivery): daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01|eafa11070f213f16efc030f625a423d1 (1513)
  mimetype (Artifacts dropped): Microsoft Word 2007+
  ssdeep (Payload delivery): 6144:UOjcXgk3fb0pZmtcQPbfUNnweoafhcdP19F9vQZ/y7dmMcnFn5iQiM8poFDNsGrO:Rm4zmtVbC6P19Fa67dmxl5iNGFpd/LA
Object: vulnerability (references: 1; CVE-2022-30190, enriched via the cve_advanced module)
  id (External analysis): CVE-2022-30190 (1513, 1824)
  summary (Other): Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution Vulnerability.
  modified (Other): 2022-06-07T18:15:00.000000
  cvss-score (Other): 9.3
  published (Other): 2022-06-01T20:15:00.000000
  state (Other): Published
  references (External analysis):
    https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-30190
    http://packetstormsecurity.com/files/167438/Microsoft-Office-Word-MSDTJS-Code-Execution.html
  vulnerable_configuration (External analysis), CPE 2.3 strings:
    cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:-:sp2:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_rt_8.1:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_10:21h1:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_server_2022:-:*:*:*:*:*:*:*
    cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:arm64:*
    cpe:2.3:o:microsoft:windows_11:-:*:*:*:*:*:x64:*
    cpe:2.3:o:microsoft:windows_10:21h2:*:*:*:*:*:*:*
Object: vulnerability
  id (External analysis): CVE-2022-30190 (1513, 1824)
  state (Other): Published
Attributes not belonging to any object
  sha1 (Payload delivery): b1847c89143fad810b7a3686296b9c1e91ad087c
  md5 (Payload delivery): eafa11070f213f16efc030f625a423d1 (1513)
  sha1 (Payload delivery): ebb0e34f44089fd4cc750b5fe0dcc14f6bb85a11 (2793)
  sha256 (Payload delivery): 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933 (1513, 2793)
  sha256 (Payload delivery): daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01 (1513)
  hostname (Network activity): mail.sartoc.com
  ip-dst (Network activity): 144.208.77.68
  url (Network activity): http://kompartpomiar.pl/grafika/SQLite.Interop.dll (1513)
  url (Network activity): http://kompartpomiar.pl/grafika/docx.exe (1513)
  hostname (Network activity): www.specialityllc.com (1513)
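The indicators of this event matched against log lines, as an added example; it is not MISP code and not code from the Malwarebytes report. The indicator values are copied from the event above; the log lines and their key=value field names (query=, url=, sha256=, dst=) are constructed for the demonstration. The passive-DNS rdata 18.133.249.238 is kept in a separate "enrichment" tier because it was produced by the farsight_passivedns module rather than asserted by the analyst, and a firewall hit on it alone is much weaker evidence than a hit on an analyst-listed hash, hostname or URL.

```python
"""Match the indicators of MISP event 1250 against log lines.

Added example for this page, not MISP code and not code from the
Malwarebytes report. Indicator values are copied from the event; the log
lines and their key=value field names are constructed for the demo.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class Indicator:
    kind: str            # sha256 | md5 | sha1 | hostname | url | ip-dst
    value: str
    confidence: str      # "asserted": analyst attribute; "enrichment": module output
    related: tuple = ()  # related MISP event IDs shown next to the value on the page


INDICATORS = [
    # docx.exe, the PE32+ .NET assembly
    Indicator("sha256", "2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933", "asserted", (1513, 2793)),
    Indicator("md5", "d3bddb5de864afd7e4f5e56027f4e5ea", "asserted", (1513, 2793)),
    Indicator("sha1", "ebb0e34f44089fd4cc750b5fe0dcc14f6bb85a11", "asserted", (2793,)),
    # the Word 2007+ document
    Indicator("sha256", "daaa271cee97853bf4e235b55cb34c1f03ea6f8d3c958f86728d41f418b0bf01", "asserted", (1513,)),
    Indicator("md5", "eafa11070f213f16efc030f625a423d1", "asserted", (1513,)),
    Indicator("sha1", "b1847c89143fad810b7a3686296b9c1e91ad087c", "asserted"),
    # network indicators
    Indicator("url", "http://kitten-268.frge.io/article.html", "asserted", (1513,)),
    Indicator("hostname", "kitten-268.frge.io", "asserted", (1513,)),
    Indicator("url", "http://kompartpomiar.pl/grafika/docx.exe", "asserted", (1513,)),
    Indicator("url", "http://kompartpomiar.pl/grafika/SQLite.Interop.dll", "asserted", (1513,)),
    Indicator("hostname", "mail.sartoc.com", "asserted"),
    Indicator("hostname", "www.specialityllc.com", "asserted", (1513,)),
    Indicator("ip-dst", "144.208.77.68", "asserted"),
    # rdata returned by the farsight_passivedns module for kitten-268.frge.io
    Indicator("ip-dst", "18.133.249.238", "enrichment"),
]


def _norm_host(host: str) -> str:
    """Lower-case and drop the trailing dot that DNS logs and rrnames carry."""
    return host.strip().rstrip(".").lower()


def _norm_url(url: str) -> str:
    """Canonical scheme://host/path so case and a trailing-dot host still match."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{_norm_host(p.netloc)}{p.path or '/'}"


# Lookup tables keyed by the normalised form of each indicator value.
HASHES = {i.value.lower(): i for i in INDICATORS if i.kind in ("sha256", "md5", "sha1")}
HOSTS = {_norm_host(i.value): i for i in INDICATORS if i.kind == "hostname"}
URLS = {_norm_url(i.value): i for i in INDICATORS if i.kind == "url"}
IPS = {i.value: i for i in INDICATORS if i.kind == "ip-dst"}

_KV = re.compile(r"(\w+)=(\S+)")  # the constructed logs are key=value records


@dataclass(frozen=True)
class Hit:
    line_no: int
    field: str
    indicator: Indicator


def match_line(line_no: int, line: str) -> list:
    """Return every indicator hit in one log line."""
    hits = []
    for key, raw in _KV.findall(line):
        found = []
        if key in ("sha256", "md5", "sha1"):
            found.append(HASHES.get(raw.lower()))
        elif key == "query":
            found.append(HOSTS.get(_norm_host(raw)))
        elif key == "url":
            found.append(URLS.get(_norm_url(raw)))
            # a URL may also carry a listed hostname; report that as well
            found.append(HOSTS.get(_norm_host(urlparse(raw).netloc)))
        elif key == "dst":
            found.append(IPS.get(raw))
        hits.extend(Hit(line_no, key, ind) for ind in found if ind is not None)
    return hits


def scan(lines) -> list:
    """Scan an iterable of log lines; line numbers start at 1."""
    return [hit for n, line in enumerate(lines, 1) for hit in match_line(n, line)]


SAMPLE_LOG = [  # constructed lines, not real telemetry
    "2022-06-21T09:12:01Z dns client=10.0.0.5 query=KITTEN-268.frge.io. type=A",
    "2022-06-21T09:12:03Z proxy client=10.0.0.5 method=GET url=http://kompartpomiar.pl/grafika/docx.exe status=200",
    "2022-06-21T09:12:09Z edr endpoint=WS-07 process=docx.exe sha256=2318AE5D7C23BF186B88ABECF892E23CE199381B22C8EB216AD1616EE8877933",
    "2022-06-21T09:13:00Z fw src=10.0.0.5 dst=18.133.249.238 dport=80 action=allow",
    "2022-06-21T09:14:00Z dns client=10.0.0.6 query=www.example.com. type=A",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        i = h.indicator
        print(f"line {h.line_no}: {h.field}={i.value} [{i.kind}, {i.confidence}, related={i.related}]")
```

Hashes are compared case-insensitively and hostnames with the trailing dot stripped, because EDR and DNS telemetry rarely use the same casing and dot convention as the event. The related event IDs ride along on each hit so an analyst can pivot straight to the correlating MISP events (1513, 1824, 2793) without reopening the page.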