Home/ Threat Actors/ Berserk Bear

🇷🇺Berserk Bear

🇷🇺 Berserk Bear is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: State. We map 26 detection use cases to this actor across 77 MITRE ATT&CK techniques, with 1 threat-intel article citing them. Active in our corpus from 2026-05-22 to 2026-05-22.

crit 1

View full actor card → All threat actors MITRE ATT&CK group spec (G0035) ↗

26Use cases

1Articles

77Techniques

45IOCs

Known aliases

Berserk BearEnergetic BearDragonFlyCrouching YetiIron LibertyDragonflyTEMP.IsotopeDYMALLOYTG-4192IRON LIBERTYGhost BlizzardBROMINE

Top techniques

T1021.001 · Remote Desktop Protocol T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information

All other tracked techniques

T1003.002 · Security Account Manager T1003.003 · NTDS T1003.004 · LSA Secrets T1005 · Data from Local System T1006 · Direct Volume Access T1012 · Query Registry T1016 · System Network Configuration Discovery T1018 · Remote System Discovery T1033 · System Owner/User Discovery T1036.008 · Masquerade File Type T1036.010 · Masquerade Account Name T1053.005 · Scheduled Task T1059 · Command and Scripting Interpreter T1059.001 · PowerShell T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.006 · Python T1069.002 · Domain Groups T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1071.002 · File Transfer Protocols T1071.004 · DNS T1074.001 · Local Data Staging T1078 · Valid Accounts T1083 · File and Directory Discovery T1087.002 · Domain Account T1090.001 · Internal Proxy T1098.007 · Additional Local or Domain Groups T1105 · Ingress Tool Transfer T1110 · Brute Force T1110.002 · Password Cracking T1112 · Modify Registry T1113 · Screen Capture T1114.002 · Remote Email Collection T1133 · External Remote Services T1135 · Network Share Discovery T1136.001 · Local Account T1187 · Forced Authentication T1189 · Drive-by Compromise T1190 · Exploit Public-Facing Application T1195.002 · Compromise Software Supply Chain T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.002 · Malicious File T1210 · Exploitation of Remote Services T1218 · System Binary Proxy Execution T1219 · Remote Access Tools T1221 · Template Injection T1505.003 · Web Shell T1547.001 · Registry Run Keys / Startup Folder T1547.014 · Active Setup T1555.003 · Credentials from Web Browsers T1558.003 · Kerberoasting T1560 · Archive Collected Data T1562.001 · T1562.001 T1564.001 · Hidden Files and Directories T1564.002 · Hidden Users T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1569.002 · Service Execution T1572 · Protocol Tunneling T1583.001 · Domains T1583.003 · Virtual Private Server T1584.004 · Server T1588.002 · Tool T1591.002 · Business Relationships T1595.002 · Vulnerability Scanning T1598.002 · Spearphishing Attachment T1598.003 · Spearphishing Link T1608.004 · Drive-by Target T1685.005 · Clear Windows Event Logs T1686 · Disable or Modify System Firewall

Detection use cases (26)

Berserk Bear ICS reconnaissance: outlook.exe → LOLBin SMB enumeration of file shares AI · profile SDD Berserk Bear SMB credential-theft via forced authentication (T1187) to attacker-controlled responder AI · profile SΣDD PowerShell-parented taskkill of winrar.exe (Cloud Atlas LNK anti-forensic cleanup) Bespoke PowerShower dropped to user Pictures folder as googleearth.ps1 Bespoke SAM/SECURITY registry hives copied from VSS shadow to Public\Documents as .pdf Bespoke termsrv.dll patched (multi-RDP enabling) - takeown + binary write + TermService restart Bespoke OpenSSH reverse port-forward (-R) launched on a workstation - Cloud Atlas backup C2 Bespoke Beaconing — periodic outbound to small set of destinations Internal Network connections to article IPs / domains Internal Asset exposure — vulnerability matches article CVE(s) Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Remote service execution — PsExec / SMB lateral movement Internal 1Password failed sign-in burst MITRE match 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transition MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match

Threat-intel articles (1)

crit Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload · 2026-05-22

Tracked indicators

Domains (26)

agenciakharis.com.br allgoodsdirect.com.au alnakhlah.com.sa amerikastaj.com bigbang.me cloudguide.in firsai.tipshub.net fishingflytackle.com goverru.com humanitas.si internationalcommodities investika-club.com istochnik.org kommando.live kufar.org lafortunaitalian.co.uk landscapeuganda.com mamurjor.com onedrivesupport.net paleturquoise-dragonfly- spbnews.net tenkoff.org totallegacy.org ultimatecore.net wizzifi.com +1 more

IP addresses (19)

146.70.53.171 185.126.239.77 185.22.154.73 185.250.181.207 185.53.179.136 194.102.104.207 194.87.196.163 195.58.49.9 37.228.129.224 45.15.65.134 45.87.219.116 46.17.44.125 46.17.44.212 46.17.45.49 46.17.45.56 5.181.21.75 81.30.105.71 93.125.114.193 93.125.114.57

CVEs (1)

CVE-2018-0802