Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Dragonfly

🇷🇺Dragonfly

🇷🇺 Dragonfly is a tracked threat actor in the Clankerusecase corpus. RU-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 56 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0035) ↗
14Use cases
0Articles
56Techniques
0IOCs

About this actor (MITRE)

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, [Dragonfly](https://attack.mitre.org/groups/G0035) has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Drag

Known aliases

DragonflyTEMP.IsotopeDYMALLOYBerserk BearTG-4192Crouching YetiIRON LIBERTYEnergetic BearGhost BlizzardBROMINE

Top techniques

T1003.002 · Security Account ManagerT1003.003 · NTDST1003.004 · LSA Secrets

All other tracked techniques

T1005 · Data from Local SystemT1012 · Query RegistryT1016 · System Network Configuration DiscoveryT1018 · Remote System DiscoveryT1021.001 · Remote Desktop ProtocolT1033 · System Owner/User DiscoveryT1036.010 · Masquerade Account NameT1053.005 · Scheduled TaskT1059 · Command and Scripting InterpreterT1059.001 · PowerShellT1059.003 · Windows Command ShellT1059.006 · PythonT1069.002 · Domain GroupsT1070.004 · File DeletionT1071.002 · File Transfer ProtocolsT1074.001 · Local Data StagingT1078 · Valid AccountsT1083 · File and Directory DiscoveryT1087.002 · Domain AccountT1098.007 · Additional Local or Domain GroupsT1105 · Ingress Tool TransferT1110 · Brute ForceT1110.002 · Password CrackingT1112 · Modify RegistryT1113 · Screen CaptureT1114.002 · Remote Email CollectionT1133 · External Remote ServicesT1135 · Network Share DiscoveryT1136.001 · Local AccountT1187 · Forced AuthenticationT1189 · Drive-by CompromiseT1190 · Exploit Public-Facing ApplicationT1195.002 · Compromise Software Supply ChainT1203 · Exploitation for Client ExecutionT1204.002 · Malicious FileT1210 · Exploitation of Remote ServicesT1221 · Template InjectionT1505.003 · Web ShellT1547.001 · Registry Run Keys / Startup FolderT1560 · Archive Collected DataT1564.002 · Hidden UsersT1566.001 · Spearphishing AttachmentT1583.001 · DomainsT1583.003 · Virtual Private ServerT1584.004 · ServerT1588.002 · ToolT1591.002 · Business RelationshipsT1595.002 · Vulnerability ScanningT1598.002 · Spearphishing AttachmentT1598.003 · Spearphishing LinkT1608.004 · Drive-by TargetT1685.005 · Clear Windows Event LogsT1686 · Disable or Modify System Firewall

Detection use cases (14)

Dragonfly (Berserk Bear) Phishery template-injection forced auth: Office process initiating outbound SMB to external IP AI · profile SΣDD Dragonfly registry-hive credential extraction: reg.exe save of SAM/SECURITY/SYSTEM AI · profile SΣDD 1Password failed sign-in burst MITRE match 1Password impossible-travel sign-in MITRE match AI-Agent Server (PraisonAI/MCP) Spawns OS Shell or Recon LOLBin — Unauthenticated RCE Exploitation MITRE match AI/LLM Agent Framework Runtime Spawning Shell, Recon, or Egress Child Process MITRE match AI/LLM Framework Web Service Spawns Shell or Network Tool (Agent-Framework Unauthenticated RCE) MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Exposed AI Agent/LLM Service Spawns Shell or LOLBin After Inbound Connection MITRE match