Home/ Threat Actors/ Sandworm

🇷🇺Sandworm

🇷🇺 Sandworm is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: State. We map 26 detection use cases to this actor across 121 MITRE ATT&CK techniques, with 12 threat-intel articles citing them. Active in our corpus from 2025-11-06 to 2026-05-28.

crit 9high 3

View full actor card → All threat actors MITRE ATT&CK group spec (G0034) ↗

26Use cases

12Articles

121Techniques

14IOCs

Known aliases

SandwormVoodoo BearTeleBotsBlackEnergy GroupIron VikingSeashell BlizzardGRU Unit 74455Sandworm TeamELECTRUMTelebotsIRON VIKINGBlackEnergy (Group)QuedaghIRIDIUMFROZENBARENTSAPT44

Top techniques

T1190 · Exploit Public-Facing Application T1059.001 · PowerShell T1204.002 · Malicious File

All other tracked techniques

T1003 · OS Credential Dumping T1003.001 · LSASS Memory T1003.003 · NTDS T1003.007 · Proc Filesystem T1005 · Data from Local System T1018 · Remote System Discovery T1021.002 · SMB/Windows Admin Shares T1027 · Obfuscated Files or Information T1027.002 · Software Packing T1027.009 · Embedded Payloads T1027.010 · Command Obfuscation T1033 · System Owner/User Discovery T1036 · Masquerading T1036.005 · Match Legitimate Resource Name or Location T1040 · Network Sniffing T1041 · Exfiltration Over C2 Channel T1047 · Windows Management Instrumentation T1049 · System Network Connections Discovery T1053.005 · Scheduled Task T1056.001 · Keylogging T1059 · Command and Scripting Interpreter T1059.003 · Windows Command Shell T1059.005 · Visual Basic T1059.007 · JavaScript T1070.004 · File Deletion T1071 · Application Layer Protocol T1071.001 · Web Protocols T1071.004 · DNS T1072 · Software Deployment Tools T1078 · Valid Accounts T1078.002 · Domain Accounts T1078.004 · Cloud Accounts T1082 · System Information Discovery T1083 · File and Directory Discovery T1087.002 · Domain Account T1087.003 · Email Account T1090 · Proxy T1090.001 · Internal Proxy T1090.002 · External Proxy T1098.001 · Additional Cloud Credentials T1102.002 · Bidirectional Communication T1102.003 · One-Way Communication T1105 · Ingress Tool Transfer T1106 · Native API T1124 · System Time Discovery T1132.001 · Standard Encoding T1133 · External Remote Services T1140 · Deobfuscate/Decode Files or Information T1176 · Software Extensions T1195 · Supply Chain Compromise T1195.002 · Compromise Software Supply Chain T1199 · Trusted Relationship T1203 · Exploitation for Client Execution T1204.001 · Malicious Link T1204.004 · Malicious Copy and Paste T1213.006 · Databases T1218 · System Binary Proxy Execution T1218.011 · Rundll32 T1219 · Remote Access Tools T1485 · Data Destruction T1486 · Data Encrypted for Impact T1489 · Service Stop T1490 · Inhibit System Recovery T1491.002 · External Defacement T1498 · Network Denial of Service T1499 · Endpoint Denial of Service T1505.003 · Web Shell T1528 · Steal Application Access Token T1529 · System Shutdown/Reboot T1539 · Steal Web Session Cookie T1543.001 · Launch Agent T1543.002 · Systemd Service T1546 · Event Triggered Execution T1546.016 · Installer Packages T1547.001 · Registry Run Keys / Startup Folder T1552.001 · Credentials In Files T1554 · Compromise Host Software Binary T1555 · Credentials from Password Stores T1555.003 · Credentials from Web Browsers T1558 · Steal or Forge Kerberos Tickets T1561.001 · Disk Content Wipe T1561.002 · Disk Structure Wipe T1566 · Phishing T1566.001 · Spearphishing Attachment T1566.002 · Spearphishing Link T1566.004 · Spearphishing Voice T1567 · Exfiltration Over Web Service T1567.002 · Exfiltration to Cloud Storage T1568 · Dynamic Resolution T1568.002 · Domain Generation Algorithms T1569.002 · Service Execution T1570 · Lateral Tool Transfer T1571 · Non-Standard Port T1572 · Protocol Tunneling T1574.002 · T1574.002 T1583 · Acquire Infrastructure T1583.001 · Domains T1583.003 · Virtual Private Server T1583.004 · Server T1584.004 · Server T1584.005 · Botnet T1585.001 · Social Media Accounts T1585.002 · Email Accounts T1586.001 · Social Media Accounts T1587.001 · Malware T1588.002 · Tool T1588.006 · Vulnerabilities T1589.002 · Email Addresses T1589.003 · Employee Names T1590.001 · Domain Properties T1591.002 · Business Relationships T1592.002 · Software T1593 · Search Open Websites/Domains T1594 · Search Victim-Owned Websites T1595.002 · Vulnerability Scanning T1598.003 · Spearphishing Link T1608.001 · Upload Malware T1680 · Local Storage Discovery

Detection use cases (26)

Sandworm GPO-Deployed Wiper via Task Scheduler Fan-Out from SYSVOL / C:\Windows Root AI · profile SΣDD HermeticWiper / Sandworm EaseUS Partition Driver Loaded by Non-Vendor Process AI · profile SΣDD NoName057(16) DDoSia client check-in (/client/login, /client/get_targets) Bespoke World Cup 2026 themed lookalike / typosquat domain resolution by corporate hosts Bespoke Beaconing — periodic outbound to small set of destinations Internal Infostealer — non-browser process accessing browser cookie/login DBs Internal Phishing-link click correlated to endpoint execution Internal Email attachment opened from external sender Internal Office app spawning script/LOLBin child process Internal Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator Internal RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Internal Ransomware-style mass file rename / extension change Internal LSASS process access / dump (credential theft) Internal Remote service execution — PsExec / SMB lateral movement Internal 1Password impossible-travel sign-in MITRE match Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) MITRE match Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match

Threat-intel articles (12)

crit 2026 World Cup: Discussing The World’s Biggest Game’s Attack Surface · 2026-05-28

crit ESET APT Activity Report Q4 2025–Q1 2026 · 2026-05-28

crit Mini Shai-Hulud strikes again: npm worm compromises hundreds of @antv packages · 2026-05-19

crit Mini Shai-Hulud Hits AntV: 300+ Malicious npm Packages Published via Compromised Maintainer Account · 2026-05-18

crit TeamPCP's Mini Shai-Hulud Is Back: A Self-Spreading Supply Chain Attack Compromises TanStack npm Packages · 2026-05-12

crit Shai-Hulud Worm Pivots to Multi-Cloud: intercom-client@7.0.4 Hijacked — 361,000 Weekly Downloads, AWS, GCP, and Azure Credentials Now in Scope · 2026-05-04

high "A Mini Shai-Hulud Has Appeared": Bun-Based Stealer Hits SAP @cap-js and mbt npm Packages · 2026-04-29

high Is Shai-Hulud Back? Compromised Bitwarden CLI Contains a Self-Propagating npm Worm · 2026-04-23

crit DynoWiper update: Technical analysis and attribution · 2026-01-30

high ESET Research: Sandworm behind cyberattack on Poland’s power grid in late 2025 · 2026-01-23

crit The who, where, and how of APT attacks in Q2 2025–Q3 2025 · 2025-11-07

crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06

Tracked indicators

Domains (11)

api.masscan.cloud audit.checkmarx.cx esetremover.com esetscanner.com esetsmart.com filev2.getsession.org git-tanstack.com litter.catbox.moe m-kosche.com progamevl.ru t.m-kosche.com

IP addresses (3)

185.95.159.32 31.172.71.5 83.142.209.194

CVEs (3)

CVE-2024-42009 CVE-2025-8088 CVE-2026-45321