Sandworm

Sandworm is a Russian state-sponsored threat actor associated with Russia’s military intelligence agency, the GRU, and specifically linked in the content to Unit 74455. Reported aliases include APT44, BE2, BlackEnergy / BlackEnergy Group, Blue Echidna, Electrum, FROZENBARENTS, Iridium, Iron Viking, Phantom, Quedagh, Seashell Blizzard, TeleBots, UAC-0113, Unit 74455, Voodoo Bear, and Sandworm Team. The group is described as active since 2014. The content associates Sandworm with cyber espionage and cyberwarfare operations and states that it has consistently targeted government bodies, energy firms, and research institutions, with a focus on intelligence collection. It is also linked to disruptive and destructive operations. In 2015, Sandworm attacked electrical distribution substations in Ukraine, causing power outages. During that operation, the group manipulated equipment, used malware to wipe Windows-based systems and impede recovery, and developed malicious firmware to brick serial-to-ethernet converters, creating loss-of-control conditions and forcing greater reliance on manual operations. During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load Industroyer at boot for persistence and replaced the ImagePath registry value of a Windows service with a backdoor binary. The content also attributes the 2018 Pyeongchang Winter Olympics OLYMPICDESTROYER attack to Sandworm, stating the group directly deployed the wiper, disabling Wi-Fi at the opening ceremony, disrupting the official ticketing system, affecting broadcast drone operations, compromising more than 300 systems, and requiring roughly 12 hours for restoration. More recent reporting in the content describes a Sandworm spear-phishing campaign using ZIP archives containing disguised LNK files. Opening the LNK triggers a multi-stage infection chain that extracts hidden payloads, runs a PowerShell control script, displays a decoy PDF, and establishes persistence via hidden scheduled tasks masquerading as legitimate applications such as Opera GX and Dropbox. A notable tradecraft evolution described is the use of dual-layer SSH-over-Tor tunneling: Tor hidden services expose internal services such as SMB and RDP, while SSH provides authenticated localhost-only remote access. Additional behaviors mentioned include Obfs4 traffic obfuscation, sandbox and virtual machine checks, mutex controls, cleanup of installation traces, and transmission of victim identification data to a hardcoded onion-based command-and-control server. The content further states that Sandworm has exploited CVE-2025-8088, a WinRAR vulnerability, and that in November 2025 a phishing wave targeting Ukraine delivered malware via RAR archives exploiting that flaw. Sandworm is also linked in the content to incidents affecting civilian infrastructure, including attribution by investigators connecting the Cyber Army of Russia Reborn to Sandworm in relation to a January 2024 water-sector incident in Muleshoe, Texas. Technique examples explicitly mentioned in the content include spear-phishing with malicious Office attachments and macros, staging trojanized legitimate software installers in forums for initial access, PowerShell execution, file enumeration on compromised hosts, and Active Directory discovery via LDAP queries to identify usernames.