Dragonfly

Threat Actor Profile Updated 3 months ago
Download STIX
Preview STIX
Dragonfly is a notable threat actor known for its malicious activities in the cybersecurity landscape. This group has been particularly active in targeting the energy sector across various countries, including the United States, Switzerland, and Turkey. The tactics employed by Dragonfly often involve traditional IT attack vectors, affecting both IT and OT environments. Notably, Dragonfly was involved in a series of watering hole attacks in 2017, as reported by Symantec. This same technique was observed again in subsequent instances, highlighting the group's consistent approach to cyber warfare. In July 2023, Trail of Bits conducted a comprehensive review of the Dragonfly codebase. Their findings were published in a report which included a maturity evaluation of the codebase, a list of identified code quality issues, and guidance for running static and dynamic analysis tooling on the Dragonfly codebase. Notably, the MD5 hash of “scr.exe” matched that of ScreenUtil, aligning with details from the Symantec Dragonfly 2.0 report. In at least two instances, the threat actors used batch scripts labeled “pss.bat” and “psc.bat” to run the PsExec tool, revealing their modus operandi. Dragonfly is also linked to a peer-to-peer file distribution and image acceleration system, which is a CNCF-hosted project. It features integrity checking for downloaded files, download speed limiting, the ability to isolate abnormal peers, and a public registry of artifacts aimed at being “the trusted cloud native repository for Kubernetes.” A subproject of Dragonfly, Nydus, implements a content-addressable filesystem to enable high-efficiency distribution for cloud-native resources. However, security companies like Harpie, supported by Coinbase Ventures and Dragonfly Capital, are working diligently to counteract these threats and secure the cyber landscape.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Havex
2
Havex, also known as Dragonfly or the Energetic Bear RAT, is a prominent threat actor in the cybersecurity landscape. First spotted in 2013, Havex was part of a broad industrial espionage campaign that specifically targeted Supervisory Control and Data Acquisition (SCADA) and Industrial Control Syst
Energetic Bear
2
Energetic Bear, also known as DragonFly, Crouching Yeti, and Berserk Bear, is a threat actor that has been operational since at least 2011. The group has been linked to various cyber-espionage campaigns targeting the energy sector in Europe and North America, with the primary focus on defense and av
Crouching Yeti
1
Crouching Yeti, also known as Iron Liberty, TG-4192, Energetic Bear, and Dragonfly, is a threat actor group that has been active since at least 2010. This group primarily targets the energy sector, with a specific focus on industrial control systems (ICS). Crouching Yeti's activities are part of a b
Emperor Dragonfly
1
Emperor Dragonfly, also known as Bronze Starlight or Storm-0401, is a threat actor group linked to China that has been identified as deploying various ransomware payloads. This group targets sectors such as gambling within Southeast Asia. The cybersecurity industry uses different names for the same
Bronze Starlight
1
Bronze Starlight, a Chinese threat actor group, has been linked to various malicious activities in the cybersecurity landscape. The group is known for deploying different types of ransomware payloads, including traditional ransomware schemes such as LockFile and name-and-shame models. Bronze Starlig
Grizzly Steppe
1
None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Espionage
State Sponso...
Symantec
russian
Industrial
Malware
Encryption
Rat
Spam
Russia
Spearphishing
Sentinelone
Exploit Kit
Kubernetes
Exploits
Ics
Dragos
Backdoor
Exploit
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
FlameUnspecified
1
Flame is a sophisticated form of malware, designed to exploit and damage computer systems. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once embedded, Flame has the ability to steal personal information, disrupt operations, or hold data
Trojan.KaraganyUnspecified
1
Trojan.Karagany is a type of malware used by the hacking group Dragonfly to target energy companies in the United States, Spain, France, Italy, Germany, Turkey, and Poland. It is a trojan that can infect computer systems through suspicious downloads, emails, or websites, without the user's knowledge
Backdoor.OldreaUnspecified
1
None
StuxnetUnspecified
1
Stuxnet, a notorious malware discovered in 2010, is one of the most infamous Advanced Persistent Threat (APT) attacks in history. This military-grade cyberweapon was co-developed by the United States and Israel to specifically target Iran's nuclear enrichment facility at Natanz. The Stuxnet worm, a
DolphinUnspecified
1
Dolphin is a malicious software (malware) that was reportedly used by an unidentified group against South Korea in December 2022. The malware, named after the codenames of Xerox PARC's range of workstations which all began with the letter D, including Dolphin, Dorado, Dicentra, and others, infiltrat
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
DYMALLOYUnspecified
1
DYMALLOY is a long-standing threat actor that employs a range of tactics to target industrial organizations, including spear-phishing and watering hole attacks. The group has been active since at least 2015 and has been associated with activity going back to 2011. DYMALLOY's attacks have successfull
Berserk Bear, Energetic BearUnspecified
1
Berserk Bear and Energetic Bear are two of the most notorious threat actors in the cybersecurity world. Berserk Bear is a group believed to be linked to the Russian government, and they are known for carrying out cyber espionage operations against various countries. Energetic Bear, on the other hand
Berserk BearUnspecified
1
None
HeriplorUnspecified
1
Heriplor, a notable threat actor in the cybersecurity landscape, has been associated with multiple malicious campaigns involving the use of advanced Trojans. The entity is particularly linked to the Dragonfly 2.0 campaign, where it utilized both the Heriplor and Karagany Trojans, which were also emp
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
Dragonfly/energeticUnspecified
1
None
Source Document References
Information about the Dragonfly Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
CERT-EU
5 months ago
How to make the Internet and Wi-Fi in Infinite Craft
CERT-EU
6 months ago
How To Combat the Mounting ‘Hacktivist’ Threat
CERT-EU
7 months ago
Securing open-source infrastructure with OSTIF
CERT-EU
8 months ago
Today’s Hyper-Connected Network Systems Face Myriad Security Challenges
CERT-EU
8 months ago
Harpie Launches Proactive Mechanism to Stop Crypto Theft
CERT-EU
8 months ago
Revival of Medley/Interlisp: Elegant weapon gets sharpened
CERT-EU
9 months ago
Weaponizing Wheat: How Strategic Competition With Russia Could Threaten American Food Security – Analysis
CERT-EU
9 months ago
Search | arXiv e-print repository
CERT-EU
9 months ago
The Urgency for Robust Utility Cybersecurity
CERT-EU
10 months ago
The Fiji Times » Cybersecurity | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU
10 months ago
'Redfly' hackers infiltrated power supplier's network for 6 months
DARKReading
a year ago
A Brief History of ICS-Tailored Attacks
CERT-EU
a year ago
China-Linked Bronze Starlight Group Targeting Gambling Sector with Cobalt Strike Beacons – GIXtools
CERT-EU
a year ago
Rising supply chain attacks | Professional Security
CERT-EU
a year ago
Perth's Trinity Networks partners with Fast50 company DragonFly
CERT-EU
a year ago
Links 13/07/2023: Wireshark 4.0.7 and BeagleV-Ahead
CERT-EU
a year ago
Amber Group Achieves Triple ISO Certification for Information Security and Privacy Protection
MITRE
a year ago
Four Russian Government Employees Charged in Two Historical Hacking
MITRE
a year ago
Hackers Have Penetrated Energy Grid, Symantec Warns
MITRE
a year ago
Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets | CISA