ELECTRUM

Threat Actor updated 4 days ago (2024-09-03T16:18:10.151Z)
Electrum is a threat actor that has been implicated in numerous cyber attacks, including those against Ukraine on February 1, 2022. These attacks were Bitcoin-themed and involved Electrum Bitcoin wallets, and similar attacks followed in April of the same year. Delivery relied on PDF documents that referenced Electrum Bitcoin wallets; JavaScript embedded in the documents downloaded an initial loader Trojan executable. This executable was signed with a certificate bearing the name "Electrum Technologies GmbH", further tying the activity to the Electrum name.

The malware used in these attacks focused heavily on financial data, in particular cryptocurrency wallets such as Coinbase, MetaMask, Wasabi, Binance, Daedalus, Electrum, Atomic, Harmony, Enjin, Hoo, Dapper, Coinomi, Trust, Blockchain, and XDeFI. Cyble's team also reported that Atomic Stealer, another malware variant, can target crypto wallets including Electrum, Binance, Exodus, Atomic, and Coinomi, and the new Atomic Stealer has leveraged several functions to steal browser data and wallet assets from Atomic, Exodus, Coinomi, and Electrum. This focus on crypto wallets means victims whose wallet information is compromised face a high risk of substantial financial loss.

Electrum has also been linked to power grid outages in Ukraine and other incidents, often operating alongside other threat groups such as Kamacite. Kamacite appears to specialize in gaining initial access before handing off to Electrum, which functions as an "ICS effects team". Increased activity from mature threat groups like ELECTRUM has been noted during periods of geopolitical tension, such as the Ukraine-Russia conflict and tensions between China and Taiwan.
Description last updated: 2024-09-03T16:16:35.612Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Kamacite | 2 | Kamacite, a threat actor believed to be a unit of the Russian military intelligence service (GRU), has been observed targeting infrastructure across Europe, Ukraine, and the United States. This group is primarily focused on gaining initial access to networks using an implant known as Cyclops Blink.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bitcoin
Malware
ICS
Firefox
Outlook
APT
Dragos
Chrome
Associated Malware
ID | Type | Votes | Profile Description
Amos | Unspecified | 2 | AMOS is a malicious software (malware) that targets Mac systems, with the ability to steal passwords, personal files, and cryptocurrency wallet information. It was first identified as part of the ClearFake campaign, which aimed to spread the macOS AMOS information stealer. The malware can infect bot
Associated Threat Actors
ID | Type | Votes | Profile Description
Sandworm | Unspecified | 3 | Sandworm, a Russia-linked threat actor group, has been implicated in a series of significant cyber-attacks targeting Ukraine's infrastructure. The group successfully compromised 11 Ukrainian telecommunication providers, demonstrating their extensive capabilities and the broad reach of their operatio
Source Document References
Information about the ELECTRUM threat actor was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Fortinet | 4 days ago | Emansrepo Stealer: Multi-Vector Attack Chains | FortiGuard Labs
Securityaffairs | 16 days ago | New malware Cthulhu Stealer targets Apple macOS users
Fortinet | 3 months ago | Fickle Stealer Distributed via Multiple Attack Chain | FortiGuard Labs
CERT-EU | a year ago | Atomic malware steals Mac passwords, crypto wallets, and more
BankInfoSecurity | 6 months ago | Defending Operational Technology Environments: Basics Matter
CERT-EU | 6 months ago | Dragos Reports Rise in Geopolitically Driven Attacks, Ransomware | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 6 months ago | New macOS malware ‘Atomic Stealer’ delivers triple dose of misery
Securityaffairs | 7 months ago | A Ukrainian Raccoon Infostealer operator is awaiting trial in the US
CERT-EU | 8 months ago | Windows SmartScreen flaw exploited to drop Phemedrone malware
Securityaffairs | 8 months ago | New Version of Meduza Stealer Released in Dark Web
Checkpoint | 9 months ago | Rhadamanthys v0.5.0 - a deep dive into the stealer’s components - Check Point Research
Securityaffairs | 9 months ago | ClearFake campaign spreads macOS AMOS information stealer
Checkpoint | a year ago | Behind the Scenes of BBTok: Analyzing a Banker’s Server Side Components - Check Point Research
Securityaffairs | a year ago | A malvertising campaign is delivering a new version of macOS Atomic Stealer
CERT-EU | a year ago | Safeguard Your Investments: Discover the Most Secure Brokers for Crypto Trading
CERT-EU | a year ago | Discover the New Stealer Malware on the Rise: Mystic Stealer
MITRE | 2 years ago | ELECTRUM Threat Group | Dragos
MITRE | 2 years ago | Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
CERT-EU | 2 years ago | Cyberattacks on Industrial Control Systems Jumped in 2022
CSO Online | 2 years ago | Attacks on industrial infrastructure on the rise, defenses struggle to keep up