ELECTRUM

Threat Actor Profile Updated a month ago
ELECTRUM is the name Dragos uses for the threat group it associates with the CRASHOVERRIDE (Industroyer) attack that disrupted part of Ukraine's power grid at the transmission-substation level in December 2016. Dragos links ELECTRUM to Sandworm and describes a division of labour with a second group, KAMACITE: KAMACITE gains initial access to victim networks and hands it off to ELECTRUM, which operates as an "ICS effects team" focused on disruptive effects against industrial control systems. ELECTRUM's activity is therefore state-aligned disruption and espionage tied to the Russia-Ukraine conflict, not financial cybercrime.
Two unrelated uses of the name "Electrum" appear in this profile's source corpus and should not be read as activity of the threat group. First, spear-phishing against organizations in Ukraine observed on February 1, 2022 used PDF delivery documents referencing Electrum Bitcoin wallets, similar to lures seen in attacks in April; the initial loader Trojan downloaded by JavaScript in the delivery document was signed with a certificate carrying "Electrum Technologies GmbH" in the organization field, and that loader served as the initial point of entry. Here "Electrum" is the wallet software, used as a lure theme and as a plausible-looking signer name; nothing in the cited OutSteel/SaintBot report ties that campaign to the Dragos-tracked group. Second, Atomic Stealer (AMOS), a macOS information stealer, targets cryptocurrency wallet applications including Electrum, Binance, Exodus, Atomic and Coinomi, and also steals browser data and passwords; a compromised wallet can mean direct financial loss for its owner. Other stealers in the source corpus likewise extract data from wallet apps including Atom, Armory, Electrum, Exodus, Jaxx, Ethereum and Monero, and target popular browsers and email clients. In all of these, Electrum is a target application or a lure, not the actor.
Rising tensions between Russia and Ukraine, and between China and Taiwan, have prompted mature threat groups such as ELECTRUM to escalate their activity; Dragos reports a corresponding increase in targeted cyber-espionage against industrial organizations in the Asia-Pacific region and the United States.
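The signed-loader detail above gives a defender one concrete thing to check: the Organization field of the signer's certificate. The following is an added example, not code from this profile or from any vendor it cites. It parses RFC 4514 subject strings (as printed by `openssl x509 -noout -subject -nameopt RFC2253`) and flags organization names that collide with cryptocurrency-wallet brand names. The sample subjects are constructed; only the string "Electrum Technologies GmbH" comes from the profile text, and the issuer details, locations and `Contoso` entry are invented.

```python
"""Triage check for code-signing certificates whose Organization field collides
with a cryptocurrency-wallet brand name.

Added example; not code from this profile or from any cited vendor. Input is the
RFC 4514 subject string of a signer certificate, e.g. as printed by
`openssl x509 -noout -subject -nameopt RFC2253`. Sample subjects are constructed;
only the string "Electrum Technologies GmbH" comes from the profile text.
"""
import re
from typing import Dict, FrozenSet, List

# Wallet brands named as lure themes or stealer targets in the profile text.
WALLET_BRANDS = ("electrum", "exodus", "atomic", "coinomi", "binance", "jaxx", "armory")


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas that are neither backslash-escaped nor inside double
    quotes, unescaping as we go. Multi-valued RDNs joined with '+' are not split."""
    parts: List[str] = []
    buf: List[str] = []
    quoted = False
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):      # escaped char: keep it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == '"':
            quoted = not quoted                # drop the quotes, track state
        elif c == "," and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Map attribute types (upper-cased, e.g. 'O', 'CN') to their values."""
    attrs: Dict[str, List[str]] = {}
    for rdn in split_rdns(dn):
        key, sep, value = rdn.partition("=")
        if not sep:
            continue                           # malformed RDN, ignore
        attrs.setdefault(key.strip().upper(), []).append(value.strip())
    return attrs


def brand_collisions(org: str) -> List[str]:
    """Whole-word matches of wallet brands inside an organization name."""
    words = set(re.findall(r"[a-z0-9]+", org.lower()))
    return [b for b in WALLET_BRANDS if b in words]


def assess_signer(dn: str, trusted_orgs: FrozenSet[str] = frozenset()) -> dict:
    """Flag a signer whose O= value collides with a wallet brand unless that exact
    organization string is on a verified allowlist (built from known-good installers)."""
    orgs = parse_dn(dn).get("O", [])
    hits = [b for o in orgs for b in brand_collisions(o)]
    allowlisted = any(o in trusted_orgs for o in orgs)
    return {"organization": orgs,
            "brand_collisions": hits,
            "suspicious": bool(hits) and not allowlisted}


# Constructed sample subjects (hypothetical issuer details and locations).
SAMPLE_SIGNERS = [
    "CN=Electrum Technologies GmbH, O=Electrum Technologies GmbH, L=Berlin, C=DE",
    "CN=Contoso Ltd, O=Contoso Ltd, C=US",
    r'CN=Exodus\, Inc., O="Exodus, Inc.", C=US',
]

if __name__ == "__main__":
    for dn in SAMPLE_SIGNERS:
        print(assess_signer(dn))
```

A brand collision is a triage signal, not proof: a legitimate vendor also signs with its own name, so confirm the issuer chain and certificate thumbprint against signers you have verified from known-good installers before acting on a hit, and pass those verified organization strings as `trusted_orgs`.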
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Kamacite (2 votes): Kamacite, a threat actor believed to be a unit of the Russian military intelligence service (GRU), has been observed targeting infrastructure across Europe, Ukraine, and the United States. This group is primarily focused on gaining initial access to networks using an implant known as Cyclops Blink.
Seashell Blizzard (1 vote): Seashell Blizzard, also known as Iridium, Sandworm, Voodoo Bear, and APT44, is a state-sponsored threat actor group affiliated with the Russian military intelligence service (GRU). Microsoft has identified this group as distinct from other Advanced Persistent Threat (APT) groups operating under the
IRON VIKING (1 vote): Iron Viking, a threat actor group also known as Sandworm, Telebots, Voodoo Bear, and other names, has been active since 2000. This group operates under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Iron Viking is notorious for its destructive cyber-espi
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Bitcoin, ICS, APT, malware, Firefox, Chrome, Dragos, Outlook, industrial, reconnaissance, Atom, implant, Ukraine, infiltration
Associated Malware
AMOS (type unspecified, 2 votes): AMOS is a malicious software (malware) that targets Mac systems, with the ability to steal passwords, personal files, and cryptocurrency wallet information. It was later distributed by the ClearFake campaign, which used fake browser-update pages to spread the macOS AMOS information stealer. The malware can infect bot
Atomic Stealer (type unspecified, 1 vote): Atomic Stealer (AMOS) is a macOS information stealer sold as malware-as-a-service and delivered through malvertising, cracked-software downloads, and fake update pages. It is designed to steal browser data, passwords, personal files, and cryptocurrency wallet information rather than to disrupt systems or hold data for ransom. A new version
CrashOverride (type unspecified, 1 vote): CrashOverride, also known as Industroyer, is a notorious malware that was leveraged in 2016 to disrupt Ukraine's power grid at the transmission substation level. This malicious software, believed to be state-sponsored by Russia, manipulated Industrial Control Systems (ICS) equipment through the abus
Cyclops Blink (type unspecified, 1 vote): "Cyclops Blink" is a type of modular malware that emerged in 2019, designed to target network infrastructure. It was dubbed the "Son of VPNFilter" due to its similarities with the latter campaign. Specifically crafted to run on Linux systems, particularly those with 32-bit PowerPC architecture, Cycl
Associated Threat Actors
Sandworm (type unspecified, 3 votes): Sandworm, a threat actor linked to Russia, has been implicated in numerous high-profile cyber attacks. This group's activities have primarily targeted Ukraine, compromising the country's critical infrastructure and telecommunications providers. The Sandworm group is known for its fileless attack met
Hades (type unspecified, 1 vote): Hades is a notable threat actor, known for its distinctive tactics and infrastructure in executing cyber attacks. The cybersecurity industry first observed Hades' operations in June 2021, with its activities marked by the use of advanced tools such as Advanced Port Scanner, MegaSync, Rclone, and Mal
Telebots (type unspecified, 1 vote): TeleBots, a notorious threat actor group also known as Sandworm, BlackEnergy, Iron Viking, Voodoo Bear, and Seashell Blizzard, has been identified as operating under the control of Unit 74455 of the Russian GRU's Main Center for Special Technologies (GTsST). Active since 2000, the group is recognize
Voodoo Bear (type unspecified, 1 vote): VOODOO BEAR, also known as Sandworm, Seashell Blizzard, and other names such as Iridium, Iron Viking, Telebots, and APT44, is a highly advanced threat actor with a suspected nexus to the Russian Federation. First identified in January 2018, this group has been active since 2000 and operates under th
XENOTIME (type unspecified, 1 vote): XENOTIME is a threat actor group that has been active since at least 2014 and is best known for the 2017 TRITON (TRISIS) attack on a Triconex safety instrumented system. The group was initially referred to as TEMP.Veles by FireEye, which later also used the label "TRITON actor". Meanwhile, cybersecurity firm Drago
Sandworm Team (type unspecified, 1 vote): The Sandworm Team, a threat actor associated with Russia's military intelligence-linked group, has demonstrated significant capabilities in developing custom malware to target Operational Technology (OT) and Industrial Control Systems (ICSs). Since at least 2015, the team has used the "BlackEnergy"
Associated Vulnerabilities
No associated vulnerabilities to display.
Source Document References
Information about the ELECTRUM threat actor was read from the documents corpus below (display limited to 20 results).
Fortinet (a month ago): Fickle Stealer Distributed via Multiple Attack Chain | FortiGuard Labs
CERT-EU (a year ago): Atomic malware steals Mac passwords, crypto wallets, and more
BankInfoSecurity (5 months ago): Defending Operational Technology Environments: Basics Matter
CERT-EU (5 months ago): Dragos Reports Rise in Geopolitically Driven Attacks, Ransomware | National Cyber Security Consulting
CERT-EU (5 months ago): New macOS malware 'Atomic Stealer' delivers triple dose of misery
Securityaffairs (5 months ago): A Ukrainian Raccoon Infostealer operator is awaiting trial in the US
CERT-EU (6 months ago): Windows SmartScreen flaw exploited to drop Phemedrone malware
Securityaffairs (7 months ago): New Version of Meduza Stealer Released in Dark Web
Checkpoint (7 months ago): Rhadamanthys v0.5.0 - a deep dive into the stealer's components - Check Point Research
Securityaffairs (8 months ago): ClearFake campaign spreads macOS AMOS information stealer
Checkpoint (10 months ago): Behind the Scenes of BBTok: Analyzing a Banker's Server Side Components - Check Point Research
Securityaffairs (a year ago): A malvertising campaign is delivering a new version of macOS Atomic Stealer
CERT-EU (a year ago): Safeguard Your Investments: Discover the Most Secure Brokers for Crypto Trading
CERT-EU (a year ago): Discover the New Stealer Malware on the Rise: Mystic Stealer
MITRE (a year ago): ELECTRUM Threat Group | Dragos
MITRE (a year ago): Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot
CERT-EU (a year ago): Cyberattacks on Industrial Control Systems Jumped in 2022
CSO Online (a year ago): Attacks on industrial infrastructure on the rise, defenses struggle to keep up
CERT-EU (a year ago): Hackers again use Google Ads to distribute FatalRAT malware (original title in Russian: Хакеры снова используют Google Ads для распространения зловредного ПО FatalRAT)
CERT-EU (a year ago): APT Profile: Sandworm - SOCRadar® Cyber Intelligence Inc.