Pteranodon

Malware Profile Updated 3 months ago
Download STIX
Preview STIX
Pteranodon is a custom backdoor malware that has been linked to the cyber espionage group known as Gamaredon (also referred to as Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa). This group has been active since 2014, with its activities primarily focused on Ukraine. Pteranodon infiltrates systems and can execute various tasks such as capturing screenshots based on a configuration file created on the disk. It has been observed to be distributed using a new PowerShell script in recent attacks. The malware was initially identified in an SFX file, containing a new Trojan we refer to as "Pteranodon". The earliest version of Pteranodon utilizes a hardcoded URL for command and control. More samples of Pteranodon can be found using the Pteranodon tag in AutoFocus, a threat intelligence tool developed by Palo Alto Networks. Gamaredon's use of the multistage backdoor Pteranodon underscores the persistent cyber threats faced by Ukraine. The group continues to evolve its strategies, employing new variants of the Pteranodon implant in their operations. Organizations are advised to stay vigilant against these threats by ensuring robust cybersecurity measures and regularly updating their systems to counteract such malicious software.
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Ukraine
Russia
Trojan
Rat
Implant
russian
Malware
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
GamaredonUnspecified
1
Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Trident UrsaUnspecified
1
Trident Ursa, also known as Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear, and UAC-0010, is a threat actor attributed to Russia's Federal Security Service by the Security Service of Ukraine. This group has been active since 2014, primarily focusing on Ukrainian entities such as governme
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Pteranodon Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
Securityaffairs
8 months ago
Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine
Securityaffairs
a year ago
Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise
Securityaffairs
a year ago
Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine
MITRE
a year ago
Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine
MITRE
a year ago
The Gamaredon Group Toolset Evolution
MITRE
a year ago
Ukraine links members of Gamaredon hacker group to Russian FSB