Trident Ursa

Threat Actor Profile Updated 3 months ago
Trident Ursa, also known as Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear, and UAC-0010, is a threat actor that the Security Service of Ukraine has attributed to Russia's Federal Security Service (FSB). The group has been active since 2014 and focuses primarily on Ukrainian targets: government employees, journalists, military personnel, and security services.

Its operations rely on phishing emails, and the group uses various techniques to limit who can reach the URLs that host its payloads. It has been observed using a multistage backdoor named Pteranodon (also called Pterodo) that executes payloads received from its command and control (C2) server. The group's activity has not slowed since its inception; it continues to target Ukrainian security services, military, and government organizations.

The group's latest phishing documents have low detection rates on VirusTotal, likely because they are so simple. The initial VBScript establishes persistent access by creating a Windows scheduled task and a registry key, both techniques Trident Ursa uses routinely. Trident Ursa does not rely on sophisticated or novel tooling; its success comes from agility and adaptability. Defending against it therefore calls for a security posture that favors prevention over after-the-fact cleanup, since prevention is the most effective defense against persistent threats of this kind.
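The persistence pattern described above (a VBScript that registers a scheduled task and a Run key) is something a defender can hunt for in Windows telemetry. The detector below is an added example written for this page, not code from Unit42, Cybergeist or any vendor report. It assumes events have already been parsed out of the Security log (event 4698, scheduled task created, which carries the task's XML in TaskContent) and Sysmon (event 13, registry value set, with TargetObject and Details) into plain dictionaries keyed by those field names; the sample events, task names, paths and SID are constructed for illustration and are not indicators from any report.

```python
import re
import xml.etree.ElementTree as ET

# Script hosts and script extensions typical of VBScript-based persistence.
SCRIPT_PATTERN = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b|\.vb[se]\b", re.IGNORECASE)
# Per-user and machine-wide autostart keys (the "registry key" half of the persistence).
RUN_KEY_PATTERN = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)


def _local_name(tag):
    """Drop the Task Scheduler XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def task_actions(task_xml):
    """Return (command, arguments) pairs for every Exec action in a task's XML body."""
    actions = []
    for elem in ET.fromstring(task_xml).iter():
        if _local_name(elem.tag) != "Exec":
            continue
        fields = {_local_name(child.tag): (child.text or "").strip() for child in elem}
        actions.append((fields.get("Command", ""), fields.get("Arguments", "")))
    return actions


def inspect_event(event):
    """Return a finding string for one event, or None if it does not match."""
    if event.get("Provider") == "Security" and event.get("EventID") == 4698:
        for cmd, args in task_actions(event["TaskContent"]):
            if SCRIPT_PATTERN.search(f"{cmd} {args}"):
                return f"scheduled task {event['TaskName']} runs a script host: {cmd} {args}"
    elif event.get("Provider") == "Sysmon" and event.get("EventID") == 13:
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if RUN_KEY_PATTERN.search(target) and SCRIPT_PATTERN.search(details):
            return f"Run key {target} launches a script: {details}"
    return None


def scan(events):
    """Run inspect_event over a list of events and keep only the findings."""
    return [finding for finding in map(inspect_event, events) if finding]


# Constructed sample telemetry (not real indicators). Raw strings keep the backslashes intact.
TASK_SCRIPT = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//b //e:vbscript "C:\Users\Public\Libraries\update.vbs"</Arguments>
    </Exec>
  </Actions>
</Task>"""

TASK_BENIGN = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec>
      <Command>C:\Program Files\Backup\backup.exe</Command>
      <Arguments>--nightly</Arguments>
    </Exec>
  </Actions>
</Task>"""

SAMPLE_EVENTS = [
    {"Provider": "Security", "EventID": 4698, "TaskName": r"\Windows Update Check", "TaskContent": TASK_SCRIPT},
    {"Provider": "Security", "EventID": 4698, "TaskName": r"\Nightly Backup", "TaskContent": TASK_BENIGN},
    {"Provider": "Sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "Details": r"wscript.exe //b C:\Users\Public\Libraries\update.vbs"},
    {"Provider": "Sysmon", "EventID": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup",
     "Details": r"C:\Program Files\Backup\backup.exe --tray"},
    # A script path written somewhere other than an autostart key is not flagged.
    {"Provider": "Sysmon", "EventID": 13,
     "TargetObject": r"HKCU\Software\Contoso\Helper\Path",
     "Details": r"cscript.exe C:\Tools\helper.vbs"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Two caveats before using this on real telemetry: event 4698 is only logged when the "Audit Other Object Access Events" subcategory is enabled, so check that it is actually being collected, and legitimate logon or inventory scripts also run under cscript.exe and wscript.exe, so treat a hit as a lead to baseline against the environment rather than a verdict.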
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Gamaredon | 3 | Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been actively tracked since 2013 and is recognized as a significant threat actor in the cybersecurity landscape. Its primary target is Ukraine, against which it deploys an array of home-brewed malware through malicious documents. The E
Primitive Bear | 1 | Primitive Bear, also known as Gamaredon, UAC-0010, and Shuckworm, is a threat actor associated with Russia that has been actively targeting Ukraine for over a decade. This group has primarily focused on organizations within government, defense, and critical infrastructure sectors. Since our update i
Ursa | 1 | URSA is a harmful malware, typically delivered as an archive attachment to phishing emails. It operates as a backdoor into the infected system, enabling unauthorized access and exploitation. The malware has been particularly active in Latin America, where it's known as the Mispadu banking trojan. Si
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt
Ukraine
Backdoor
Phishing
Telegram
Russia
Malware
Windows
Associated Malware
ID | Type | Votes | Profile Description
Pteranodon | Unspecified | 1 | Pteranodon is a custom backdoor malware that has been linked to the cyber espionage group known as Gamaredon (also referred to as Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa). This group has been active since 2014, with its activities primarily focused on Ukraine. Pte
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
Pteranodon/pterodo | Unspecified | 1 | None
Source Document References
Information about the Trident Ursa Threat Actor was read from the documents corpus below. This display is limited to 20 results.
Source | Created At | Title
CERT-EU | 8 months ago | Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine
CERT-EU | 8 months ago | 'LitterDrifter' Russian USB Worm Leaks from Ukraine War Zone
CERT-EU | 8 months ago | Russia's LitterDrifter USB Worm Spreads Beyond Ukraine
Securityaffairs | 8 months ago | Russian APT Gamaredon uses USB worm LitterDrifter against Ukraine
Securityaffairs | a year ago | Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine
Unit42 | a year ago | Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine
CERT-EU | a year ago | Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise | IT Security News
Securityaffairs | a year ago | Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise
CERT-EU | a year ago | Russian Hackers Using USB-Spreading Malware in Attacks on Ukrainian Government, Military