Ursa

Malware updated 25 days ago (2024-08-14T09:25:42.910Z)
Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malware, which is exclusive to this threat actor. In July 2023, Unit42 reported on Fighting Ursa's phishing scheme targeting diplomats through a used car sale lure, distributing the HeadLace backdoor malware. This tactic aligns with previously documented campaigns by Fighting Ursa and other Russian threat actors. The Hyperledger Foundation's Ursa project, unrelated to the malware, involves post-quantum cryptography in the production of open-source software for blockchain. Meanwhile, the Ursa Major company, based in Colorado, focuses on 3D rocket engine printing. Established in Youngstown, Ohio, in 2021 through a $3 million contract from America Makes, Ursa Major's Advanced Manufacturing Lab aims to boost U.S. manufacturing competitiveness through the adoption of additive manufacturing, also known as 3D printing. In terms of funding, Ursa Major recently announced that it received an additional $1.2 million from America Makes to transition its additive manufacturing of rocket engine hardware prototypes to production qualification hardware. This follows their earlier work producing thrust chambers for the vacuum variant of their Hadley liquid rocket engine. These developments represent significant advancements in additive manufacturing techniques for solid rocket motor production, positioning Ursa Major at the forefront of this innovative field.
Description last updated: 2024-08-14T08:42:20.496Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID (votes): profile description
APT28 (3 votes): APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM, is a threat actor linked to Russia that has been active since at least 2007. The group has targeted governments, militaries, and security organizations worldwide, including the German Social Democratic Party
Fighting Ursa (3 votes): Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, is a highly active Russian cyber threat actor with a notorious history of carrying out high-profile attacks. The group has been linked to significant cyber offensives including US election interference in 2016, the NotPetya attacks, the Oly
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Phishing
Apt
Payload
Windows
Outlook
Vulnerability
Exploit
Associated Malware
ID (type, votes): profile description
Uroburos (Unspecified, 2 votes): Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen
Kazuar (Unspecified, 2 votes): Kazuar is a sophisticated multiplatform trojan horse malware, linked to the Russian-based threat group Turla (also known as Pensive Ursa, Uroburos, Snake), which has been operating since at least 2004. This group, believed to be connected to the Russian Federal Security Service (FSB), utilizes an ar
Associated Threat Actors
ID (type, votes): profile description
Cloaked Ursa (Unspecified, 4 votes): Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout
APT29 (Unspecified, 3 votes): APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, BlueBravo, and the SVR group, is a Russia-linked threat actor notorious for its malicious cyber activities. In November 2023, this entity exploited a zero-day vulnerability in WinRAR software to launch attacks against various em
Cozy Bear (Unspecified, 3 votes): Cozy Bear, also known as APT29, Midnight Blizzard, and Nobelium, is a threat actor believed to operate out of Russia's Foreign Intelligence Service or SVR. This group has been linked to several high-profile cyber intrusions. One of the earliest identified activities of Cozy Bear was at the Democrati
Pensive Ursa (Unspecified, 2 votes): Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti
Turla (Unspecified, 2 votes): Turla, a threat actor linked to Russia, is known for its sophisticated cyber-espionage activities. It has been associated with numerous high-profile attacks, employing innovative techniques and malware to infiltrate targets and execute actions with malicious intent. According to MITRE ATT&CK and MIT
Source Document References
Information about the Ursa Malware was read from the documents corpus below. This display is limited to 20 results.
Source (created): title
DARKReading (a month ago): Russia's 'Fighting Ursa' APT Uses Car Ads to Install HeadLace Malware
Unit42 (a month ago): Fighting Ursa Luring Targets With Car for Sale
BankInfoSecurity (3 months ago): Brazil's Climb Onto the World Stage Sparks Cyber Risks
CERT-EU (a year ago): Linux SSH servers targeted by novel ShellBot malware variants
CERT-EU (a year ago): More than $1.6M stolen in General Bytes hack
CERT-EU (a year ago): A path forward in meeting the emerging cyber threats to the blockchain
CERT-EU (10 months ago): Carahsoft to Provide Public Sector Access to Resiliant Identity & Cybersecurity Products; Steve Jacyna Quoted - ExecutiveBiz
CERT-EU (a year ago): Defense Watch: SEC Cyber Rule, USCG UAS RFP, Frigate Test Site - Defense Daily
CERT-EU (a year ago): Ukraine targeted by novel malware attacks
CERT-EU (a year ago): Over 90K credentials stolen by Mispadu trojan in LatAm attacks
CERT-EU (9 months ago): Analysis: Russian hackers using Outlook zero-day in campaign targeting NATO nations | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Unit42 (9 months ago): Fighting Ursa Aka APT28: Illuminating a Covert Campaign
CERT-EU (10 months ago): Over the Kazuar's nest: Cracking down on a freshly hatched backdoor used by Pensive Ursa - Cyber Security Review
Unit42 (10 months ago): Over the Kazuar's Nest: Cracking Down on a Freshly Hatched Backdoor Used by Pensive Ursa (Aka Turla)
CERT-EU (a year ago): SolarWinds Attackers Dangle BMWs to Spy on Diplomats
CERT-EU (a year ago): Russians try to exploit sale of a BMW 5 to hack diplomats in Ukraine: Report | IT World Canada News
InfoSecurity-magazine (a year ago): Diplomats in Ukraine Targeted by "Staggering" BMW Phishing Campaign
Unit42 (a year ago): Diplomats Beware: Cloaked Ursa Phishing With a Twist
Unit42 (2 years ago): Russia's Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine