Ursa

Malware updated a month ago (2024-11-29T14:21:06.836Z)
Ursa is a highly active and motivated malware threat actor, also known as APT28, Fancy Bear, and Sofacy, which has been linked to various high-profile cyberattacks, including the US election interference in 2016 and the NotPetya attacks. The group is known for its use of the HeadLace backdoor malware, which is exclusive to this threat actor. In July 2023, Unit42 reported on Fighting Ursa's phishing scheme targeting diplomats through a used car sale lure, distributing the HeadLace backdoor malware. This tactic aligns with previously documented campaigns by Fighting Ursa and other Russian threat actors.

The Hyperledger Foundation's Ursa project, unrelated to the malware, involves post-quantum cryptography in the production of open-source software for blockchain.

Meanwhile, the Ursa Major company, based in Colorado, focuses on 3D rocket engine printing. Established in Youngstown, Ohio, in 2021 through a $3 million contract from America Makes, Ursa Major's Advanced Manufacturing Lab aims to boost U.S. manufacturing competitiveness through the adoption of additive manufacturing, also known as 3D printing. In terms of funding, Ursa Major recently announced that it received an additional $1.2 million from America Makes to transition its additive manufacturing of rocket engine hardware prototypes to production qualification hardware. This follows their earlier work producing thrust chambers for the vacuum variant of their Hadley liquid rocket engine. These developments represent significant advancements in additive manufacturing techniques for solid rocket motor production, positioning Ursa Major at the forefront of this innovative field.
Description last updated: 2024-08-14T08:42:20.496Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
APT28 is a possible alias for Ursa. APT28, also known as Fancy Bear, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM, is a threat actor linked to Russia. The group has been associated with cyber espionage campaigns across Central Asia and has historically targeted areas of national security, military operations, and geopolitical influ | 3
Fighting Ursa is a possible alias for Ursa. Fighting Ursa, also known as APT28, Fancy Bear, and Sofacy, is a highly active Russian cyber threat actor with a notorious history of carrying out high-profile attacks. The group has been linked to significant cyber offensives including US election interference in 2016, the NotPetya attacks, the Oly | 3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Malware
Phishing
Apt
Payload
Windows
Outlook
Vulnerability
Exploit
Associated Malware
Alias Description | Association Type | Votes
The Uroburos Malware is associated with Ursa. Uroburos, also known as Snake, Turla, Pensive Ursa, and Venomous Bear, is a sophisticated malware linked to the Russian Federal Security Service (FSB). The development of this malicious software began in late 2003, with its operations traced back to at least 2004. Uroburos is part of a broader arsen | Unspecified | 2
The Kazuar Malware is associated with Ursa. Kazuar is a sophisticated multiplatform trojan horse malware that has been associated with the Russian-based threat group Turla, also known as Pensive Ursa, Uroburos, or Snake. This group, believed to be linked to the Russian Federal Security Service (FSB), has been operating since at least 2004 and | Unspecified | 2
Associated Threat Actors
Alias Description | Association Type | Votes
The Cloaked Ursa Threat Actor is associated with Ursa. Cloaked Ursa, also known as APT29, BlueBravo, Midnight Blizzard, and formerly Nobelium, is a Russian threat actor believed to be associated with Russia's Foreign Intelligence Service (SVR). The group has been active in conducting cyber-espionage attacks against various diplomatic entities throughout | Unspecified | 4
The APT29 Threat Actor is associated with Ursa. APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw | Unspecified | 3
The Cozy Bear Threat Actor is associated with Ursa. Cozy Bear, also known as APT29 and Midnight Blizzard, is a threat actor believed to be linked to the Russian government. This entity has been behind numerous cyberattacks with malicious intent, targeting various organizations and systems worldwide. The first significant intrusion attributed to Cozy | Unspecified | 3
The Pensive Ursa Threat Actor is associated with Ursa. Pensive Ursa, also known as Turla, Uroburos, Venomous Bear, and Waterbug, is a Russian-based advanced persistent threat (APT) group that has been operating since at least 2004. The group, linked to the Russian Federal Security Service (FSB), is renowned for its sophisticated cyber-espionage activiti | Unspecified | 2
The Turla Threat Actor is associated with Ursa. Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures ( | Unspecified | 2
Source Document References
Information about the Ursa Malware was read from the documents corpus below. This display is limited to 20 results.
Source Link | Created At
DARKReading | 5 months ago
Unit42 | 5 months ago
BankInfoSecurity | 6 months ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
CERT-EU | 2 years ago
CERT-EU | 2 years ago
CERT-EU | a year ago
Unit42 | a year ago
CERT-EU | a year ago
Unit42 | a year ago
CERT-EU | a year ago
CERT-EU | a year ago
InfoSecurity-magazine | a year ago
Unit42 | a year ago
Unit42 | 2 years ago