
Threat Group Cards: A Threat Actor Encyclopedia

Tool: Octopus

Names: Octopus
Category: Malware
Type: Backdoor
Description: (Kaspersky) The name was originally coined by ESET in 2017 after the 0ct0pus3.php script used by the actor on their old C2 servers.

In the case of Octopus, DustSquad used Delphi as their programming language of choice, which is unusual for such an actor.

In April 2018 we discovered a new Octopus sample pretending to be Telegram Messenger with a Russian interface. We couldn't find any legitimate software that this malware appears to be impersonating; in fact, we don't believe it exists. The Trojan uses third-party Delphi libraries like The Indy Project for JSON-based C2 communications and TurboPower Abbrevia (sourceforge.net/projects/tpabbrevia) for compression. Malware persistence is basic and achieved via the system registry. The server side uses commercial hosting in different countries with .php scripts deployed.
Information: <https://securelist.com/octopus-infested-seas-of-central-asia/88200/>
MITRE ATT&CK: <https://attack.mitre.org/software/S0340/>
Malpedia: <https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus>

Last change to this tool card: 22 April 2020


All groups using tool Octopus

Changed | Name                     | Country   | Observed

APT groups

        | DustSquad, Golden Falcon | Russia    | 2014
        | LazyScripter             | [Unknown] | 2018

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
