
Threat Group Cards: A Threat Actor Encyclopedia

APT group: DarkUniverse

Names: DarkUniverse (Kaspersky)
Country: [Unknown]
Motivation: Information theft and espionage
First seen: 2017
Description: (Kaspersky) DarkUniverse is an interesting example of a full cyber-espionage framework used for at least eight years. The malware contains all the necessary modules for collecting all kinds of information about the user and the infected system and appears to be fully developed from scratch. Due to unique code overlaps, we assume with medium confidence that DarkUniverse’s creators were connected with the ItaDuke set of activities. The attackers were resourceful and kept updating their malware during the full lifecycle of their operations, so the observed samples from 2017 are totally different from the initial samples from 2009. The suspension of its operations may be related to the publishing of the ‘Lost in Translation’ leak, or the attackers may simply have decided to switch to more modern approaches and start using more widely available artefacts for their operations.
Observed:
Sectors: Defense and civilian.
Countries: Afghanistan, Belarus, Ethiopia, Iran, Russia, Sudan, Syria, Tanzania, UAE and others.
Tools used: dfrgntfs5.sqt, glue30.dll, msvcrt58.sqt, updater.mod, zl4vq.sqt.
Information: https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/

Last change to this card: 14 April 2020



Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
