DarkHotel

aka: DUBNIUM, Fallout Team, Karba, Luder, Nemim, Nemin, Tapaoux, Pioneer, Shadow Crane, APT-C-06, SIG25, TUNGSTEN BRIDGE, T-APT-02, G0012, ATK52

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'


Associated Families
ps1.rmot, win.dubnium_darkhotel, win.thinmon, win.asruex, win.jaku, win.nemim, win.ramsay, win.retro, win.tapaoux

References
2022-05-16 | cocomelonc | cocomelonc
@online{cocomelonc:20220516:malware:ae31bde, author = {cocomelonc}, title = {{Malware development: persistence - part 6. Windows netsh helper DLL. Simple C++ example.}}, date = {2022-05-16}, organization = {cocomelonc}, url = {https://cocomelonc.github.io/tutorial/2022/05/16/malware-pers-5.html}, language = {English}, urldate = {2022-12-01} }
Families: CherryPicker POS, Ramsay

2022-05-05 | BrightTALK (Mandiant) | Christopher Gardner
@online{gardner:20220505:sample:66178f9, author = {Christopher Gardner}, title = {{The Sample: Beating the Malware Piñata}}, date = {2022-05-05}, organization = {BrightTALK (Mandiant)}, url = {https://www.brighttalk.com/webcast/7451/538775}, language = {English}, urldate = {2022-06-09} }
Families: Jaku

2022-03-17 | Trellix | Thibault Seret, John Fokker
@online{seret:20220317:suspected:f30741a, author = {Thibault Seret and John Fokker}, title = {{Suspected DarkHotel APT activity update}}, date = {2022-03-17}, organization = {Trellix}, url = {https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/suspected-darkhotel-apt-activity-update.html}, language = {English}, urldate = {2022-03-18} }
Families: RMOT

2021-12-01 | ESET Research | Alexis Dorais-Joncas, Facundo Muñoz
@techreport{doraisjoncas:20211201:jumping:00bc8f5, author = {Alexis Dorais-Joncas and Facundo Muñoz}, title = {{Jumping the air gap: 15 years of nation‑state effort}}, date = {2021-12-01}, institution = {ESET Research}, url = {https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf}, language = {English}, urldate = {2021-12-17} }
Families: Agent.BTZ, Fanny, Flame, Gauss, PlugX, Ramsay, Retro, Stuxnet, USBCulprit, USBferry

2020-09-22 | Youtube (Virus Bulletin) | Ignacio Sanmillan
@online{sanmillan:20200922:ramsay:efa8b8c, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber-espionage toolkit tailored for air-gapped networks}}, date = {2020-09-22}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=SKIu4LqMrns}, language = {English}, urldate = {2020-11-19} }
Families: Ramsay

2020-09-08 | NSFOCUS | NSFOCUS
@online{nsfocus:20200908:groupdarkhotelrat:f6ecf8c, author = {NSFOCUS}, title = {{APT GROUP系列——DARKHOTEL之窃密与RAT篇}}, date = {2020-09-08}, organization = {NSFOCUS}, url = {http://blog.nsfocus.net/darkhotel-3-0908/}, language = {Chinese}, urldate = {2020-09-15} }
Families: Nemim

2020-08-25 | 360 Threat Intelligence Center | 360 Threat Intelligence Center
@online{center:20200825:darkhotel:cf3af4b, author = {360 Threat Intelligence Center}, title = {{Darkhotel (APT-C-06) organized multiple attacks using the Thinmon backdoor framework to reveal the secrets}}, date = {2020-08-25}, organization = {360 Threat Intelligence Center}, url = {https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg}, language = {Chinese}, urldate = {2020-08-25} }
Families: ThinMon

2020-06-14 | BushidoToken | BushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} }
Families: Asruex, Ghost RAT, Ramsay, Retro, Unidentified 076 (Higaisa LNK to Shellcode)

2020-05-22 | Antiy CERT | Antiy CERT
@online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = {{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} }
Families: Ramsay, DarkHotel

2020-05-20 | SentinelOne | Jim Walter
@online{walter:20200520:why:818c76f, author = {Jim Walter}, title = {{Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks}}, date = {2020-05-20}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/}, language = {English}, urldate = {2020-06-10} }
Families: Ramsay

2020-05-13 | ESET Research | Ignacio Sanmillan
@online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} }
Families: Ramsay, Retro

2020-03-23 | Reuters | Raphael Satter, Jack Stubbs, Christopher Bing
@online{satter:20200323:exclusive:69223ea, author = {Raphael Satter and Jack Stubbs and Christopher Bing}, title = {{Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike}}, date = {2020-03-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN}, language = {English}, urldate = {2020-03-26} }
Families: DarkHotel

2020 | Secureworks | SecureWorks
@online{secureworks:2020:tungsten:f923f8b, author = {SecureWorks}, title = {{TUNGSTEN BRIDGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tungsten-bridge}, language = {English}, urldate = {2020-05-23} }
Families: Nemim, DarkHotel

2019-08-22 | Trend Micro | Ian Mercado, Mhica Romero
@online{mercado:20190822:asruex:9284e85, author = {Ian Mercado and Mhica Romero}, title = {{Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities}}, date = {2019-08-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/}, language = {English}, urldate = {2020-01-13} }
Families: Asruex

2019 | MITRE | MITRE ATT&CK
@online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} }
Families: DarkHotel

2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:darkhotel:930d3a8, author = {Cyber Operations Tracker}, title = {{Darkhotel}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/darkhotel}, language = {English}, urldate = {2019-12-20} }
Families: DarkHotel

2018-06-17 | IBM | IBM Support
@online{support:20180617:storwize:8759428, author = {IBM Support}, title = {{Storwize USB Initialization Tool may contain malicious code}}, date = {2018-06-17}, organization = {IBM}, url = {https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146}, language = {English}, urldate = {2020-01-07} }
Families: Jaku

2018-05-25 | 360 | 360 Helios Team
@online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} }
Families: Retro

2017-07-19 | SecurityWeek | Eduard Kovacs
@online{kovacs:20170719:darkhotel:03c4181, author = {Eduard Kovacs}, title = {{'DarkHotel' APT Uses New Methods to Target Politicians}}, date = {2017-07-19}, organization = {SecurityWeek}, url = {https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians}, language = {English}, urldate = {2020-01-09} }
Families: DarkHotel

2017-07-18 | Bitdefender | Alexandru Rusu, Cristina Vatamanu, Alexandru Maximciuc
@online{rusu:20170718:inexsmar:65be001, author = {Alexandru Rusu and Cristina Vatamanu and Alexandru Maximciuc}, title = {{Inexsmar: An unusual DarkHotel campaign}}, date = {2017-07-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/}, language = {English}, urldate = {2020-04-06} }
Families: DarkHotel

2016-06-30 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20160630:asruex:7472f12, author = {Shusei Tomonaga}, title = {{Asruex: Malware Infecting through Shortcut Files}}, date = {2016-06-30}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html}, language = {English}, urldate = {2019-10-25} }
Families: DarkHotel

2016-06-09 | Microsoft | Jeong Wook Oh
@online{oh:20160609:reverseengineering:e26dd54, author = {Jeong Wook Oh}, title = {{Reverse-engineering DUBNIUM}}, date = {2016-06-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/}, language = {English}, urldate = {2019-10-13} }
Families: DarkHotel

2016-06-09 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20160609:reverseengineering:6199f8b, author = {Microsoft Defender ATP Research Team}, title = {{Reverse-engineering DUBNIUM}}, date = {2016-06-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2}, language = {English}, urldate = {2020-01-06} }
Families: DarkHotel

2016 | Forcepoint | Andy Settle, Bapadittya Dey, Nicholas Griffin, Abel Toro
@techreport{settle:2016:analysis:8117245, author = {Andy Settle and Bapadittya Dey and Nicholas Griffin and Abel Toro}, title = {{Analysis of a Botnet Campaign}}, date = {2016}, institution = {Forcepoint}, url = {https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf}, language = {English}, urldate = {2020-01-06} }
Families: Jaku

2015-12-31 | ThreatBook
@online{threatbook:20151231:overseas:9da6c7c, author = {ThreatBook}, title = {{Overseas "Dark Inn" organization launched an APT attack on executives of domestic enterprises}}, date = {2015-12-31}, url = {https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726}, language = {English}, urldate = {2020-06-08} }
Families: DarkHotel

2015-08-10 | Kaspersky Labs | GReAT
@online{great:20150810:darkhotels:3c831d5, author = {GReAT}, title = {{Darkhotel’s attacks in 2015}}, date = {2015-08-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/}, language = {English}, urldate = {2019-12-20} }
Families: DarkHotel

2015-03-04 | Kaspersky Labs | Kurt Baumgartner, Juan Andrés Guerrero-Saade
@online{baumgartner:20150304:whos:0b8331c, author = {Kurt Baumgartner and Juan Andrés Guerrero-Saade}, title = {{Who’s Really Spreading through the Bright Star?}}, date = {2015-03-04}, organization = {Kaspersky Labs}, url = {https://securelist.com/whos-really-spreading-through-the-bright-star/68978/}, language = {English}, urldate = {2019-12-20} }
Families: Jaku

2014-11-10 | Kaspersky Labs | GReAT
@online{great:20141110:darkhotel:b1f9560, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/66779/the-darkhotel-apt/}, language = {English}, urldate = {2019-12-20} }
Families: DarkHotel

2014-11-10 | Kaspersky Labs | GReAT
@online{great:20141110:darkhotel:19e4934, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-darkhotel-apt/66779/}, language = {English}, urldate = {2019-12-20} }
Families: DarkHotel

Credits: MISP Project