
DarkHotel

aka: DUBNIUM, Fallout Team, Karba, Luder, Nemim, Nemin, Tapaoux, Pioneer, Shadow Crane, APT-C-06, SIG25, TUNGSTEN BRIDGE, T-APT-02

Kaspersky described DarkHotel in a 2014 report as: '... DarkHotel drives its campaigns by spear-phishing targets with highly advanced Flash zero-day exploits that effectively evade the latest Windows and Adobe defenses, and yet they also imprecisely spread among large numbers of vague targets with peer-to-peer spreading tactics. Moreover, this crew's most unusual characteristic is that for several years the Darkhotel APT has maintained a capability to use hotel networks to follow and hit selected targets as they travel around the world.'


Associated Families
win.dubnium_darkhotel win.nemim win.ramsay win.tapaoux win.retro win.asruex

References
2020-06-14 | BushidoToken | BushidoToken
@online{bushidotoken:20200614:deepdive:3a375ca, author = {BushidoToken}, title = {{Deep-dive: The DarkHotel APT}}, date = {2020-06-14}, organization = {BushidoToken}, url = {https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html}, language = {English}, urldate = {2020-06-16} } Deep-dive: The DarkHotel APT
Asruex Ghost RAT Ramsay Retro Unidentified 076 (Higaisa LNK to Shellcode)
2020-05-22 | Antiy CERT | Antiy CERT
@online{cert:20200522:analysis:fc8e2b2, author = {Antiy CERT}, title = {{Analysis of Ramsay components of Darkhotel's infiltration and isolation network}}, date = {2020-05-22}, organization = {Antiy CERT}, url = {https://www.antiy.cn/research/notice&report/research_report/20200522.html}, language = {Chinese}, urldate = {2020-05-23} } Analysis of Ramsay components of Darkhotel's infiltration and isolation network
Ramsay DarkHotel
2020-05-20 | SentinelOne | Jim Walter
@online{walter:20200520:why:818c76f, author = {Jim Walter}, title = {{Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks}}, date = {2020-05-20}, organization = {SentinelOne}, url = {https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/}, language = {English}, urldate = {2020-06-10} } Why On-Device Detection Matters: New Ramsay Trojan Targets Air-Gapped Networks
Ramsay
2020-05-13 | ESET Research | Ignacio Sanmillan
@online{sanmillan:20200513:ramsay:8608f19, author = {Ignacio Sanmillan}, title = {{Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks}}, date = {2020-05-13}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/}, language = {English}, urldate = {2020-05-14} } Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks
Ramsay Retro
2020-03-23 | Reuters | Raphael Satter, Jack Stubbs, Christopher Bing
@online{satter:20200323:exclusive:69223ea, author = {Raphael Satter and Jack Stubbs and Christopher Bing}, title = {{Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike}}, date = {2020-03-23}, organization = {Reuters}, url = {https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN}, language = {English}, urldate = {2020-03-26} } Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike
DarkHotel
2020 | Secureworks | SecureWorks
@online{secureworks:2020:tungsten:f923f8b, author = {SecureWorks}, title = {{TUNGSTEN BRIDGE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/tungsten-bridge}, language = {English}, urldate = {2020-05-23} } TUNGSTEN BRIDGE
Nemim DarkHotel
2019-08-22 | Trend Micro | Ian Mercado, Mhica Romero
@online{mercado:20190822:asruex:9284e85, author = {Ian Mercado and Mhica Romero}, title = {{Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities}}, date = {2019-08-22}, organization = {Trend Micro}, url = {https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/}, language = {English}, urldate = {2020-01-13} } Asruex Backdoor Variant Infects Word Documents and PDFs Through Old MS Office and Adobe Vulnerabilities
Asruex
2019 | MITRE | MITRE ATT&CK
@online{attck:2019:darkhotel:eab9170, author = {MITRE ATT&CK}, title = {{Group description: Darkhotel}}, date = {2019}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0012/}, language = {English}, urldate = {2019-12-20} } Group description: Darkhotel
DarkHotel
2019 | Council on Foreign Relations | Cyber Operations Tracker
@online{tracker:2019:darkhotel:930d3a8, author = {Cyber Operations Tracker}, title = {{Darkhotel}}, date = {2019}, organization = {Council on Foreign Relations}, url = {https://www.cfr.org/interactive/cyber-operations/darkhotel}, language = {English}, urldate = {2019-12-20} } Darkhotel
DarkHotel
2018-05-25 | 360 | 360 Helios Team
@online{team:20180525:analysis:a83bb88, author = {360 Helios Team}, title = {{Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack}}, date = {2018-05-25}, organization = {360}, url = {https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/}, language = {English}, urldate = {2020-05-14} } Analysis of CVE-2018-8174 VBScript 0day and APT actor related to Office targeted attack
Retro
2017-07-19 | SecurityWeek | Eduard Kovacs
@online{kovacs:20170719:darkhotel:03c4181, author = {Eduard Kovacs}, title = {{'DarkHotel' APT Uses New Methods to Target Politicians}}, date = {2017-07-19}, organization = {SecurityWeek}, url = {https://www.securityweek.com/darkhotel-apt-uses-new-methods-target-politicians}, language = {English}, urldate = {2020-01-09} } 'DarkHotel' APT Uses New Methods to Target Politicians
DarkHotel
2017-07-18 | Bitdefender | Alexandru Rusu, Cristina Vatamanu, Alexandru Maximciuc
@online{rusu:20170718:inexsmar:65be001, author = {Alexandru Rusu and Cristina Vatamanu and Alexandru Maximciuc}, title = {{Inexsmar: An unusual DarkHotel campaign}}, date = {2017-07-18}, organization = {Bitdefender}, url = {https://labs.bitdefender.com/wp-content/uploads/downloads/inexsmar-an-unusual-darkhotel-campaign/}, language = {English}, urldate = {2020-04-06} } Inexsmar: An unusual DarkHotel campaign
DarkHotel
2016-06-30 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20160630:asruex:7472f12, author = {Shusei Tomonaga}, title = {{Asruex: Malware Infecting through Shortcut Files}}, date = {2016-06-30}, organization = {JPCERT/CC}, url = {http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html}, language = {English}, urldate = {2019-10-25} } Asruex: Malware Infecting through Shortcut Files
DarkHotel
2016-06-09 | Microsoft | Microsoft Defender ATP Research Team
@online{team:20160609:reverseengineering:6199f8b, author = {Microsoft Defender ATP Research Team}, title = {{Reverse-engineering DUBNIUM}}, date = {2016-06-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2}, language = {English}, urldate = {2020-01-06} } Reverse-engineering DUBNIUM
DarkHotel
2016-06-09 | Microsoft | Jeong Wook Oh
@online{oh:20160609:reverseengineering:e26dd54, author = {Jeong Wook Oh}, title = {{Reverse-engineering DUBNIUM}}, date = {2016-06-09}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/}, language = {English}, urldate = {2019-10-13} } Reverse-engineering DUBNIUM
DarkHotel
2015-12-31 | ThreatBook
@online{threatbook:20151231:overseas:9da6c7c, author = {ThreatBook}, title = {{Overseas "Dark Inn" organization launched an APT attack on executives of domestic enterprises}}, date = {2015-12-31}, url = {https://web.archive.org/web/20160104165148/http://drops.wooyun.org/tips/11726}, language = {English}, urldate = {2020-06-08} } Overseas "Dark Inn" organization launched an APT attack on executives of domestic enterprises
DarkHotel
2015-08-10 | Kaspersky Labs | GReAT
@online{great:20150810:darkhotels:3c831d5, author = {GReAT}, title = {{Darkhotel’s attacks in 2015}}, date = {2015-08-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/}, language = {English}, urldate = {2019-12-20} } Darkhotel’s attacks in 2015
DarkHotel DarkHotel
2014-11-10 | Kaspersky Labs | GReAT
@online{great:20141110:darkhotel:19e4934, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/the-darkhotel-apt/66779/}, language = {English}, urldate = {2019-12-20} } The Darkhotel APT
DarkHotel
2014-11-10 | Kaspersky Labs | GReAT
@online{great:20141110:darkhotel:b1f9560, author = {GReAT}, title = {{The Darkhotel APT}}, date = {2014-11-10}, organization = {Kaspersky Labs}, url = {https://securelist.com/blog/research/66779/the-darkhotel-apt/}, language = {English}, urldate = {2019-12-20} } The Darkhotel APT
DarkHotel

Credits: MISP Project