Trusted Design

Operation Potao Express

概要

ESET presented our initial findings based on research into the Win32/Potao malware family in June, in our CCCC 2015 presentation in Copenhagen. Today, we are releasing the full whitepaper on the Potao malware with additional findings, the cyberespionage campaigns where it was employed, and its connection to a backdoor in the form of a modified version of the TrueCrypt encryption software. Like BlackEnergy, the malware used by the so-called Sandworm APT group (also known as Quedagh), Potao is an example of targeted espionage malware directed mostly at targets in Ukraine and a number of other post-Soviet countries, including Russia, Georgia and Belarus.

Created: 2026-02-23

Indicators

• FileHash-SHA1 - 900ad432b4cb2f2790ffeb0590b0a8348d9e60eb -
• FileHash-SHA1 - 12240271e928979ab2347c29b5599d6ac7cd6b8e -
• FileHash-SHA1 - 54fedcdb0d0f47453dd65373378d037844e813d0 -
• FileHash-SHA1 - bcc5a0ce0bcdfea2fd1d64b5529eac7309488273 -
• FileHash-SHA1 - 4ac999a1c54ae6f54803023dc0fcf126cb77c854 -
• YARA - 31e602def7d298c8e3e289782944a594dc1a2740 -
• FileHash-SHA1 - 94bbf39fff09b3a62a583c7d45a00b2492102dd7 -
• FileHash-SHA1 - eb86615f539e35a8d3e4838949382d09743502bf -
• FileHash-SHA1 - 5c52996d9f68ba6fd0da4982f238ec1d279a7f9d -
• FileHash-SHA1 - bb0500a24853e404ad6ca708813f926b90b38468 -
• FileHash-SHA1 - 855ca024afba0dc09d336a0896318d5cc47f03a6 -
• FileHash-SHA1 - 422b350371b3666a0bd0d56aeaad5dec6bd7c0d0 -
• YARA - 4d6105a98dc695f53870d2a614a40f718acdb45d -
• FileHash-SHA1 - db966220463db87c2c51c19303b3a20f4577d632 -
• FileHash-SHA1 - a4d685fca8afe9885db75282516006f5bc56c098 -
• FileHash-SHA1 - 639560488a75a9e3d35e4c0d9c4934295072dd89 -
• YARA - c292e06024048b058c42e0e2b5d2319c67f522b5 -
• FileHash-SHA1 - e15834263f2a6ccae07d106a71b99fe80a5f744b -
• FileHash-SHA1 - 5b30ecfd47988a77556fe6c0c0b950510052c91e -
• FileHash-SHA1 - e6d2ef05cedcd4abf1d8e3bcaf48b768eac598d7 -
• FileHash-SHA1 - cebab498e6fb1a324c84ba267a7bf5d9df1cf264 -
• FileHash-SHA1 - e400e1dd983fd94e29345aabc77fadeb3f43c219 -
• FileHash-SHA1 - a9cb079ef49cee35bf68ac80534cbfb5fa443780 -
• FileHash-SHA1 - 850c9f3b14f895aaa97a85ae147f07c9770fb4c7 -
• FileHash-SHA1 - f347da9aad52b717641ad3dd96925ab634ceb572 -
• FileHash-SHA1 - e2b2b2c8fb1996f3a4a4e3cee09028437a5284ae -
• FileHash-SHA1 - 82f48d7787bde5b7dec046cbef99963eeeb821a7 -
• FileHash-SHA1 - 9d584de2cce6b654e62573938c2c824d7cc7d0eb -
• FileHash-SHA1 - 92a459e759320447e1fa7b0e48328ab2c20b2c64 -
• domain - truecryptrussia.ru -
• domain - worldairpost.net -
• FileHash-SHA1 - 856802e0bd4a774cfffe5134d249508d89dcda58 -
• FileHash-SHA1 - f8bcdad02da2e0223f45f15da4fbab053e73cf6e -
• FileHash-SHA1 - f6f290a95d68373da813782ef4723e39524d048b -
• FileHash-SHA1 - 1b278a1a5e109f32b526660087aea99fb8d89403 -
• FileHash-SHA1 - b0413ea5c5951c57ea7201db8bb1d8c5ef42aa1e -
• FileHash-SHA1 - 18ddcd41dccfbbd904347ea75bc9413ff6dc8786 -
• FileHash-SHA1 - 9666af44fafc37e074b79455d347c2801218d9ea -
• FileHash-SHA1 - 8839d3e213717b88a06ffc48827929891a10059e -
• FileHash-SHA1 - 2cdd6aabb71fdb244baa313ebba13f06bcad2612 -
• domain - mntexpress.com -
• FileHash-SHA1 - 791ecf11c04470e9ea881549aebd1dded3e4a5ca -
• FileHash-SHA1 - a96b3d31888d267d7488417afe68671eb4f568bd -
• FileHash-SHA1 - 8be74605d90ed762310241828340900d4b502358 -
• domain - poolwaterslide2011.ru -
• FileHash-SHA1 - 59c07e5d69181e6c3afa7593e26d33383722d6c5 -
• FileHash-SHA1 - 4d5e0808a03a75bfe8202e3a6d2920eddbfc7774 -
• FileHash-SHA1 - d88c7c1e465bea7bf7377c08fba3aaf77cbf485f -
• FileHash-SHA1 - fbb399568e0a3b2e461a4eb3268abdf07f3d5764 -
• FileHash-SHA1 - 2531f40a1d9e50793d04d245fd6185aaebcc54f4 -
• FileHash-SHA1 - cc9bdbe37cbaf0cc634076950fd32d9a377de650 -
• FileHash-SHA1 - 9be3800b49e84e0c014852977557f21bcde2a775 -
• FileHash-SHA1 - 5bea9423db6d0500920578c12cb127cbafdd125e -
• FileHash-SHA1 - b80a90b39fba705f86676c5cc3e0deca225d57ff -
• FileHash-SHA1 - 76da7b4abc9b711ab1ef87b97c61dd895e508232 -
• FileHash-SHA1 - 224a07f002e8dfb3f2b615b3fa71166cf1a61b6d -
• FileHash-SHA1 - ba35edc3143ad021bb2490a3eb7b50c06f2ea40b -
• domain - worldairpost.com -
• FileHash-SHA1 - 56f6ac6197ce9cc774f72df948b414eed576b6c3 -
• FileHash-SHA1 - 0ae4e6e6fa1b1f8161a74525d4cb5a1808abfaf4 -
• FileHash-SHA1 - cddde7d44efe12b7252ea300362cf5898bdc5013 -
• FileHash-SHA1 - 642be4b2a87b47e77814744d154094392e413ab1 -
• FileHash-SHA1 - f1c9bc7b1d3fd3d9d96ecde3a46dfc3c33bbcd2b -
• FileHash-SHA1 - 181e9bca23484156cae005f421629da56b5cc6b5 -
• FileHash-SHA1 - 71a5da3ccb4347fe785c6bfff7b741af80b76091 -
• FileHash-SHA1 - 971a69547c5bc9b711a3bb6f6f2c5e3a46bf7b29 -
• FileHash-SHA1 - d8837002a04f4c93cc3b857f6a42ced6c9f3b882 -
• FileHash-SHA1 - ba5ad566a28d7712e0a64899d4675c06139f3ff0 -
• FileHash-SHA1 - 324b65c4291696d5c6c29b299c2849261f816a08 -
• FileHash-SHA1 - 88d703addb26acb7fbe35ec04d7b1aa6de982241 -
• FileHash-SHA1 - 8bd2c45de1ba7a7fd27e43abd35ae30e0d5e03bc -
• FileHash-SHA1 - c1d8be765adcf76e5ccb2cf094191c0fec4bf085 -
• FileHash-SHA1 - 7664c490160858ec8cfc8203f88d354aea1cfe43 -
• domain - camprainbowgold.ru -
• FileHash-SHA1 - 5be1ac1515da2397a7c52a8b1df384dd938fa714 -
• FileHash-SHA1 - 5d4724fba02965916a15a50a6937cdb6ab609fdd -
• FileHash-SHA1 - 526c3263f63f9470d08c6ba23e68f030e76caaf3 -
• FileHash-SHA1 - 1b3437c06cf917920688b25da0345749aa1a4a46 -
• FileHash-SHA1 - 4332a5ad314616d9319c248d41c7d1a709124db2 -
• FileHash-SHA1 - 86e3276b03f9b92b47d441bcfbb913c6c4263bfe -
• FileHash-SHA1 - 7fbabea446206991945fb4586aee93b61af1b341 -
• FileHash-SHA1 - 73a4a6864ef68c810c7c699ed51b759cf1c4adfb -
• FileHash-SHA1 - 2341139a0bc4bb80f5efce63a97aa9b5e818e79d -
• FileHash-SHA1 - ce7f96b400ed51f7fab465dea26147984f2627bd -
• FileHash-SHA1 - bb7a089bae3a4af44fb9b053bb703239e03c036e -
• FileHash-SHA1 - 48904399f7726b9adf7f28c07b0599717f741b8b -
• FileHash-SHA1 - ff6f6dcbedc24d22541013d2273c63b5f0f19fe9 -
• FileHash-SHA1 - 37a3e77bfa6ca1afbd0af7661655815fb1d3da83 -
• FileHash-SHA1 - 81efb422ed2631c739cc690d0a9a5eaa07897531 -
• FileHash-SHA1 - c96c29252e24b3eec5a21c29f7d9d30198f89232 -
• FileHash-SHA1 - a655020d606ca180e056a5b2c2f72f94e985e9db -
• FileHash-SHA1 - 84a70cdc24b68207f015d6308fe5ad13ddabb771 -
• FileHash-SHA1 - dcbd43cfe2f490a569e1c3dd6bca6546074fd2a1 -
• FileHash-SHA1 - 4ee82934f24e348696f1c813c24797618286a70c -
• FileHash-SHA1 - c02878a69efde20f049bc380dae10133c32e9cc9 -
• YARA - 38288a2290f024bc5b3f93d09147eedc4bcacc82 -
• FileHash-SHA1 - a62e69ef1e4f4d48e2920572b9176aedb0eeb1c6 -
• FileHash-SHA1 - 9654b6ea49b7fec4f92683863d10c045764cca86 -
• FileHash-SHA1 - cc3ecfb822d09cbb37916d7087eb032c1ee81aee -
• FileHash-SHA1 - ec0563cde3ffaff424b97d7eb692847132344127 -
• FileHash-SHA1 - 52e59cd4c864fbfc9902a144ed5e68c9ded45deb -

類似Pulses

• Korplug RAT used to attack Vietnamese institutions (score: 0.65)
• A Look Into Fysbis: Sofacy’s Linux Backdoor (score: 0.65)
• Defending the White Elephant (score: 0.65)
• Stegoloader: A Stealthy Information Stealer (score: 0.62)
• BlackEnergy by the SSHBearDoor (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る