high_confidence

C0026

[C0026](https://attack.mitre.org/campaigns/C0026) was a campaign identified in September 2022 that included the selective distribution of [KOPILUWAK](https://attack.mitre.org/software/S1075) and [QUIETCANARY](https://attack.mitre.org/software/S1076) malware to previous [ANDROMEDA](https://attack.mitre.org/software/S1074) malware victims in Ukraine through re-registered [ANDROMEDA](https://attack.mitre.org/software/S1074) C2 domains. Several tools and tactics used during [C0026](https://attack.mitre.org/campaigns/C0026) were consistent with historic [Turla](https://attack.mitre.org/groups/G0010) operations. (Citation: Mandiant Suspected Turla Campaign February 2023)

Start date: 1 August 2022
End date: 1 September 2022
Techniques: 6

Attributed actors

Techniques (6)

collection (2)
T1005 Data from Local System
T1560.001 Archive via Utility

command-and-control (2)
T1568 Dynamic Resolution
T1105 Ingress Tool Transfer

exfiltration (1)
T1030 Data Transfer Size Limits

resource-development (1)
T1583.001 Domains

Indicators of compromise

No IOCs linked to this campaign yet.