Nomadic Octopus

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[1][2][3]

ID: G0133
Associated Groups: DustSquad
Version: 1.0
Created: 24 August 2021
Last Modified: 02 September 2022

Associated Group Descriptions

Name Description


Techniques Used

Domain ID Name Use
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Nomadic Octopus has used PowerShell for execution.[3]

.003 Command and Scripting Interpreter: Windows Command Shell

Nomadic Octopus used cmd.exe /c within a malicious macro.[3]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Nomadic Octopus executed PowerShell in a hidden window.[3]

Enterprise T1105 Ingress Tool Transfer

Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[3]

Enterprise T1036 Masquerading

Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.[2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.[1][3]

Enterprise T1204 .002 User Execution: Malicious File

Nomadic Octopus as attempted to lure victims into clicking on malicious attachments within spearphishing emails.[2][3]


ID Name References Techniques
S0340 Octopus [1][2][3] Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Data Encoding: Standard Encoding, Data from Local System, Data Staged: Local Data Staging, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, File and Directory Discovery, Ingress Tool Transfer, Masquerading: Match Legitimate Name or Location, Phishing: Spearphishing Attachment, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, User Execution: Malicious File, Windows Management Instrumentation