[Threat Actor Profile] Sandworm’s 2024–2025 Playbook — Infrastructure, Targets, TTPs


Executive Summary

  • Attribution: Sandworm (APT44) is operated by GRU Unit 74455 (GTsST) (see [MITRE – G0034]).

  • Destructive ops: ZEROLOT wiper used against Ukrainian energy firms (Dec 2024–Mar 2025) via Active Directory Group Policy abuse (see [ESET – ZEROLOT]).

  • Global access: BadPilot multiyear access campaign (2021–2025) expanded in 2024 to US, Canada, UK, Australia across energy, telecom, maritime, and arms sectors (see [Microsoft – BadPilot]).

  • Historic precedent: the NotPetya wiper (2017) and the Industroyer (2016) and Industroyer2 (2022) attacks on Ukraine’s power grid (see [Google Cloud – Industroyer]).

Background

Aliases: APT44, Seashell Blizzard (Microsoft), ELECTRUM, TeleBots, IRON VIKING, BlackEnergy Group, Quedagh, Voodoo Bear, IRIDIUM, FROZENBARENTS.

Mandate: strategic sabotage, access preparation, information ops supporting Russian military objectives (see [Google TAG – APT44]).

GRU’s Sandworm unit operates at the intersection of cyber and physical destruction. Organizations in critical infrastructure, energy, and defense-adjacent sectors need threat intelligence calibrated to this level of adversary.

Noorstream delivers threat intelligence, vulnerability management, and offensive security assessments for high-risk environments.


Active Campaigns

ZEROLOT Wiper (Dec 2024 – Mar 2025)

  • Target: Ukrainian energy sector. Delivery: AD Group Policy abuse. Effect: destructive wipe of Windows hosts (see [ESET – ZEROLOT]).

BadPilot Global Access (2021 – 2025)

  • 2024 focus: US, Canada, UK, Australia. Sectors: energy, oil & gas, telecom, shipping, arms.

  • TTPs: Tor-routed C2; abuse of RMM tools (Atera, Splashtop); persistent web shells (LocalOlive, Neo‑REGEORG) (see [Microsoft – BadPilot]).
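The hunt below is an added example written for this profile; it is not code from Microsoft's BadPilot report or from the original page, and it also serves the "Web shell hunting" and "Control RMM" items under Mitigation Steps. It assumes IIS on Windows with the default W3C log field order, a constructed set of log lines (not real traffic), an assumed POST-count threshold, an assumed web root path, and two hypothetical helper functions (Find-RecentWebScripts, Find-UnsanctionedRmm). Tunneling shells such as Neo‑REGEORG are driven by many small POSTs from a few client IPs to one script that no client ever requests with GET; that traffic shape, not a file hash, is what Part 1 keys on.

```powershell
# Added example (not from Microsoft's report or this page). Part 1 flags
# tunneling-style web shell traffic in IIS W3C logs; Part 2 lists recently
# written script files under the web root; Part 3 inventories RMM software
# against an allow-list. Thresholds, paths and log lines are assumptions.

# --- Part 1: IIS log heuristics (default W3C field order assumed) ----------
$Fields = 'date','time','s-ip','cs-method','cs-uri-stem','cs-uri-query','s-port',
          'cs-username','c-ip','cs(User-Agent)','sc-status','sc-bytes','cs-bytes','time-taken'

# Constructed sample lines: ordinary browsing from two clients ...
$Lines = @(
    '2025-01-10 08:00:01 10.0.0.5 GET /index.aspx - 443 - 203.0.113.7 Mozilla/5.0 200 5120 310 12',
    '2025-01-10 08:00:03 10.0.0.5 POST /login.aspx - 443 - 203.0.113.7 Mozilla/5.0 302 210 640 30',
    '2025-01-10 08:00:05 10.0.0.5 GET /login.aspx - 443 - 203.0.113.9 Mozilla/5.0 200 4100 290 8'
)
# ... plus forty POSTs in one minute from one IP to a script nobody ever GETs.
foreach ($n in 1..40) {
    $Lines += '2025-01-10 08:01:{0:d2} 10.0.0.5 POST /aspnet_client/system_web/cache.aspx - 443 - 198.51.100.23 python-requests/2.31 200 {1} 8192 9' -f $n, (512 + $n)
}

# Parse each line into an object keyed by field name; skip W3C directive lines.
$Requests = foreach ($line in $Lines) {
    if ($line.StartsWith('#')) { continue }
    $parts = $line -split ' '
    $obj = [ordered]@{}
    for ($i = 0; $i -lt $Fields.Count; $i++) { $obj[$Fields[$i]] = $parts[$i] }
    [pscustomobject]$obj
}

# Paths that legitimate clients fetch with GET; a POST-only path is the oddity.
$GetPaths = ($Requests | Where-Object { $_.'cs-method' -eq 'GET' }).'cs-uri-stem' | Select-Object -Unique
$Suspects = $Requests |
    Where-Object { $_.'cs-method' -eq 'POST' -and $_.'cs-uri-stem' -notin $GetPaths } |
    Group-Object 'c-ip', 'cs-uri-stem' |
    Where-Object { $_.Count -ge 20 } |          # assumption: demo threshold, tune per site
    ForEach-Object {
        [pscustomobject]@{
            ClientIP  = $_.Group[0].'c-ip'
            Path      = $_.Group[0].'cs-uri-stem'
            Posts     = $_.Count
            UserAgent = (($_.Group | ForEach-Object { $_.'cs(User-Agent)' }) | Select-Object -Unique) -join ';'
            BytesIn   = ($_.Group | ForEach-Object { [int]$_.'cs-bytes' } | Measure-Object -Sum).Sum
        }
    }
$Suspects | Format-Table -AutoSize

# --- Part 2: script files written recently under the web root --------------
function Find-RecentWebScripts {
    param([string]$Root = 'C:\inetpub\wwwroot', [int]$Days = 30)   # assumptions
    Get-ChildItem -Path $Root -Recurse -Include *.aspx,*.ashx,*.asmx,*.php,*.jsp -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime, Length
}

# --- Part 3: RMM software and services not on the allow-list ---------------
function Find-UnsanctionedRmm {
    param([string[]]$Sanctioned = @())     # display names you actually licensed
    $Pattern = 'Atera|Splashtop'           # extend to every RMM product you track
    $found = @()
    $found += Get-Service | Where-Object { $_.DisplayName -match $Pattern } |
              ForEach-Object { "service: $($_.DisplayName)" }
    $Keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $found += Get-ItemProperty -Path $Keys -ErrorAction SilentlyContinue |
              Where-Object { $_.DisplayName -match $Pattern } |
              ForEach-Object { "installed: $($_.DisplayName) $($_.DisplayVersion)" }
    $found | Where-Object { $item = $_; -not ($Sanctioned | Where-Object { $item -like "*$_*" }) }
}

Find-RecentWebScripts
Find-UnsanctionedRmm -Sanctioned @()       # with no sanctioned RMM, every hit is a finding
```

On the constructed input, Part 1 reports one group: 198.51.100.23 posting forty times to /aspnet_client/system_web/cache.aspx with a non-browser user agent and about 320 KB sent to the server, while the two ordinary clients never appear. Against real logs, pair the path-only heuristic with a check that the flagged file exists on disk and when it was written, since a tunneling shell that has been removed still leaves the log shape behind.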

Kapeka / KnuckleTouch (2022 – present)

  • Region: Ukraine, Estonia. Role: initial toolkit + long-term persistence; potential successor to GreyEnergy (see [WithSecure – Kapeka]).

Mobile – Infamous Chisel (2023 – present)

  • Target: Android devices in Ukrainian military context; Capabilities: persistent access, data theft, network monitoring (see [CISA – Infamous Chisel]).

Tactics, Techniques, and Procedures (TTPs)

  • T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification — ZEROLOT delivery (see [ESET – ZEROLOT])

  • T1219 – Remote Access Tools — Atera, Splashtop abuse (see [Microsoft – BadPilot])

  • T1572 – Protocol Tunneling — Yamux/TLS; Tor routing (see [Microsoft – BadPilot])

  • T1543.002 – Create or Modify System Process: Systemd Service — Linux persistence (see [MITRE – C0034])

  • Core set: T1078 – Valid Accounts, T1027 – Obfuscated/Compressed Files, T1485 – Data Destruction, T1486 – Data Encrypted for Impact (see [MITRE – G0034])

  • Mobile: T1476 – Deliver Malicious App, T1471 – Input Capture, T1473 – Application Layer Protocol, T1521 – Encrypted Channel, T1020 – Automated Exfiltration (see [CISA – Infamous Chisel])

Implications for Targeted Sectors

  • Energy/CIKR: Destructive wiper risk aligned with kinetic ops; AD/GPO misuse widens blast radius.

  • Defense, Maritime, Oil & Gas, Telecom: Long-dwell via RMM + web shells enables staging, lateral movement, multi-vector impact.

  • NATO states: BadPilot’s 2024 expansion indicates reconnaissance and pre‑positioning aligned to Russian military objectives (see [Microsoft – BadPilot]).

Mitigation Steps

Technical

  • Harden GPO: alert on creation/modification; restrict who can link GPOs; audit startup/logon scripts (see [ESET – ZEROLOT]).

  • Control RMM: inventory + allow‑list sanctioned RMM; block unsanctioned installers; EDR detections for Atera/Splashtop behaviors (see [Microsoft – BadPilot]).

  • Web shell hunting: monitor for LocalOlive/Neo‑REGEORG artifacts; review reverse proxy logs and unusual tunneling (see [Microsoft – BadPilot]).
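The audit below turns the "Harden GPO" item into something an AD administrator can run; it is an added example, not ESET's code or code from the original page. It assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host with rights to read GPOs, GPO reports and OU ACLs; the seven-day look-back and the list of expected editors are assumptions to tune for your domain. It covers the three things the mitigation names: recent creation or modification, startup/logon scripts, and who holds edit rights on GPOs or write access to gPLink (the ability to link a GPO) on the domain root and OUs.

```powershell
# Added example, not ESET's code or code from this page: audit Group Policy for
# the ZEROLOT delivery pattern (a wiper pushed to hosts through AD Group Policy).
# Assumes RSAT GroupPolicy + ActiveDirectory modules and read rights on GPOs,
# their XML reports and OU ACLs. Look-back window and editor list are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Since           = (Get-Date).AddDays(-7)
$ExpectedEditors = 'Domain Admins', 'Enterprise Admins', 'Administrators', 'SYSTEM'

# Per GPO: recent creation/modification, any startup/shutdown/logon/logoff script,
# and edit rights held by anyone outside the expected set.
$GpoFindings = foreach ($gpo in Get-GPO -All) {
    $findings = @()
    if ($gpo.ModificationTime -ge $Since) {
        $findings += "modified $($gpo.ModificationTime) (created $($gpo.CreationTime))"
    }
    # The XML report lists Scripts extension entries with Type/Command/Parameters.
    [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
    $scripts = @($report.GPO.Computer.ExtensionData.Extension.Script) +
               @($report.GPO.User.ExtensionData.Extension.Script)
    foreach ($s in ($scripts | Where-Object { $_ })) {
        $findings += "$($s.Type) script: $($s.Command) $($s.Parameters)"
    }
    $editors = Get-GPPermission -Guid $gpo.Id -All |
        Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' -and
                       $_.Trustee.Name -notin $ExpectedEditors }
    foreach ($e in $editors) {
        $findings += "edit right: $($e.Trustee.Name) ($($e.Permission))"
    }
    if ($findings) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Id = $gpo.Id; Findings = $findings -join '; ' }
    }
}
$GpoFindings | Format-Table -AutoSize -Wrap

# Who can link GPOs: write access to the gPLink attribute on the domain root or an
# OU lets an attacker attach a new malicious GPO without touching an existing one.
$gPLinkGuid = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'   # schemaIDGUID of gPLink
$WriteProp  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$Containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | ForEach-Object DistinguishedName)
foreach ($dn in $Containers) {
    foreach ($ace in (Get-Acl -Path "AD:\$dn").Access) {
        $who = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($ace.AccessControlType -eq 'Allow' -and
            (([int]$ace.ActiveDirectoryRights) -band $WriteProp) -ne 0 -and
            ($ace.ObjectType -eq $gPLinkGuid -or $ace.ObjectType -eq [guid]::Empty) -and
            $who -notin $ExpectedEditors) {
            "$dn : $($ace.IdentityReference) can write gPLink ($($ace.ActiveDirectoryRights))"
        }
    }
}
```

Run it from a scheduled job and diff the output against the previous run rather than reading it cold; the signal is a GPO that gained a startup script or an editor since yesterday, not the steady-state list. Group Policy Preferences immediate scheduled tasks are a second delivery vehicle for the same outcome, so extend the XML check to the ScheduledTasks extension if your domain uses preferences.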

Operational

  • Wiper readiness: destructive‑scenario tabletops; immutable/offline backups for IT/OT; validated recovery SLAs.

  • Access discipline: PAWs for admins; MFA on all remote services; prioritise patching of internet‑facing apps against the vulnerabilities Sandworm is known to exploit.

High‑Risk Indicators

Indicator Type | Value                 | Confidence
Tool           | LocalOlive web shell  | High (see [Microsoft – BadPilot])
Tool           | Neo‑REGEORG web shell | High (see [Microsoft – BadPilot])


Sources



© 2026 Noorstream Security. All Rights Reserved.
