Unveiling 11 New Adversary Playbooks

Clock Icon 3 min read

This post is also available in: 日本語 (Japanese)

Today, Unit 42 released 11 new Adversary Playbooks as part of our mission to provide actionable threat intelligence. We use Playbooks to organize the tools, techniques, and procedures (TTPs) that an adversary uses into a structured format that can easily be shared and built upon. All of the Playbooks we have released can be accessed through our Playbook Viewer.

Here are brief descriptions of the new Unit 42 Adversary Playbooks:

  • MuddyWater: In Spring 2019, the group altered its TTPs to evade particular security controls in the BlackWater attack campaign. An espionage campaign previously conflated with FIN7 activity, MuddyWater was first reported by Unit 42 in November 2017.
  • Scarlet Mimic: Unveiled by Unit 42 in early 2016 and active since at least 2014, this espionage campaign largely targeted Tibetan and Uyghur activists using a suite of custom Windows and Android malware.
  • Inception: Active since at least 2014, this adversary used custom malware for a variety of platforms to target a range of industries, primarily in Russia, but also around the world. In October 2018 Inception used a new PowerShell backdoor and CVE-2017-11882 in attacks against European targets.
  • Windshift: In February 2019, Unit 42 shared additional targeting and technical data tied to this espionage group, first reported in October 2018. The group’s targets are primarily located in the Middle East. It is unique in that it only targets OSX systems with custom malware.
  • Sofacy: Active since at least 2007, this Russian-attributed espionage group persistently attacked government and private organizations around the world from mid-October 2018 through mid-November 2018. The majority of targets were NATO-aligned nation states, although several former USSR nation states were also targeted.
  • Chafer: Active since at least 2015, the espionage group Chafer in November 2018 targeted a Turkish government entity. While investigating, Unit 42 discovered a new secondary Python-based payload we named MechaFlounder, marking the first time Unit 42 observed this group use a Python-based payload.
  • Gorgon Group: Unit 42 researchers unveiled this group in August 2018, which performed a litany of attacks and operations around the globe, involving both criminal as well as targeted attacks. It was discovered while monitoring Subaat, an apparent member of Gorgon Group, who Unit 42 started tracking in 2017.
  • Cobalt Gang: While investigating ongoing commodity attacks by this group in October 2018, Unit 42 identified the use of a common macro builder and specific document metadata that allowed us to track and cluster new activity and infrastructure.
  • Th3bug: In the summer of 2014, this cyber espionage group, which compromised multiple websites to use in watering hole attacks. Watering hole attacks offer a much better chance of success because they involve compromising legitimate websites and install malware intended to infect website visitors. These often target popular websites frequented by people who work in specific industries or have political sympathies to which the actors want to gain access.
  • Rocke: In January 2019, Unit 42 revealed that this China-based cybercrime group had added new code to its Linux coin mining malware to uninstalls five different cloud security protection and monitoring products from compromised servers. The products were developed by Tencent Cloud and Alibaba Cloud (Aliyun), the two leading cloud providers in China that are expanding their business globally. This is the first malware family Unit 42 has seen with the unique capability to target and remove cloud security products.
  • CozyDuke: Active since at least 2008, this Russian-attributed espionage group launched a spear phishing campaign beginning in early July 2015 that leveraged new malware we named MiniDionis. The new malware, which is related to the group’s Seaduke malware, appeared to target government organizations and think-tanks located in democratic countries, and utilized compromised, legitimate websites for spear phishing and C2 activity.

All Adversary Playbooks can be viewed here.

Palo Alto Networks has shared our findings, including file samples and indicators of compromise, in this report with our fellow Cyber Threat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. For more information on the Cyber Threat Alliance, visit

Enlarged Image