G0133 Nomadic Octopus

Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[4][2][1]

Item             | Value
ID               | G0133
Associated Names | DustSquad
Version          | 1.0
Created          | 24 August 2021
Last Modified    | 02 September 2022
Navigation Layer | View in ATT&CK® Navigator

Associated Group Descriptions

Name      | Description
DustSquad | [4][2][3]

Techniques Used

Domain     | ID        | Name                             | Use
enterprise | T1059     | Command and Scripting Interpreter | -
enterprise | T1059.001 | PowerShell                       | Nomadic Octopus has used PowerShell for execution.[1]
enterprise | T1059.003 | Windows Command Shell            | Nomadic Octopus used cmd.exe /c within a malicious macro.[1]
enterprise | T1564     | Hide Artifacts                   | -
enterprise | T1564.003 | Hidden Window                    | Nomadic Octopus executed PowerShell in a hidden window.[1]
enterprise | T1105     | Ingress Tool Transfer            | Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[1]
enterprise | T1036     | Masquerading                     | Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.[2]
enterprise | T1566     | Phishing                         | -
enterprise | T1566.001 | Spearphishing Attachment         | Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.[4][1]
enterprise | T1204     | User Execution                   | -
enterprise | T1204.002 | Malicious File                   | Nomadic Octopus has attempted to lure victims into clicking on malicious attachments within spearphishing emails.[2][1]

Software

ID    | Name    | References | Techniques
S0340 | Octopus | [4][2][1]  | Application Layer Protocol: Web Protocols; Archive Collected Data: Archive via Utility; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Data Encoding: Standard Encoding; Data from Local System; Data Staged: Local Data Staging; Exfiltration Over C2 Channel; Exfiltration Over Web Service: Exfiltration to Cloud Storage; File and Directory Discovery; Ingress Tool Transfer; Masquerading: Match Legitimate Name or Location; Phishing: Spearphishing Attachment; Screen Capture; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery; User Execution: Malicious File; Windows Management Instrumentation

References