G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
Analyst context for executives and security teams
Dragonfly matters because ATT&CK describes it as a long-running cyber espionage group attributed to Russia’s FSB Center 16, with reporting tied to defense, aviation, government, industrial control systems, and critical infrastructure targets. For leaders, the decision value is not the name alone; it is whether the organization can withstand supply chain, spearphishing, drive-by compromise, credential theft, discovery, and lateral movement behaviors that ATT&CK associates with this group.
Executive priority
Prioritize Dragonfly as a resilience and assurance scenario for organizations with critical infrastructure, ICS, defense, aviation, government, or supplier exposure. Executives should ask whether identity controls, Windows credential protections, remote access governance, supplier risk processes, and SOC visibility can produce evidence during an incident. Because Dragonfly 2.0 has been revoked into this object across enterprise and ICS contexts, teams should avoid treating older reporting as unrelated without analyst review.
Technical view
ATT&CK provides no official detection text for this group, so coverage should be validated through the linked behaviors and software. The relationship set emphasizes Windows credential access and administration tooling, including Mimikatz, PsExec, Net, Reg, netsh, Impacket, CrackMapExec, Backdoor.Oldrea, Trojan.Karagany, and MCMD. SOC and IR teams should map detections to credential dumping from SAM, NTDS, and LSA Secrets; registry querying; network and remote system discovery; user discovery; RDP lateral movement; local data collection; and ICS-related drive-by and supply chain compromise scenarios.
Likely telemetry
- Windows security events and authentication logs, especially domain controller and privileged account activity
- Endpoint process creation and command-line telemetry for Net, Reg, netsh, PsExec-like execution, credential dumping tools, and remote access tooling
- Registry access telemetry, especially sensitive hives and security-related paths
- Active Directory and domain controller monitoring for NTDS access, replication-like activity, and unusual administrative access
- RDP session logs and remote logon records
Detection direction
- Build behavior-based coverage rather than relying only on group or alias names, because Dragonfly has many aliases and Dragonfly 2.0 is revoked into this object.
- Validate detections for Windows credential access paths: SAM, NTDS.dit, LSA Secrets, Mimikatz-like behavior, and suspicious access from hosts or accounts that do not normally administer identity systems.
- Tune administrative-tool detections for context: Net, Reg, netsh, PsExec, Impacket, and CrackMapExec may be legitimate in IT operations, so baselines for administrators, jump hosts, maintenance windows, and domain controllers are essential.
- Correlate discovery commands, registry queries, RDP use, and credential access into incident narratives; single events may be noisy, but sequences can indicate hands-on-keyboard activity.
- For ICS or critical infrastructure environments, validate visibility at IT/OT boundaries and supplier pathways because the ATT&CK relationships include ICS drive-by compromise and supply chain compromise.
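The sequence logic in the detection direction above (discovery, account creation and hiding, firewall changes, credential dumping, RDP, log clearing) is easier to reason about as code. The correlator below is an added example, not ATT&CK text or any vendor's analytic. It classifies normalised events into procedure stages and raises a host only when several distinct stages land inside one window, which is what separates hands-on-keyboard activity from a lone administrator running net or reg. The event schema (field names such as command_line, target_object, logon_type), the stage regexes, the 24-hour window and the three-stage threshold are all assumptions to tune against your own baselines; every event in SAMPLE_EVENTS is constructed, and 203.0.113.0/24 is a documentation address range. The Sysmon event 13 check on the Winlogon SpecialAccounts\UserList key is the registry-side signal for the hidden-user behaviour the group page attributes to Dragonfly.

```python
"""Sequence correlation over constructed Windows telemetry (added example, not ATT&CK or vendor code).
Events mimic Sysmon process creation (event_id 1) and registry value set (13) plus Security events
4720, 4732, 4624 and 1102; field names assume a normalised SIEM schema and all events are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line patterns keyed by the stage of the Dragonfly procedure they evidence (assumed set).
CMDLINE_STAGES = {
    "discovery": re.compile(r"\b(?:net1?\s+(?:user|group|view)|nltest\b|query\s+user|reg\s+query)", re.I),
    "cred_dump": re.compile(r"(?:secretsdump|mimikatz|ntdsutil|reg\s+save\s+hklm\\(?:sam|security|system))", re.I),
    "firewall": re.compile(r"netsh\s+advfirewall\s+(?:set\s+\w+\s+state\s+off|firewall\s+add\s+rule.*localport\s*=\s*3389)", re.I),
    "persist": re.compile(r"(?:schtasks\s+/create|reg\s+add\s+.*\\run\b)", re.I),
    "log_clear": re.compile(r"\bwevtutil\s+cl\b", re.I),
}

def classify(event):
    """Return the set of stage labels a single normalised event evidences (empty if none)."""
    stages = set()
    src, eid = event["source"], event["event_id"]
    if src == "sysmon" and eid == 1:
        cmd = event.get("command_line", "")
        stages.update(label for label, rx in CMDLINE_STAGES.items() if rx.search(cmd))
    elif src == "sysmon" and eid == 13 and "SpecialAccounts\\UserList" in event.get("target_object", ""):
        stages.add("hidden_user")          # account hidden from the logon screen (T1564.002)
    elif src == "security":
        if eid == 4720:
            stages.add("account_create")   # local account created (T1136.001)
        elif eid == 4732 and event.get("group", "").lower() == "administrators":
            stages.add("admin_group_add")  # member added to Administrators (T1098.007)
        elif eid == 4624 and event.get("logon_type") == 10:
            stages.add("rdp_logon")        # RemoteInteractive logon (T1021.001)
        elif eid == 1102:
            stages.add("log_clear")        # audit log cleared
    return stages

def correlate(events, window_hours=24, min_stages=3):
    """Per host, take the window_hours window holding the most distinct stages; report hosts at or
    above min_stages as {host: {"start": iso_time, "chain": [stage, ...]}}, chain in first-seen order."""
    by_host = defaultdict(list)
    for ev_ in events:
        stages = classify(ev_)
        if stages:
            by_host[ev_["host"]].append((datetime.fromisoformat(ev_["time"]), stages))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h[0])
        best = None
        for i, (t0, _) in enumerate(hits):
            chain = []
            for t, stages in hits[i:]:
                if t - t0 > timedelta(hours=window_hours):
                    break
                for s in sorted(stages):
                    if s not in chain:
                        chain.append(s)
            if len(chain) >= min_stages and (best is None or len(chain) > len(best["chain"])):
                best = {"start": t0.isoformat(), "chain": chain}
        if best:
            alerts[host] = best
    return alerts

def ev(host, time, source, event_id, **fields):
    return {"host": host, "time": time, "source": source, "event_id": event_id, **fields}

SAMPLE_EVENTS = [  # constructed telemetry; 203.0.113.0/24 is a documentation range
    ev("ws-eng-17", "2026-03-02T08:05:00", "sysmon", 1, command_line='net group "domain admins" /domain'),
    ev("ws-eng-17", "2026-03-02T08:06:00", "sysmon", 1, command_line="nltest /domain_trusts"),
    ev("ws-eng-17", "2026-03-02T08:20:00", "security", 4720, target_user="backup_svc"),
    ev("ws-eng-17", "2026-03-02T08:21:00", "security", 4732, target_user="backup_svc", group="Administrators"),
    ev("ws-eng-17", "2026-03-02T08:22:00", "sysmon", 13,
       target_object=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\backup_svc"),
    ev("ws-eng-17", "2026-03-02T08:30:00", "sysmon", 1, command_line="netsh advfirewall set allprofiles state off"),
    ev("ws-eng-17", "2026-03-02T09:10:00", "sysmon", 1, command_line="python.exe secretsdump.py -system SYSTEM.save -ntds ntds.dit LOCAL"),
    ev("ws-eng-17", "2026-03-02T11:00:00", "security", 4624, logon_type=10, src_ip="203.0.113.45"),
    ev("ws-eng-17", "2026-03-02T11:45:00", "sysmon", 1, command_line="wevtutil cl Security"),
    ev("ws-eng-17", "2026-03-02T12:00:00", "sysmon", 1, command_line=r"notepad.exe C:\Users\jsmith\notes.txt"),
    # A domain controller with one routine admin RDP logon and one discovery command stays below threshold.
    ev("dc-01", "2026-03-02T02:00:00", "security", 4624, logon_type=10, src_ip="10.0.5.10"),
    ev("dc-01", "2026-03-02T02:05:00", "sysmon", 1, command_line="net user /domain"),
]

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert["start"], " -> ".join(alert["chain"]))
```

Run as-is it reports only ws-eng-17, with an eight-stage chain starting at the domain-admin enumeration; dc-01 stays silent because an RDP logon plus one net command is ordinary administration. Lowering min_stages to 2 surfaces dc-01, which is the knob to set per host class (jump hosts and domain controllers tolerate more single stages than an engineering workstation).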
Mitigation priorities
- Start with identity hardening: reduce standing privilege, protect domain controllers, monitor privileged accounts, and restrict credential exposure on Windows systems.
- Govern remote administration and lateral movement paths, including RDP and tools such as PsExec; require approved jump paths and strong authentication where applicable.
- Improve endpoint and domain controller logging before assuming detection coverage, especially for process execution, registry access, and credential store access.
- Strengthen supplier and software update assurance for environments where ICS or critical infrastructure dependency exists.
- Segment and monitor IT/OT boundaries and limit unnecessary access from enterprise systems into control system environments.
Analyst notes and limits
The supplied ATT&CK object identifies Dragonfly as a group with multiple aliases and links it to enterprise and ICS-relevant behaviors. The most actionable relationship context is the use of Windows tools, credential dumping techniques, remote access/lateral movement, discovery, and ICS supply chain or drive-by compromise techniques. Local asset criticality, supplier relationships, identity architecture, and logging maturity determine how material this is for a specific organization.
ATT&CK does not provide official detection guidance, object-level platforms, or object-level tactics for this group in the supplied fields. The relationship list is not necessarily complete, and several related descriptions are truncated. This take does not assert current activity, customer exposure, or guaranteed detection coverage; environment-specific validation is required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure [ATT&CK citation keys] |
|---|---|---|---|
| Enterprise | T1560 | Archive Collected Data | Dragonfly has compressed data into .zip files prior to exfiltration. [US-CERT TA18-074A] |
| Enterprise | T1113 | Screen Capture | Dragonfly has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). [US-CERT TA18-074A; Symantec Dragonfly Sept 2017; Gigamon Berserk Bear October 2021] |
| Enterprise | T1564.002 | Hidden Users | Dragonfly has modified the Registry to hide created user accounts. [US-CERT TA18-074A] |
| Enterprise | T1505.003 | Web Shell | Dragonfly has commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files. [US-CERT TA18-074A] |
| Enterprise | T1204.002 | Malicious File | Dragonfly has used various forms of spearphishing in attempts to get users to open malicious attachments. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1591.002 | Business Relationships | Dragonfly has collected open source information to identify relationships between organizations for targeting purposes. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1078 | Valid Accounts | Dragonfly has compromised user credentials and used valid accounts for operations. [US-CERT TA18-074A; Gigamon Berserk Bear October 2021; CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1016 | System Network Configuration Discovery | Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain. [US-CERT TA18-074A] |
| Enterprise | T1584.004 | Server | Dragonfly has compromised legitimate websites to host C2 and malware modules. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1083 | File and Directory Discovery | Dragonfly has used a batch script to gather folder and file names from victim hosts. [US-CERT TA18-074A; Gigamon Berserk Bear October 2021; CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1136.001 | Local Account | Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target. [US-CERT TA18-074A] |
| Enterprise | T1221 | Template Injection | Dragonfly has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication. [US-CERT TA18-074A] |
| Enterprise | T1203 | Exploitation for Client Execution | Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1110.002 | Password Cracking | Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec. [US-CERT TA18-074A; Kali Hydra] |
| Enterprise | T1608.004 | Drive-by Target | Dragonfly has compromised websites to redirect traffic and to host exploit kits. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1012 | Query Registry | Dragonfly has queried the Registry to identify victim information. [US-CERT TA18-074A] |
| Enterprise | T1566.001 | Spearphishing Attachment | Dragonfly has sent emails with malicious attachments to gain initial access. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1189 | Drive-by Compromise | Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit. [Secureworks IRON LIBERTY July 2019; US-CERT TA18-074A; Gigamon Berserk Bear October 2021] |
| Enterprise | T1583.001 | Domains | Dragonfly has registered domains for targeting intended victims. [CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1003.002 | Security Account Manager | Dragonfly has dropped and executed SecretsDump to dump password hashes. [US-CERT TA18-074A] |
| Enterprise | T1598.002 | Spearphishing Attachment | Dragonfly has used spearphishing with Microsoft Office attachments to enable harvesting of user credentials. [US-CERT TA18-074A] |
| Enterprise | T1005 | Data from Local System | Dragonfly has collected data from local victim systems. [US-CERT TA18-074A] |
| Enterprise | T1070.004 | File Deletion | Dragonfly has deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots. [US-CERT TA18-074A] |
| Enterprise | T1059 | Command and Scripting Interpreter | Dragonfly has used the command line for execution. [US-CERT TA18-074A] |
| Enterprise | T1685.005 | Clear Windows Event Logs | Dragonfly has cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys. [US-CERT TA18-074A] |
| Enterprise | T1686 | Disable or Modify System Firewall | Dragonfly has disabled host-based firewalls. The group has also globally opened port 3389. [US-CERT TA18-074A] |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1588.002 | Tool | Dragonfly has obtained and used tools such as Mimikatz, CrackMapExec, and PsExec. [Secureworks IRON LIBERTY July 2019] |
| Enterprise | T1195.002 | Compromise Software Supply Chain | Dragonfly has placed trojanized installers for control system software on legitimate vendor app stores. [Secureworks IRON LIBERTY July 2019; Gigamon Berserk Bear October 2021] |
| Enterprise | T1036.010 | Masquerade Account Name | Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account. [US-CERT TA18-074A] |
| Enterprise | T1003.003 | NTDS | Dragonfly has dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. [US-CERT TA18-074A; Core Security Impacket] |
| Enterprise | T1098.007 | Additional Local or Domain Groups | Dragonfly has added newly created accounts to the administrators group to maintain elevated access. [US-CERT TA18-074A] |
| Enterprise | T1583.003 | Virtual Private Server | Dragonfly has acquired VPS infrastructure for use in malicious campaigns. [Gigamon Berserk Bear October 2021] |
| Enterprise | T1059.003 | Windows Command Shell | Dragonfly has used various types of scripting to perform operations, including batch scripts. [US-CERT TA18-074A] |
| Enterprise | T1071.002 | File Transfer Protocols | Dragonfly has used SMB for C2. [US-CERT TA18-074A] |
| Enterprise | T1598.003 | Spearphishing Link | Dragonfly has used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites. [US-CERT TA18-074A] |
| Enterprise | T1053.005 | Scheduled Task | Dragonfly has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files. [US-CERT TA18-074A] |
| Enterprise | T1069.002 | Domain Groups | Dragonfly has used batch scripts to enumerate administrators and users in the domain. [US-CERT TA18-074A] |
| Enterprise | T1114.002 | Remote Email Collection | Dragonfly has accessed email accounts using Outlook Web Access. [US-CERT TA18-074A] |
| Enterprise | T1595.002 | Vulnerability Scanning | Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services. [CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence. [US-CERT TA18-074A] |
| Enterprise | T1105 | Ingress Tool Transfer | Dragonfly has copied and installed tools for operations once in the victim environment. [US-CERT TA18-074A] |
| Enterprise | T1133 | External Remote Services | Dragonfly has used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. [US-CERT TA18-074A; CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1003.004 | LSA Secrets | Dragonfly has dropped and executed SecretsDump to dump password hashes. [US-CERT TA18-074A; Core Security Impacket] |
| Enterprise | T1190 | Exploit Public-Facing Application | Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs. [CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1135 | Network Share Discovery | Dragonfly has identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. [US-CERT TA18-074A] |
| Enterprise | T1110 | Brute Force | Dragonfly has attempted to brute force credentials to gain access. [CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1021.001 | Remote Desktop Protocol | Dragonfly has moved laterally via RDP. [US-CERT TA18-074A] |
| Enterprise | T1187 | Forced Authentication | Dragonfly has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. [US-CERT TA18-074A; Gigamon Berserk Bear October 2021] |
| Enterprise | T1033 | System Owner/User Discovery | Dragonfly used the command |
| Enterprise | T1074.001 | Local Data Staging | Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it. [US-CERT TA18-074A] |
| Enterprise | T1059.001 | PowerShell | Dragonfly has used PowerShell scripts for execution. [US-CERT TA18-074A; Symantec Dragonfly Sept 2017] |
| Enterprise | T1210 | Exploitation of Remote Services | Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers. [CISA AA20-296A Berserk Bear December 2020] |
| Enterprise | T1059.006 | Python | Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim. [US-CERT TA18-074A] |
| Enterprise | T1018 | Remote System Discovery | Dragonfly has likely obtained a list of hosts in the victim environment. [US-CERT TA18-074A] |
| Enterprise | T1087.002 | Domain Account | Dragonfly has used batch scripts to enumerate users on a victim domain controller. [US-CERT TA18-074A] |
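The Template Injection and Forced Authentication rows above describe Word attachments whose template reference points at an attacker-controlled SMB path, so that merely opening the document makes the host authenticate outbound. The scanner below is an added example, not ATT&CK text and not a real Dragonfly artefact: it builds a minimal constructed .docx in memory and flags external relationship targets that Word resolves without user interaction. Treating attachedTemplate, oleObject and image relationships as auto-fetched is this example's assumption, as are the 203.0.113.0/24 documentation address and the hypothetical file names; hyperlink relationships are deliberately excluded because they need a click. A scanner like this belongs alongside, not instead of, blocking outbound SMB at the perimeter, which is what actually stops the hash from leaving.

```python
"""Scan a .docx for external relationships that trigger an outbound fetch (and NTLM authentication
to an SMB/WebDAV host) as soon as Word opens the file. Added example; the relationship-type list,
the constructed sample document and its targets are assumptions, not Dragonfly artefacts."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types Word resolves without user interaction (assumed list for this example).
AUTO_FETCH_TYPES = {OFFICE_REL + t for t in ("attachedTemplate", "oleObject", "image")}

def is_remote(target):
    """True for UNC paths and URLs that name a host; False for relative or local-drive targets."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True                      # \\host\share\file.dotm
    parsed = urlparse(t)
    return parsed.scheme.lower() in {"file", "http", "https", "smb"} and bool(parsed.netloc)

def scan_docx(data):
    """Return [(rels_part, relationship_type, target)] for auto-fetched external targets."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for part in zf.namelist():
            if not part.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                rtype, target = rel.get("Type", ""), rel.get("Target", "")
                if rel.get("TargetMode") == "External" and rtype in AUTO_FETCH_TYPES and is_remote(target):
                    findings.append((part, rtype.rsplit("/", 1)[-1], target))
    return findings

def build_docx(template_target=None, hyperlink=None):
    """Construct a minimal .docx in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                    '<Default Extension="xml" ContentType="application/xml"/></Types>')
        zf.writestr("_rels/.rels", f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                    f'Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/></Relationships>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        # settings.xml carries <w:attachedTemplate r:id="rId1"/>; the target itself lives in the .rels part.
        zf.writestr("word/settings.xml",
                    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                    f'xmlns:r="{OFFICE_REL}">' + ('<w:attachedTemplate r:id="rId1"/>' if template_target else "")
                    + "</w:settings>")
        srels = f'<Relationships xmlns="{REL_NS}">'
        if template_target:
            srels += f'<Relationship Id="rId1" Type="{OFFICE_REL}attachedTemplate" Target="{template_target}" TargetMode="External"/>'
        zf.writestr("word/_rels/settings.xml.rels", srels + "</Relationships>")
        drels = f'<Relationships xmlns="{REL_NS}">'
        if hyperlink:
            drels += f'<Relationship Id="rId2" Type="{OFFICE_REL}hyperlink" Target="{hyperlink}" TargetMode="External"/>'
        zf.writestr("word/_rels/document.xml.rels", drels + "</Relationships>")
    return buf.getvalue()

if __name__ == "__main__":
    lure = build_docx(template_target=r"\\203.0.113.5\templates\normal.dotm")   # constructed, TEST-NET-3
    print(scan_docx(lure))
    print(scan_docx(build_docx(hyperlink="http://example.test/report")))        # click-only: nothing
```

The check is deliberately on the relationship parts rather than on document.xml, because that is where the external target is recorded regardless of which part references it; a local file:///C:/ template path or a relative target is left alone so that ordinary corporate templates do not page the SOC.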
Groups, software, and campaigns
G0074: Dragonfly 2.0
Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. [1] [2] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. [3][4]
S0500: MCMD
S0039: Net
The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]
Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.
S0357: Impacket
S0488: CrackMapExec
CrackMapExec, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. CrackMapExec collects Active Directory information to conduct lateral movement through targeted networks.[1]
S0075: Reg
S0093: Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor that was used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise, and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]
S0002: Mimikatz
S0029: PsExec
S0094: Trojan.Karagany
Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [1][2][3]
S0108: netsh
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 4.0 | | Current bundle | af4de2ac45e0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] DOJ Russia Targeting Critical Infrastructure March 2022. Department of Justice. (2022, March 24). Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide. Retrieved April 5, 2022.
- [2] UK GOV FSB Factsheet April 2022. UK Gov. (2022, April 5). Russia's FSB malign activity: factsheet. Retrieved April 5, 2022.
- [3] Symantec Dragonfly. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- [4] Secureworks IRON LIBERTY July 2019. Secureworks. (2019, July 24). Resurgent Iron Liberty Targeting Energy Sector. Retrieved August 12, 2020.
- [5] Symantec Dragonfly Sept 2017. Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
- [6] Fortune Dragonfly 2.0 Sept 2017. Hackett, R. (2017, September 6). Hackers Have Penetrated Energy Grid, Symantec Warns. Retrieved June 6, 2018.
- [7] Gigamon Berserk Bear October 2021. Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
- [8] CISA AA20-296A Berserk Bear December 2020. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
- [9] Symantec Dragonfly 2.0 October 2017. Symantec. (2017, October 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved April 19, 2022.
- [10] BROMINE (alias). (Citation: Microsoft Threat Actor Naming July 2023)
- [11] Berserk Bear (alias). (Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)
- [12] Crouching Yeti (alias). (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)
- [13] DYMALLOY (alias). (Citation: Dragos DYMALLOY)(Citation: UK GOV FSB Factsheet April 2022)
- [14] Dragonfly (alias). (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)
- [15] Dragos DYMALLOY. Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
- [16] Energetic Bear (alias). (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: Gigamon Berserk Bear October 2021)(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022)
- [17] Ghost Blizzard (alias). (Citation: Microsoft Threat Actor Naming July 2023)
- [18] IRON LIBERTY (alias). (Citation: Secureworks IRON LIBERTY July 2019)(Citation: Secureworks MCMD July 2019)(Citation: Secureworks Karagany July 2019)(Citation: UK GOV FSB Factsheet April 2022)
- [19] Mandiant Ukraine Cyber Threats January 2022. Hultquist, J. (2022, January 20). Anticipating Cyber Threats as the Ukraine Crisis Escalates. Retrieved January 24, 2022.
- [20] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [21] Secureworks Karagany July 2019. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- [22] Secureworks MCMD July 2019. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- [23] TEMP.Isotope (alias). (Citation: Mandiant Ukraine Cyber Threats January 2022)(Citation: Gigamon Berserk Bear October 2021)
- [24] TG-4192 (alias). (Citation: Secureworks IRON LIBERTY July 2019)(Citation: UK GOV FSB Factsheet April 2022)
- [25] mitre-attack G0035 (ATT&CK source object reference).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.