G0133: Nomadic Octopus
Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[1][2][3]
Analyst context for executives and security teams
Nomadic Octopus matters as an espionage-focused group profile because ATT&CK ties it to long-running targeting of Central Asia, including governments, diplomatic missions, and individuals, with Android and Windows malware and custom variants. For leaders, the practical takeaway is not a single indicator to block; it is a reminder to validate resilience against targeted phishing, user-executed malicious files, Windows script execution, masquerading, hidden execution, and tool transfer behaviors that can support quiet intelligence collection.
Executive priority
Prioritize this profile when the organization has Central Asia exposure, government/diplomatic relationships, high-risk individuals, or compliance obligations requiring evidence of phishing defense, endpoint monitoring, and incident response readiness. Budget and assurance discussions should focus on whether the SOC can see suspicious attachments, PowerShell/cmd execution, disguised files or processes, hidden windows, and external tool downloads—not whether the organization recognizes the group name.
Technical view
ATT&CK provides no official detection text for this group, but relationships give defenders a validation path. Nomadic Octopus is linked to Octopus, a Windows Trojan written in Delphi, and to techniques including Spearphishing Attachment, Malicious File, PowerShell, Windows Command Shell, Masquerading, Hidden Window, and Ingress Tool Transfer. SOC and IR teams should test whether email, endpoint, process, script, file, and network telemetry can reconstruct a likely chain from attachment delivery and user execution through script or shell activity, evasive naming/window behavior, and downloaded tooling. Because the group object has no specified platforms or tactics, detection engineering should be technique-led rather than assuming complete platform coverage from this ATT&CK entry.
Likely telemetry
- Email security logs and message metadata for targeted attachments
- Attachment detonation or file analysis results where available
- Endpoint process creation events, especially PowerShell and Windows command shell activity
- Script block, command-line, and parent-child process telemetry on Windows systems
- File creation, rename, path, metadata, and execution events relevant to masquerading
Detection direction
- Build coverage around the related techniques rather than the group label: T1566.001, T1204.002, T1059.001, T1059.003, T1036, T1564.003, and T1105.
- Validate end-to-end correlation from inbound attachment to endpoint execution and outbound transfer activity; isolated alerts may miss the operational pattern.
- Tune PowerShell and cmd detections for suspicious parent processes, encoded or unusual command lines, and execution following document or attachment activity, while accounting for legitimate administration.
- Review masquerading detections for unusual names, locations, metadata, or renamed utilities; expect false positives from software installers and admin tooling.
- Check whether hidden-window or non-interactive execution is visible in endpoint telemetry; this is a common blind spot when only high-level antivirus alerts are retained.
Mitigation priorities
- Strengthen spearphishing attachment controls first: filtering, attachment analysis, safe handling workflows, and user reporting paths.
- Harden endpoint execution paths for malicious files, PowerShell, and Windows command shell using least privilege and controlled script execution policies where operationally feasible.
- Improve endpoint logging retention and centralization so IR teams can investigate process lineage, file changes, and network downloads.
- Use application control or execution allow-listing where appropriate to reduce success of disguised or user-launched malware.
- Review egress controls and monitoring for unexpected external file transfers from endpoints.
Analyst notes and limits
This take is based only on the supplied ATT&CK group object, external references, and listed relationships. The group is also known as DustSquad. ATT&CK describes it as Russian-speaking and espionage-focused, primarily targeting Central Asia since at least 2014; this does not by itself establish current activity or exposure for any specific organization.
The group object does not specify platforms, tactics, or official detection guidance. Several related techniques list broader platforms, but the supplied software relationship specifically identifies Octopus as Windows malware, while the group description also mentions Android malware. Organizations need local asset, identity, email, endpoint, mobile, and network evidence to determine actual relevance and coverage.
Nomadic Octopus
Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[1][2][3]
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Nomadic Octopus used |
| Enterprise | T1036 | Masquerading | Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.CitationSecurelist Octopus Oct 2018 |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Nomadic Octopus has targeted victims with spearphishing emails containing malicious attachments.CitationSecurity Affairs DustSquad Oct 2018CitationESET Nomadic Octopus 2018 |
| Enterprise | T1204.002 | Malicious File Sub-technique | Nomadic Octopus as attempted to lure victims into clicking on malicious attachments within spearphishing emails.CitationSecurelist Octopus Oct 2018CitationESET Nomadic Octopus 2018 |
| Enterprise | T1105 | Ingress Tool Transfer | Nomadic Octopus has used malicious macros to download additional files to the victim's machine.CitationESET Nomadic Octopus 2018 |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Nomadic Octopus executed PowerShell in a hidden window.CitationESET Nomadic Octopus 2018 |
| Enterprise | T1059.001 | PowerShell Sub-technique | Nomadic Octopus has used PowerShell for execution.CitationESET Nomadic Octopus 2018 |
Groups, software, and campaigns
S0340: Octopus
Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.0 | Current bundle | 9cb9bdfc32af… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Security Affairs DustSquad Oct 2018
Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
Open source URL -
[2]
Securelist Octopus Oct 2018
Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
Open source URL -
[3]
ESET Nomadic Octopus 2018
Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
Open source URL -
[4]
DustSquad
(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: SecurityWeek Nomadic Octopus Oct 2018)
-
[5]
Nomadic Octopus
(Citation: SecurityWeek Nomadic Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)
-
[6]
SecurityWeek Nomadic Octopus Oct 2018
Kovacs, E. (2018, October 18). Russia-Linked Hackers Target Diplomatic Entities in Central Asia. Retrieved October 13, 2021.
Open source URL -
[7]
mitre-attack G0133Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.