- Group-IB: OPERA1ER
- Orange-CERT-CC: NXSMS
- SWIFT: Common Raven
- Mandiant: UNC4044 (not in the report)
This is just a preliminary post about my research of a threat actor (TA) or group (TG) that we have named "DESKTOP-Group". Other companies (Orange-CERT, Group-IB, SWIFT) have other names for this TA, but they are not yet publicly known or linked yet. (I will update this post, as soon as more becomes public)
We started tracking this TA's activity in early 2018, while analyzing the first malware laden attack mails during February 2018. For the next three years, we saw and analyzed 170 distinct attack mails (campaigns) from this TA, but during 2021 it became harder to link malware mails back to them with high confidence.
In 2019, I started sharing on Twitter about this TA, later starting to use the hashtag #DESKTOPgroup.
There is also a closed Google-group for research collaboration, mostly with people tracking or having access to emails or logs, related this TA's activity.