THREATOPS Actor Dossier
LIVE ← Dashboard

Dragonfly

G00351 reports
aliases · Dragonfly · TEMP.Isotope · DYMALLOY · Berserk Bear · TG-4192 · Crouching Yeti · IRON LIBERTY · Energetic Bear · Ghost Blizzard · BROMINE
Export dossier:
1
Reports
12
Techniques
6
Tactics
5
Countries
26%
Hunt coverage
10
Aliases

Analyst assessment — key judgments

  • Signature techniques: T1583 (Acquire Infrastructure), T1003 (OS Credential Dumping), T1602 (Data from Configuration Repository).
  • Primary targeting: RU, US, AU, CA.
  • Newly emerged: 1 report(s) in last 30d vs 0 prior (+100%).
  • Recent movement: 31 new technique(s), 35 new infrastructure indicator(s) in the last 30 days.
  • Hunt coverage 26% of 31 observed techniques (23 gap(s)).
  • Assessment confidence: high (95).

Activity & trend

Newly emergedLast 30d: 1 vs 0 prior (+100%)· first reported 2026-07-13 · last 2026-07-13
1
7d
1
30d
1
90d
1
All
0.1
Rpts/wk
Reporting timeline · 12 months

Movement — last 30 days

New techniques
T1583T1003T1602T1590.005T1584.008T1588.006T1071T1584.003T1190T1602.002T1595.002T1595
Targeting gained
AUCANZRUUS
New infrastructure
https://www.ic3.gov/PSA/2025/PSA250820https://media.defense.gov/2026/Jul/09/20https://www.cve.org/CVERecord?id=CVE-201https://www.cve.org/CVERecord?id=CVE-200https://media.defense.gov/2025/Aug/22/20https://www.nsa.gov/About/Cybersecurity-https://media.defense.gov/2022/Jun/15/20https://www.cyber.gc.ca/en/guidance/routhttps://www.cyber.gc.ca/en/guidance/secuhttps://www.cyber.gc.ca/en/guidance/guidhttps://www.cyber.gc.ca/en/guidance/basehttps://www.cyber.gc.ca/en/guidance/top-

Vulnerabilities in this actor's reporting · 2

Overview

Analyst triage
Intelligence summary

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.(Citation: DOJ Russia Targeting Critical Infrastructure March 2022)(Citation: UK GOV FSB Factsheet April 2022) Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.(Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)(Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)(Citation: Symantec Dragonfly 2.0 October 2017)

Top co-occurring indicators
    Aliases & naming
      Targeting · countries
        Targeting · named victims

          ATT&CK technique matrix

          Coverage vs hunt library:
          Hunt-coverage gaps — prioritized

            Top techniques by observation

            Threat catalogue · engineering roadmap0

            Flagged detection-engineering queue

            Uncovered techniques you flagged for hunt / detection build-out, aggregated across every actor you visit. Stored locally in your browser.

              No techniques queued yet — flag a gap above to add it here.

              Infrastructure

              IOC type mix
              Tooling / malware families
                Tracked infrastructure

                Relationships

                Related actors (behavioral cluster)
                  Attributed malware
                  Campaigns
                  No behavioral cluster, attributed malware, or campaigns recorded for this actor yet.

                  Activity

                  30-day mention timeline
                  Recent reporting
                  TitleSourceSeverityCollected