{"description": "Enterprise techniques used by C0026, ATT&CK campaign C0026 (v1.0)", "name": "C0026 (C0026)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "For [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors re-registered expired C2 domains previously used for [ANDROMEDA](https://attack.mitre.org/software/S1074) malware.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors used WinRAR to collect documents on targeted systems. The threat actors appeared to only exfiltrate files created after January 1, 2021.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors collected documents from compromised hosts.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1030", "comment": "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors split encrypted archives containing stolen files and information into 3MB parts prior to exfiltration.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors re-registered a ClouDNS dynamic DNS subdomain which was previously used by [ANDROMEDA](https://attack.mitre.org/software/S1074).(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "During [C0026](https://attack.mitre.org/campaigns/C0026), the threat actors downloaded malicious payloads onto select compromised hosts.(Citation: Mandiant Suspected Turla Campaign February 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by C0026", "color": "#66b1ff"}]}