>samit_hota
Back to adversary profiles
G0133HighActive

Nomadic Octopus: Persistent Cyber Espionage in Central Asia

Samit Hota·
Suspected Origin
Russia
Motivation
Espionage, Political Surveillance
Aliases
DustSquad
Target Sectors
Government, Diplomatic, Telecommunications, Public Services, Operational Technology, Individuals
Associated Malware
Octopus, custom Android/Windows malware, fgdump, Abbrevia
#threat-actor#g0133

Overview

Nomadic Octopus, also tracked as DustSquad (MITRE ATT&CK ID: G0133), is a sophisticated and persistent Russian-speaking cyber espionage threat group that has been active since at least 2014. This group primarily focuses on intelligence gathering operations against entities within Central Asia and former Soviet Union countries. Their campaigns are characterized by politically-motivated surveillance, aiming to acquire sensitive digital documents, emails, and communications for their national interests. While specific attribution can be challenging due to the use of public tools, their tactics, techniques, and procedures (TTPs) exhibit overlaps with other Russia-linked advanced persistent threat (APT) groups, such as Sofacy (APT28). The group’s operational language in their command and control infrastructure further points to a Russian origin.

Nomadic Octopus consistently targets high-ranking government officials, diplomatic missions, local governments, and individuals deemed valuable for intelligence. In recent years, they have expanded their targeting to include critical infrastructure, specifically telecommunication services and public service infrastructures, demonstrating a broader scope for intelligence collection. The group’s operations are intelligence-driven, and they show a clear preference for victims with government connections or access to public services, often removing access to compromised systems if the target proves irrelevant to their objectives.

Tactics & Techniques

Nomadic Octopus employs a range of tactics and techniques to achieve its cyber espionage objectives. Initial access is frequently gained through spear-phishing campaigns involving malicious attachments, luring victims into executing malware. They also exploit publicly available services and vulnerabilities to infiltrate target networks.

Once a foothold is established, Nomadic Octopus demonstrates a methodical approach to reconnaissance and lateral movement. A common entry point for broader campaigns involves compromising telecommunication firm networks, which then serve as a pivot to infiltrate government networks, executive systems, and operational technology (OT) devices. The group often leverages publicly known vulnerabilities for these lateral movements.

While engaged in active operations, the group has been observed taking screenshots of victim systems, particularly when targets are composing emails or drafting contracts, indicating a focus on real-time intelligence gathering. They are known to dump Windows system credentials using tools like fgdump. For execution, Nomadic Octopus utilizes command and scripting interpreters such as PowerShell, often executing scripts in hidden windows, and cmd.exe /c within malicious macros.

A notable characteristic of Nomadic Octopus is their sometimes less-than-stealthy operational security. Operators have been observed downloading tools and running commands during a victim’s active hours, occasionally causing permission pop-ups that could raise suspicion. To obscure their activities, they frequently rename their tools to masquerade as legitimate software updates, such as “Google Update,” “Chrome Update,” “Java Update,” or “Google Crash Handler,” and store them in less commonly checked directories.

Notable Campaigns

Nomadic Octopus has orchestrated several significant campaigns throughout its operational history. One of their earlier recognized operations, sometimes referred to simply as “Octopus,” targeted Kazakhstan. In 2018, this campaign notably involved attacks against the Democratic Choice (DVK) opposition party in Kazakhstan, where the group deployed their Octopus malware disguised as a Russian version of the Telegram messaging application. In a separate instance, Gcow Security reported the group’s attacks against the Ministry of Foreign Affairs of Uzbekistan in December 2019 to deploy the same malware.

More recently, since at least November 2020 and continuing through 2022, the group has been associated with “Operation Paperbug.” This intelligence-driven surveillance campaign primarily targeted Tajikistan, focusing on high-ranking government officials, telecommunication services, and public service infrastructures. The initial phase of Paperbug involved the infiltration of a Tajikistani telecommunications provider, which then facilitated lateral movement to compromise a wider array of targets, including government networks, executive systems, and various operational technology (OT) devices like gas station systems and cash registers. As of January 2022, the Paperbug operation had successfully backdoored 499 systems, demonstrating the scale and persistence of this campaign.

Associated Malware & Tools

Nomadic Octopus employs a mix of custom-developed and publicly available tools. Their primary custom malware is the Octopus Windows Trojan, written in the Delphi programming language. This versatile backdoor provides extensive capabilities, including system information discovery (such as real IP addresses and Windows directory details), arbitrary command execution, file download and upload, and data exfiltration. Octopus can also take screenshots of compromised systems and has been observed searching for compressed RAR files. It achieves persistence through registry run keys and by placing executables in startup directories. Communication with command and control (C2) servers typically occurs via HTTP GET and POST requests. The malware is frequently disguised to appear as legitimate applications, most notably a Russian interface version of Telegram Messenger.

Beyond Octopus, the group develops and utilizes custom Android malware for mobile targeting. For specific tasks, Nomadic Octopus incorporates public offensive tools into their operations, such as fgdump for Windows credential dumping and Abbrevia for archiving collected data before exfiltration. The use of generic public tools, while sometimes leading to operational security lapses, also serves to complicate definitive attribution.

Current Status

Nomadic Octopus remains an active and persistent threat actor. The group’s Operation Paperbug campaign, which began in 2020, was still actively spying on targets, including a Tajikistani telecommunications carrier, as of November 2020 and continued into early 2022. Recent reports from 2023 detail the group’s ongoing activities and analysis of their operational environment, indicating continued engagement in cyber espionage. Their consistent focus on Central Asian governments, diplomatic entities, telecommunications, and critical infrastructure underscores their enduring mandate for intelligence collection. There are no public indications that Nomadic Octopus has ceased its operations, suggesting they continue to pose a significant cyber espionage risk in their regions of interest.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call