GANANITE
Impersonates victims, exploits vulnerabilities, targets internet-exposed endpoints, and exfiltrates data.

GANANITE targets critical infrastructure and government entities in the Commonwealth of Independent States and Central Asian nations, focusing on espionage and data theft with the possibility of handing off initial access to other threat groups.
Although GANANITE has not yet shown evidence of moving into OT networks or an elevated capability resembling Stage 2 actions, their assessed capabilities show efficient use of multiple phases across Stage 1 of the ICS Kill Chain.
Industrial organizations in Europe and Central Asia face a significant risk from GANANITE due to their initial intrusion capabilities, post-compromise espionage TTPs, and intellectual property theft, all of which can be used in follow-on attacks against the victim organizations.
Date: Since 2022
ADVERSARY
- Overlap with YORO TROOPER, TOMIRIS, STURGEON PHISHER
CAPABILITIES
- Uses multiple remote access trojans (RATs) and public proof-of-concept exploits
- Credential phishing via lookalike domains
VICTIM
- Targets Commonwealth of Independent States & Central Asia
- Focus on Oil & Gas, Logistics, Transportation, and Government entities
INFRASTRUCTURE
- Frequent use of VPNs and anonymizing infrastructure
- Uses a Telegram bot for data exfiltration
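As an added example (not part of the Dragos profile and not GANANITE tooling), the Python below flags two of the listed behaviours in web proxy logs: requests to the Telegram Bot API, whose public path form is `/bot<id>:<token>/<method>`, and contacts to lookalike domains that differ from an allowlisted legitimate domain by homoglyph substitution or a small edit distance. The log format, the domain allowlist, the client addresses and the sample lines are constructed for illustration; the bot token in them is not a real token.

```python
"""Detection of Telegram Bot API exfiltration and lookalike-domain contacts
in proxy logs.  Log format and all sample data are constructed for this example."""
import re
from urllib.parse import urlsplit

TELEGRAM_HOST = "api.telegram.org"
# Bot API paths look like /bot<numeric id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(r"^/bot\d+:[A-Za-z0-9_-]{30,}/(\w+)")
# Methods that carry data out of the network (vs. polling for operator commands)
EXFIL_METHODS = {"senddocument", "sendphoto", "sendvideo", "sendaudio", "sendmessage"}

# Constructed log layout: <ts> <client> <method> <url> <status> <bytes_out>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, nbytes = m.groups()
    return {"ts": ts, "client": client, "method": method, "url": url,
            "status": int(status), "bytes_out": int(nbytes)}


def telegram_bot_method(url):
    """Return the Bot API method name if the URL is a Bot API call, else None."""
    u = urlsplit(url)
    if u.hostname != TELEGRAM_HOST:
        return None
    m = TELEGRAM_BOT_RE.match(u.path)
    return m.group(1) if m else None


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Collapse common homoglyph tricks (rn->m, 0->o, 1->l, vv->w, cl->d)."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")):
        label = label.replace(src, dst)
    return label


def lookalike_of(host, legit_domains, max_dist=2):
    """Return the legitimate domain that `host` imitates, or None."""
    if host is None:
        return None
    if any(host == d or host.endswith("." + d) for d in legit_domains):
        return None                      # the real domain or a subdomain of it
    parts = host.split(".")
    if len(parts) < 2:
        return None
    sld = parts[-2]                      # registrable label, e.g. "example-gov"
    for legit in legit_domains:
        lsld = legit.split(".")[-2]
        if len(lsld) < 6:
            continue                     # short labels give too many near misses
        if sld == lsld or normalize(sld) == normalize(lsld) \
                or levenshtein(sld, lsld) <= max_dist:
            return legit
    return None


def analyze(lines, legit_domains):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        method = telegram_bot_method(rec["url"])
        if method:
            findings.append({"type": "telegram_bot", "client": rec["client"],
                             "ts": rec["ts"], "method": method,
                             "exfil": method.lower() in EXFIL_METHODS,
                             "bytes_out": rec["bytes_out"]})
        host = urlsplit(rec["url"]).hostname
        target = lookalike_of(host, legit_domains)
        if target:
            findings.append({"type": "lookalike", "client": rec["client"],
                             "ts": rec["ts"], "host": host, "imitates": target})
    return findings


# Constructed allowlist and sample log lines (hypothetical domains and token)
LEGIT_DOMAINS = ["example-gov.kz", "kaztransport.org"]
SAMPLE_LOG = """
2024-03-04T09:12:01Z 10.1.20.15 POST https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly_0123456789ab/sendDocument 200 524288
2024-03-04T09:12:40Z 10.1.20.15 GET https://api.telegram.org/bot123456789:AAFakeTokenForExampleOnly_0123456789ab/getUpdates 200 312
2024-03-04T09:13:05Z 10.1.20.22 GET https://mail.example-gov.kz/owa/ 200 1024
2024-03-04T09:13:30Z 10.1.20.22 GET https://mail.exarnple-gov.kz/owa/auth.php 200 980
2024-03-04T09:14:00Z 10.1.20.31 GET https://www.kaztransport.org/ 200 4096
2024-03-04T09:14:10Z 10.1.20.31 GET https://example-g0v.kz/login 200 700
""".strip().splitlines()

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, LEGIT_DOMAINS):
        print(f)
```

`getUpdates` is polling for operator commands rather than exfiltration, so the `exfil` flag separates an upload such as `sendDocument` (which also carries a large `bytes_out`) from C2 beaconing; both are worth alerting on in an environment where Telegram has no business use.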
ICS IMPACT
- Loss of confidentiality, theft of operations information
- Espionage, exfiltration, initial access, data theft