Threat Actor Profile
High APT
Description

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017) (Citation: Dragos DYMALLOY)

Confidence Score
90%
Known Aliases
Dragonfly 2.0, IRON LIBERTY, DYMALLOY, Berserk Bear
Tags
mitre-attack, stix-2.1, intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

STIX Data
{'aliases': ['Dragonfly 2.0', 'IRON LIBERTY', 'DYMALLOY', 'Berserk Bear'],
 'created': '2018-10-17T00:14:20.652Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a '
                'suspected Russian group that has targeted government entities '
                'and multiple U.S. critical infrastructure sectors since at '
                'least December 2015. (Citation: US-CERT TA18-074A) (Citation: '
                'Symantec Dragonfly Sept 2017) There is debate over the extent '
                'of overlap between [Dragonfly '
                '2.0](https://attack.mitre.org/groups/G0074) and '
                '[Dragonfly](https://attack.mitre.org/groups/G0035), but there '
                'is sufficient evidence to lead to these being tracked as two '
                'separate groups. (Citation: Fortune Dragonfly 2.0 Sept '
                '2017)(Citation: Dragos DYMALLOY )',
 'external_references': [{'external_id': 'G0074',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0074'},
                         {'description': '(Citation: Dragos DYMALLOY )',
                          'source_name': 'DYMALLOY'},
                         {'description': '(Citation: Fortune Dragonfly 2.0 '
                                         'Sept 2017)',
                          'source_name': 'Berserk Bear'},
                         {'description': '(Citation: Secureworks MCMD July '
                                         '2019)(Citation: Secureworks IRON '
                                         'LIBERTY)',
                          'source_name': 'IRON LIBERTY'},
                         {'description': '(Citation: US-CERT TA18-074A) '
                                         '(Citation: Symantec Dragonfly Sept '
                                         '2017) (Citation: Fortune Dragonfly '
                                         '2.0 Sept 2017)',
                          'source_name': 'Dragonfly 2.0'},
                         {'description': 'Dragos. (n.d.). DYMALLOY. Retrieved '
                                         'August 20, 2020.',
                          'source_name': 'Dragos DYMALLOY ',
                          'url': 'https://www.dragos.com/threat/dymalloy/'},
                         {'description': 'Hackett, R. (2017, September 6). '
                                         'Hackers Have Penetrated Energy Grid, '
                                         'Symantec Warns. Retrieved June 6, '
                                         '2018.',
                          'source_name': 'Fortune Dragonfly 2.0 Sept 2017',
                          'url': 'http://fortune.com/2017/09/06/hack-energy-grid-symantec/'},
                         {'description': 'Secureworks. (2019, July 24). MCMD '
                                         'Malware Analysis. Retrieved August '
                                         '13, 2020.',
                          'source_name': 'Secureworks MCMD July 2019',
                          'url': 'https://www.secureworks.com/research/mcmd-malware-analysis'},
                         {'description': 'Secureworks. (n.d.). IRON LIBERTY. '
                                         'Retrieved October 15, 2020.',
                          'source_name': 'Secureworks IRON LIBERTY',
                          'url': 'https://www.secureworks.com/research/threat-profiles/iron-liberty'},
                         {'description': 'Symantec Security Response. (2017, '
                                         'September 6). Dragonfly: Western '
                                         'energy sector targeted by '
                                         'sophisticated attack group. '
                                         'Retrieved September 9, 2017.',
                          'source_name': 'Symantec Dragonfly Sept 2017',
                          'url': 'https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group'},
                         {'description': 'US-CERT. (2018, March 16). Alert '
                                         '(TA18-074A): Russian Government '
                                         'Cyber Activity Targeting Energy and '
                                         'Other Critical Infrastructure '
                                         'Sectors. Retrieved June 6, 2018.',
                          'source_name': 'US-CERT TA18-074A',
                          'url': 'https://www.us-cert.gov/ncas/alerts/TA18-074A'}],
 'id': 'intrusion-set--76d59913-1d24-4992-a8ac-05a3eb093f71',
 'modified': '2025-04-18T17:59:27.618Z',
 'name': 'Dragonfly 2.0',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': True,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'ics-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '2.1'}