Nomadic Octopus / DustSquad
A Russian-speaking espionage group that has operated quietly across Central Asia and former Soviet states since at least 2014, targeting diplomatic missions, government networks, and opposition political groups. Notably opportunistic in its lure design — when Kazakhstan threatened to ban Telegram in 2018, the group disguised its Octopus trojan as an alternative Telegram client specifically for the Democratic Choice opposition party, exploiting the news cycle with precision. Operation Paperbug, documented by PRODAFT in 2023, revealed the group had maintained persistent access to a Tajikistani telecoms carrier since November 2020, using it as a pivot to compromise 499 systems including government networks, individual computers, and operational technology devices such as gas station systems. Compared to the most publicized Russian APTs, Nomadic Octopus operates with a smaller footprint and simpler toolset — but its sustained presence in a geopolitically sensitive region, its OT device access, and its victimology overlaps with Sofacy make it a credible and active intelligence collection capability.
Overview
Nomadic Octopus is one of the quieter Russian-aligned APT actors in the public threat intelligence record — a group that has operated for over a decade in a high-priority geopolitical region without attracting the sustained attention given to groups like APT28, Sandworm, or Turla. ESET coined the Nomadic Octopus name in 2017 after identifying the 0ct0pus3.php script the actor used on old C2 servers; Kaspersky linked the same infrastructure to its DustSquad tracking in 2018 through code similarity analysis. Prior to public attribution, the group had run at least four documented campaigns using custom Android and Windows malware against Central Asian targets since 2014.
Attribution to Russia is assessed rather than confirmed. The group is Russian-speaking — evidenced by Russian-language spearphishing emails, Russian-language malware filenames, and Russian annotations left on compromised victim device notes during Paperbug. The Octopus trojan is written in Delphi — the same programming language used by Sofacy's Zebrocy malware — though Kaspersky assessed the two groups are not operationally related despite infrastructure and victimology overlaps. PRODAFT noted that Paperbug TTPs aligned with Russian nation-state attack patterns and raised the possibility of cooperation or at least parallel tasking with Sofacy against shared target populations.
The group's defining operational characteristic is opportunistic, current-event-driven lure design against a regionally focused target set. When Kazakhstan's government threatened to ban Telegram in 2018 because the Democratic Choice opposition party was using it, Nomadic Octopus immediately created a fake Telegram application specifically branded for DVK opposition members — a Delphi-compiled RAT that appeared to offer continued secure communications. The lure worked precisely because it was timed to real anxieties within a specific, known target community. This pattern of exploiting genuine regional political events for lure credibility is the group's most consistent tradecraft signature across campaigns.
The most recent public campaign documentation for Nomadic Octopus is Operation Paperbug, published by PRODAFT in April 2023 and covering activity from November 2020 through January 2022. No confirmed new campaign has been publicly attributed to the group since. The absence of new public reporting does not indicate the group has ceased operations — Nomadic Octopus has repeatedly operated for extended periods before public visibility. Given the Tajikistan carrier access documented in Paperbug and the group's historical persistence pattern, continued regional collection activity is assessed as likely.
Target Profile
Nomadic Octopus concentrates exclusively on Central Asia and neighbouring former Soviet states — the group has not been observed targeting Western nations or organizations outside this geographic focus. Within this region it targets entities of direct intelligence value to Russian foreign policy.
- Diplomatic missions and foreign ministries: Embassies, consulates, and foreign ministry networks across Central Asia are the primary documented target category. The Nomadic Octopus designation itself, presented at Virus Bulletin in 2017, was based on the group's targeting of diplomatic missions throughout the region. A December 2019 Gcow Security analysis documented attacks on the Uzbekistan Ministry of Foreign Affairs deploying Octopus.
- Opposition political organizations: The 2018 Telegram campaign specifically targeted members and supporters of Kazakhstan's Democratic Choice (DVK) opposition party. This targeting aligns with Russian intelligence interest in monitoring opposition political activity in former Soviet states — particularly groups that may represent destabilizing influences relative to Moscow's preferred regional order.
- Government officials and agencies: The Paperbug campaign targeted high-ranking Tajikistani government officials across multiple agencies. PRODAFT observed operators maintaining categorized lists of victims by value, actively seeking government network access and individual official endpoints as priority targets. Russian-language annotations on victim device notes confirmed deliberate, informed targeting of specific officials.
- Telecommunications providers: The Tajikistani mobile carrier compromise was the foundational pivot for Paperbug — providing both intelligence value (access to communications metadata) and lateral movement infrastructure to reach the carrier's government and public service clients. Telecom targeting in Central Asia provides passive collection capability against a broad population of government and diplomatic communications.
- Operational technology and public service infrastructure: One of the more unusual aspects of Paperbug is the documented compromise of OT devices including gas station systems and a cash register. PRODAFT noted the group was specifically searching for OT devices alongside government networks — suggesting an intelligence collection interest in understanding public service infrastructure, potentially for future disruption capability or for mapping critical national dependencies.
- Afghanistan: Kaspersky's 2018 analysis traced Nomadic Octopus activity to Afghanistan in addition to the former Soviet Central Asian republics, consistent with Russian intelligence interest in Afghan political and military developments, an interest that has persisted through the post-2001 NATO presence and the 2021 withdrawal.
- Political bloggers and civil society: Beyond formal diplomatic and government targets, the group has targeted individual political bloggers and civil society figures — suggesting a surveillance mandate that encompasses monitoring of political opinion and dissent across the region, not just formal government communications.
Tactics, Techniques & Procedures
Nomadic Octopus uses a relatively straightforward TTP set compared to more sophisticated Russian APT groups. Its distinguishing feature is not technical sophistication but rather the quality of its social engineering — precisely timed, regionally specific lures that exploit real political events within defined target communities.
| mitre id | technique | description |
|---|---|---|
| T1566.001 | Spearphishing — Current Event Lures | The group's primary initial access vector across all documented campaigns. Spearphishing emails use Russian-language content and are themed around genuine current events within the target community: Telegram ban anxieties in Kazakhstan, political events in Tajikistan and Uzbekistan, and diplomatic correspondence formats for missions. Lure quality is high relative to the group's overall toolset sophistication, suggesting deliberate investment in social engineering over technical capability. |
| T1204.002 | Malicious File Execution — Trojanized Application | The Kazakhstan campaign's primary delivery mechanism: a functional-appearing fake Telegram application distributed as an archive. The Octopus trojan was embedded within an application branded with the Democratic Choice party's imagery, targeting party members and supporters specifically. Once executed, Octopus provided persistent backdoor access while appearing to be a legitimate — if unofficial — communications tool. |
| T1059 | Command and Scripting Interpreter | During Paperbug, operators used public offensive tools downloaded and executed on victim systems, often during victims' active hours — indicating hands-on-keyboard operation rather than automated tasking. Commands were executed through standard Windows scripting mechanisms. Tools were named to masquerade as legitimate software: Google Update, Chrome Update, Java Update, and Google Crash Handler were documented tool names used by operators to obscure malicious activity from casual inspection. |
| T1113 | Screen Capture | Real-time surveillance was a documented Paperbug capability — operators captured screenshots of victims in the act of writing emails and creating contracts, providing not just stored document access but live operational intelligence on the targets' current activities and communications. The Octopus malware's screenshot capability was present from its first documented versions and updated in the Paperbug-era variant. |
| T1041 | Exfiltration over C2 Channel | Octopus exfiltrates files via its C2 channel using HTTP POST requests sending data in XML format — an updated communication technique compared to the original Octopus variant which used HTTP GET requests without XML parsing. File upload capability allows operators to stage and retrieve documents, emails, and messaging application chat histories. The group periodically stole emails, contracts, and communications in bulk rather than only conducting real-time surveillance. |
| T1210 | Exploitation of Remote Services — Lateral Movement | After the initial telecom carrier compromise in Paperbug, operators moved laterally to over twelve government networks and OT devices using public offensive tooling and exploitation of known vulnerabilities in unpatched software. PRODAFT documented that the expansion from the carrier network was enabled by document theft, stolen client contracts and credentials, and weak network security configurations across interconnected government and public service networks. The public reporting does not name the specific services or protocols that were exploited. |
| T1078 | Valid Accounts — Credential Theft | Paperbug operators expanded from the initial telecom compromise through stolen client contracts and credentials obtained from the carrier's own document stores. Legitimate credentials from the carrier's client relationships provided trusted access to government network clients, reducing the need for exploitation of those networks directly and leaving less forensic evidence of intrusion at the point of lateral movement. |
| T1082 | System Discovery — Opportunistic OT Targeting | A notable characteristic of Paperbug is that operators were not always certain which device they had accessed. PRODAFT observed that the group's decision to maintain or drop connections was based on active assessment of what they had reached — specifically searching for OT devices, government networks, and public service infrastructure. Gas station systems, a cash register, and government network devices were all documented compromises, reflecting broad opportunistic scanning of accessible systems rather than pre-identified target selection. |
| T1036.005 | Masquerading — Legitimate Tool Names | During Paperbug, offensive tools deployed on victim systems were renamed to impersonate legitimate software update processes: Google Update, Chrome Update, Java Update, and Google Crash Handler. This masquerading approach is consistent with a low-sophistication attempt to blend malicious processes into background software activity on Windows systems, reducing the likelihood of administrator or user review of running process lists triggering investigation. |
Known Campaigns
Documented operations across Nomadic Octopus's known history. The group has likely run campaigns that have not been publicly documented given its decade-long activity and low public profile prior to 2018.
Kaspersky tracked Nomadic Octopus (as DustSquad) through four campaigns prior to public attribution, involving both custom Android and custom Windows malware targeting Central Asian users and diplomatic entities. The group was identified targeting entities in the former Soviet Central Asian republics of Kazakhstan, Uzbekistan, Kyrgyzstan and Tajikistan, as well as in Afghanistan, and used Russian-language spearphishing with lures relevant to local political contexts. The Android malware component suggests the group pursued device-level surveillance alongside computer-based access, potentially targeting individuals rather than only institutional networks.
The 2018 Kazakhstan Telegram campaign is Nomadic Octopus's highest-profile documented operation prior to Paperbug. In April 2018, Kaspersky discovered a new Octopus sample disguised as a Russian-language version of Telegram specifically branded for the Democratic Choice (DVK) opposition party in Kazakhstan. The lure exploited the Kazakhstan government's threat to ban Telegram — using members' anxiety about losing a secure communications channel to drive installation of a trojanized alternative. The Octopus malware provided remote access including command execution, file upload/download, screenshot capture, and RAR archive search. Once installed, attackers could surveil victims, steal sensitive data, and maintain backdoor access. ESET had independently identified the 0ct0pus3.php C2 script in 2017 when first naming the group; Kaspersky's 2018 analysis formally linked Octopus to its DustSquad tracking.
A December 2019 Gcow Security analysis documented Nomadic Octopus targeting the Uzbekistan Ministry of Foreign Affairs with Octopus malware, extending the group's confirmed targeting beyond Kazakhstan to formally documented attacks on a foreign ministry's network infrastructure. This campaign confirmed the group's interest in foreign ministry access as a diplomatic intelligence collection priority, consistent with the broader diplomatic targeting pattern documented by ESET and Kaspersky in 2018.
PRODAFT's Paperbug report, published April 2023, documented the most comprehensive Nomadic Octopus campaign in the public record. Beginning in November 2020, the group compromised an unnamed Tajikistani mobile phone carrier and used it as a persistent access base and lateral movement pivot. The carrier's position in Tajikistan's communications infrastructure provided access to client credentials, contracts, and network paths reaching government agencies. From the carrier, operators expanded to more than twelve government networks, plus individual executive computers and OT devices. As of January 27, 2022, PRODAFT's analysis of the C2 server confirmed 499 backdoored systems — including government network devices, gas station systems, and a cash register. Operators conducted both bulk email and document theft and real-time surveillance, taking screenshots while targets were actively writing emails or creating contracts. Operators left Russian-language annotations on victim device records and maintained a categorized list of victims by value. The group deployed public offensive tooling renamed to masquerade as Google, Chrome, and Java update processes. Despite the campaign's intelligence value, the operators were not consistently stealthy — inadvertently triggering permission pop-ups and deploying tools during victims' active working hours.
Tools & Malware
Nomadic Octopus uses a limited toolkit built around the Octopus trojan as its primary capability, supplemented by commodity offensive tools during post-compromise operations. The toolset reflects a group that prioritizes reliable intelligence collection over technical sophistication.
- Octopus trojan (Windows): The group's primary custom malware, written in Delphi — an unusual language choice noted by Kaspersky. Provides remote access including command execution, file upload and download, screenshot capture, and RAR archive searching. C2 communications use HTTP POST requests sending data in XML format in updated variants (original variants used HTTP GET without XML parsing). Distributed via spearphishing and trojanized application lures. Multiple variants have been documented across campaigns; the Paperbug-era variant was uploaded to VirusTotal in April 2021. Uses third-party Delphi libraries including the Indy Project for HTTP C2 communications (JSON-formatted in the 2018 variant, XML in the Paperbug-era update) and TurboPower Abbrevia for compression. Some components appeared unfinished, suggesting development under time pressure or iterative incomplete implementation.
- Android malware (unnamed variants): Kaspersky documented multiple custom Android malware families used by DustSquad in campaigns targeting Central Asian users, predating the public Octopus attribution. The Android malware reflects a mobile surveillance component targeting individual users rather than institutional networks — consistent with the group's interest in political opposition figures and individual government officials as targets alongside diplomatic mission networks.
- Commodity offensive tools — Cobalt Strike: PRODAFT's Paperbug analysis confirmed use of Cobalt Strike during the Tajikistan campaign alongside the Octopus variant. The use of commodity tooling makes attribution harder — it is consistent with lower-tier state actors who supplement limited custom malware with commercial frameworks rather than investing in a fully proprietary post-exploitation toolkit.
- Renamed public tools (Google Update / Chrome Update / Java Update / Google Crash Handler): Standard Windows administrative tools and public offensive tools were renamed to masquerade as legitimate software update processes, reducing likelihood of casual detection by non-security administrators reviewing running processes or scheduled tasks on compromised systems.
Indicators of Compromise
IOCs from the documented 2018 Kazakhstan campaign and the 2020–2022 Paperbug campaign. Because the most recent public campaign ended in January 2022, the network IOCs from those campaigns (the Octopus C2 domains published in Kaspersky's 2018 analysis and the Paperbug infrastructure published by PRODAFT) are historical and should not be relied on for active blocking by themselves; the behavioral indicators in the TTP table above are more durable. For the full indicator lists, consult Kaspersky's Securelist report (2018), PRODAFT's full Paperbug report (April 2023), and the reports referenced from MITRE ATT&CK G0133.
Mitigation & Defense
Nomadic Octopus's TTPs are relatively straightforward to defend against with standard security hygiene, but the quality of its social engineering means that initial access defenses — particularly email and application vetting — carry disproportionate importance.
- Application allowlisting and unofficial software policies: The Kazakhstan Telegram lure succeeded because targets installed an unofficial application to replace one they feared would be banned. Strict application installation policies — requiring all software to come from organizational deployment systems or verified sources — eliminate the trojanized application initial access vector. Security awareness training should specifically address the risk of installing unofficial "alternative" versions of popular applications, particularly during politically charged periods where access to official services is threatened.
- Spearphishing detection with regional political context: Nomadic Octopus lures are of high quality within their regional context but are less sophisticated at a technical level than the lures used by top-tier groups like APT28. Email gateway controls enforcing sandbox analysis of attachments and link inspection should catch Octopus delivery mechanisms. Organizations in Central Asian government and diplomatic sectors should brief security teams on the group's pattern of exploiting local political events for lure timing.
- Patch management for OT and public service devices: Paperbug's lateral spread to OT devices including gas station systems was explicitly attributed to exploitation of known vulnerabilities in unpatched software and weak network security configurations. Organizations managing mixed IT/OT environments must extend patch management discipline to OT devices — unpatched OT systems accessible from a compromised carrier network represent exactly the vulnerability Paperbug exploited.
- Telecom supplier network segmentation: The Paperbug campaign's scale derived from using a compromised telecom carrier as a pivot to government clients. Government organizations relying on shared telecom infrastructure should treat their telecom supplier connection as an untrusted network segment, not a trusted internal path. Zero trust network access architecture specifically reduces the blast radius of a carrier-level compromise against downstream government clients.
- Process monitoring for masqueraded tools: Nomadic Octopus renamed offensive tools as Google Update, Chrome Update, Java Update, and Google Crash Handler. These names can be detected by comparing each process's actual image path, code-signing publisher, and hash against the known-legitimate update binaries from Google and Oracle. Alert on any process using these names that does not run from the vendor's expected installation path, is unsigned or signed by an unexpected publisher, or does not match the expected binary hashes for those products. A genuine, validly signed vendor binary copied to an unexpected path should still alert, since the path mismatch is itself the anomaly.
- HTTP POST XML traffic inspection: The updated Octopus variant communicates via HTTP POST with XML-formatted payloads. Deep packet inspection and C2 traffic analysis tools that flag unexpected HTTP POST patterns from non-browser processes — particularly from systems that do not normally generate outbound HTTP traffic — can detect active Octopus C2 communications.
- Cobalt Strike beacon detection: Paperbug's use of Cobalt Strike alongside Octopus makes standard Cobalt Strike detection rules applicable. Behavioral indicators include Cobalt Strike's characteristic sleep patterns, default beacon profiles, and named pipe activity. Commercial EDR solutions maintain Cobalt Strike detection rules; ensure they are current and applied to endpoints across the targeted environment.
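As an added example, not taken from the PRODAFT report or any of this page's sources, the following Python hunt applies the two behavioral checks above (updater-name masquerading and XML-bodied HTTP POSTs from non-browser processes) to constructed process-creation and HTTP-egress events. The vendor install paths, signer names, browser list and event field names are assumptions for the example; in a real deployment they should be derived from a gold image and the telemetry source actually in use.

```python
"""Hunt for two Paperbug-style behaviors in endpoint telemetry:
(1) processes named like Google/Chrome/Java updaters that do not match the
    vendor's install path or code-signing publisher, and
(2) HTTP POSTs with XML bodies from processes that are not browsers.
All sample events below are constructed for this example."""
import ntpath
import re

# Assumed known-good baselines (example values, not from the report).
# Derive the real ones from a gold image and the vendors' signing certificates.
_GOOGLE = {
    "paths": (r"c:\program files (x86)\google\update", r"c:\program files\google\update"),
    "signers": {"google llc", "google inc"},
}
_JAVA = {
    "paths": (r"c:\program files (x86)\common files\java\java update",
              r"c:\program files\common files\java\java update"),
    "signers": {"oracle america, inc."},
}
LEGIT_UPDATERS = {
    "googleupdate.exe": _GOOGLE, "googlecrashhandler.exe": _GOOGLE,
    "googlecrashhandler64.exe": _GOOGLE, "jusched.exe": _JAVA, "jucheck.exe": _JAVA,
}
# Anything that merely looks like an updater: "Chrome Update.exe" is not a real
# vendor binary name, so a hit outside LEGIT_UPDATERS is suspect on its own.
MASQUERADE_NAME = re.compile(r"(google|chrome|java)[ _-]*update|crash[ _-]*handler", re.I)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
XML_TYPES = ("application/xml", "text/xml")


def _norm(image):
    return ntpath.normpath(image).lower()


def check_process(ev):
    """Return a finding if the process imitates a vendor updater, else None."""
    image = _norm(ev["image"])
    name = ntpath.basename(image)
    baseline = LEGIT_UPDATERS.get(name)
    if baseline is None:
        if MASQUERADE_NAME.search(name):
            return {"rule": "updater_masquerade", "pid": ev["pid"], "image": ev["image"],
                    "reasons": ["no vendor binary carries this name"]}
        return None
    reasons = []
    if not any(image.startswith(p + "\\") for p in baseline["paths"]):
        reasons.append("runs outside the vendor install path")
    if (ev.get("signer") or "").lower() not in baseline["signers"]:
        reasons.append("unsigned or signed by an unexpected publisher")
    if reasons:
        return {"rule": "updater_masquerade", "pid": ev["pid"], "image": ev["image"],
                "reasons": reasons}
    return None


def check_http(ev, procs_by_pid):
    """Return a finding for an XML-bodied POST from a non-browser process, else None."""
    if ev["method"].upper() != "POST":
        return None
    ctype = (ev.get("content_type") or "").lower()
    body = (ev.get("body_prefix") or "").lstrip()
    if not (ctype.startswith(XML_TYPES) or body.startswith("<?xml")):
        return None
    proc = procs_by_pid.get(ev["pid"])
    if proc is None:  # egress with no matching process event is itself suspicious
        return {"rule": "xml_post_non_browser", "pid": ev["pid"], "image": None,
                "dest": ev["host"], "reasons": ["no process-creation event for this pid"]}
    if ntpath.basename(_norm(proc["image"])) in BROWSERS:
        return None  # browsers legitimately POST XML; tune the allowlist per environment
    return {"rule": "xml_post_non_browser", "pid": ev["pid"], "image": proc["image"],
            "dest": ev["host"], "reasons": ["XML POST from a non-browser process"]}


def hunt(process_events, http_events):
    """Correlate process and HTTP events by pid and return all findings."""
    procs_by_pid = {ev["pid"]: ev for ev in process_events}
    findings = [f for f in map(check_process, process_events) if f]
    findings += [f for f in (check_http(ev, procs_by_pid) for ev in http_events) if f]
    return findings


# Constructed sample telemetry (Sysmon-style process creation, proxy-style HTTP egress).
PROCESS_EVENTS = [
    {"pid": 4012, "image": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "signer": "Google LLC"},
    {"pid": 5120, "image": r"C:\Users\Public\Google Update.exe", "signer": None},
    {"pid": 5188, "image": r"C:\Users\tj\AppData\Roaming\Java Update\jusched.exe", "signer": None},
    {"pid": 6000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "signer": "Google LLC"},
]
HTTP_EVENTS = [
    {"pid": 4012, "method": "GET", "host": "update.googleapis.com", "content_type": None, "body_prefix": ""},
    {"pid": 6000, "method": "POST", "host": "mail.example.com",
     "content_type": "application/x-www-form-urlencoded", "body_prefix": "user=tj&pass="},
    {"pid": 6000, "method": "POST", "host": "api.example.com", "content_type": "application/xml",
     "body_prefix": "<?xml version=\"1.0\"?><req/>"},
    {"pid": 5120, "method": "POST", "host": "198.51.100.23", "content_type": "text/xml",
     "body_prefix": "<?xml version=\"1.0\"?><data>"},
    {"pid": 7777, "method": "POST", "host": "203.0.113.9", "content_type": None,
     "body_prefix": "<?xml version=\"1.0\"?><data>"},
]

if __name__ == "__main__":
    for f in hunt(PROCESS_EVENTS, HTTP_EVENTS):
        print(f["rule"], f["pid"], f["image"], "|", "; ".join(f["reasons"]))
```

Running the sample flags the fake "Google Update.exe" under C:\Users\Public, the jusched.exe copy running unsigned from a roaming profile, the XML POST made by that fake updater, and an XML POST from a pid with no recorded process event, while the genuine GoogleUpdate.exe and the browser's own XML POST pass. The name regex deliberately fires on names that no vendor ships, so an attacker's cosmetic rename is caught even before the path or signer check runs.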
Nomadic Octopus is a useful case study in what a mid-tier state-linked espionage actor looks like when operating in a region that is strategically important to its likely patron but receives less international security attention. The Paperbug campaign's 499 backdoored systems — including OT devices — ran for over two years with no public reporting, suggesting the group operates within an intelligence gap: Central Asian cybersecurity posture and threat visibility remains lower than in Western targets, and the group's limited public profile reduces the likelihood of proactive hunting for its TTPs. The Sofacy victimology overlap is notable: Kaspersky documented targets who were simultaneously infected by both DustSquad and Sofacy — described as "threat magnets." This overlap either reflects similar collection priorities leading to independent convergence on the same high-value targets, or some form of coordinated or sequential tasking between the groups. PRODAFT did not conclude on this question. For organizations operating in or with interests in Central Asia — particularly Tajikistan, Kazakhstan, Uzbekistan, and Kyrgyzstan — Nomadic Octopus warrants active monitoring even absent recent public campaign documentation.
Sources & Further Reading
Attribution and references used to build this profile.
- The Hacker News — Paperbug Attack: New Politically-Motivated Surveillance Campaign in Tajikistan (2023)
- SecurityWeek — Russian APT Hacked Tajikistani Carrier to Spy on Government and Public Services (2023)
- Kaspersky Securelist — Octopus-Infested Seas of Central Asia (2018)
- SecurityWeek — Russia-Linked Hackers Target Diplomatic Entities in Central Asia (2018)
- PRODAFT — Nomadic Octopus Paperbug Campaign Report (2023)
- MITRE ATT&CK — Group G0133: Nomadic Octopus
- Security Affairs — Russian APT Nomadic Octopus Hacked Tajikistani Carrier (2023)