Skip to main content
Mallory
Back to threat actors
3 malware families

Unit 29155

Also known asunit_29155

Unit 29155 is a unit of რუსეთის military intelligence service, the GRU, described in the content as a Russian military intelligence sabotage and assassination group. The content also attributes cyber activity to the group, including cyberespionage operations and the WhisperGate attacks targeting Ukraine. A 2024 joint advisory cited in the content linked Raspberry Robin to Russia’s GRU and the 161st Specialist Training Center (Unit 29155). The content further states that France’s Viginum said the disinformation operation Storm-1516 had been publicly attributed to Unit 29155, and assessed Storm-1516 as a significant foreign digital interference threat affecting public debate in France and across Europe. Reported targeting and effects mentioned in the content include Ukraine, as well as influence activity aimed at European audiences and narratives intended to discredit Ukraine, its allies, and supporting Western leaders. Alias mentioned in the content: unit_29155. Sub-group or linked operation mentioned in the content: Storm-1516.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1585
Establish Accounts
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
Raspberry RobinRaspberry Robin: A complex worm, initially spread via “Bad USB” attacks, which Microsoft observed pushing the SocGholish on-device agent.1Mar 18, 2026
SocGholishSocGholish, operated by TA569, actually functions as a Malware-as-a-Service (MaaS) vendor, selling access to compromised systems to various financially motivated cybercriminal clients. The primary tactic used involves deceptive “fake browser update” lures...1Mar 18, 2026
WhisperGateUnit 29155 ... has been carrying out destructive attacks, such as WhisperGate, which involved a wiper malware used against Ukraine in February 20221Mar 18, 2026
ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
occrpNews
Mar 11, 2026
Spies, Lies, and Video Clicks: The Warped World of Pro-Russian Disinformation in Europe | OCCRP

Russian military intelligence unit publicly linked to the Storm-1516 disinformation operation.

Read more
silentpush blogNews
Aug 6, 2025
Unmasking SocGholish: Silent Push Untangles the Malware Web behind the “Pioneer of Fake Updates” and Its Operator, TA569

Russian military intelligence-linked unit referenced as connected (via Raspberry Robin) to follow-on activity enabled by SocGholish-provided access; described in the content as part of state-sponsored operations targeting critical infrastructure.

Read more
lawfareNews
Jun 13, 2025
Trump Scales Back Biden's Product Security Demands

Russian military intelligence unit associated (in the cited discussion) with hacking activity in support of sabotage/assassination operations.

Read more
risky biz rssNews
Jun 11, 2025
Risky Bulletin: SentinelOne avoids a Chinese APT hack

Referenced as a Russian military intelligence-linked group associated with sabotage/assassination; no cyber TTP details provided in the text.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.