Trojan.Karagany and Backdoor.Oldrea are remote access Trojans (RATs) used to install additional tools or malware, to search the system for valuable data, and to exfiltrate that data. In a given attack the group uses either Karagany or Oldrea, never both, because the two serve the same purpose. Karagany is used in only 5% of attacks.

Karagany is widely available on the internet underground, for purchase or for recompilation from source, because its code was leaked in 2010. It features tools for indexing documents, taking screenshots of the system, and collecting passwords. At the adversary's instruction it can also download new tools or files, run plugins or executables, or exfiltrate data to a designated C&C server.

Oldrea, also widely known as the Havex malware, appears to be used in most attacks and appears to have been written by or for the attackers. Once installed, Oldrea profiles the system by collecting system information, harvesting Outlook address book information, noting VPN configuration files, and indexing files, programs, and the root of each available drive. The collected data is compiled into a temporary file, encrypted, and sent to an adversary C&C server. Oldrea features a control panel that the adversaries use to authenticate to a C&C server and download a compressed copy of each victim's data. The servers hijacked by Energetic Bear to serve as C&C servers may have been compromised using the same exploit of content management systems.
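The profiling stage described above (address book harvesting, VPN configuration discovery, enumeration of drive roots, staging into a temporary file) is a behavioral pattern a defender can look for in endpoint file-activity telemetry without relying on any sample hash. The script below is an added example written for this page, not code from the report or from the malware; the event format, file extensions, process names and paths are constructed assumptions chosen for illustration, and a real deployment would map them to the organisation's own EDR schema.

```python
"""
Behavioral heuristic for the Oldrea/Havex-style profiling stage: flag a single
process that, within a short window, reads an Outlook address-book store, reads a
VPN configuration file, and enumerates the root of at least two drives.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint file-activity events in the form
# "timestamp|host|pid|process|operation|path". Process names, extensions and
# paths are assumptions for this example, not indicators from the report.
SAMPLE_EVENTS = """\
2014-03-03T09:00:05|ws01|2200|outlook.exe|read|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.oab
2014-03-03T09:02:10|ws01|4120|svchosts.exe|read|C:\\Users\\alice\\AppData\\Local\\Microsoft\\Outlook\\alice.oab
2014-03-03T09:02:12|ws01|4120|svchosts.exe|read|C:\\Users\\alice\\vpn\\corp-office.pcf
2014-03-03T09:02:15|ws01|4120|svchosts.exe|list|C:\\
2014-03-03T09:02:15|ws01|4120|svchosts.exe|list|D:\\
2014-03-03T09:02:16|ws01|4120|svchosts.exe|list|E:\\
2014-03-03T09:02:40|ws01|4120|svchosts.exe|write|C:\\Users\\alice\\AppData\\Local\\Temp\\~tmp3a.dat
2014-03-03T09:10:00|ws01|1340|explorer.exe|list|C:\\
2014-03-03T10:30:00|ws02|3001|cmd.exe|list|C:\\
2014-03-03T11:45:00|ws02|3001|cmd.exe|read|C:\\Users\\bob\\vpn\\bob.ovpn
"""

# Assumed path patterns for each category of interest. These are illustrative;
# tune them to the address-book and VPN products actually deployed.
TAGGERS = {
    "address_book": re.compile(r"\.(pab|oab|nk2)$", re.IGNORECASE),
    "vpn_config": re.compile(r"(\.(pcf|ovpn)$|\\vpn\\)", re.IGNORECASE),
    "drive_root": re.compile(r"^[A-Z]:\\$", re.IGNORECASE),
}


def parse_event(line):
    """Split one pipe-delimited event line into a dict with a parsed timestamp."""
    ts, host, pid, proc, op, path = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "pid": int(pid),
            "proc": proc, "op": op, "path": path}


def find_profiling_activity(raw_events, window=timedelta(minutes=15), min_roots=2):
    """Return one alert per (host, pid, process) whose activity inside any
    `window`-long span covers all three categories, with at least `min_roots`
    distinct drive roots enumerated."""
    by_proc = defaultdict(list)
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        by_proc[(ev["host"], ev["pid"], ev["proc"])].append(ev)

    alerts = []
    for (host, pid, proc), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide a window starting at each event; stop at the first hit per process.
        for i, start in enumerate(evs):
            seen = defaultdict(set)
            for ev in evs[i:]:
                if ev["ts"] - start["ts"] > window:
                    break
                for tag, rx in TAGGERS.items():
                    if rx.search(ev["path"]):
                        seen[tag].add(ev["path"].lower())
            if seen["address_book"] and seen["vpn_config"] and len(seen["drive_root"]) >= min_roots:
                alerts.append({
                    "host": host, "pid": pid, "process": proc,
                    "first_seen": start["ts"].isoformat(),
                    "drive_roots": sorted(seen["drive_root"]),
                    "address_books": sorted(seen["address_book"]),
                    "vpn_configs": sorted(seen["vpn_config"]),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_profiling_activity(SAMPLE_EVENTS):
        print(f"[{alert['host']}] pid {alert['pid']} ({alert['process']}) "
              f"profiled the host starting {alert['first_seen']}: "
              f"roots={alert['drive_roots']}")
```

Only the one process that touches all three categories inside the window is reported; the legitimate mail client reading its own address book and the file manager listing a single drive root do not trip the rule, which is the point of correlating the categories rather than alerting on any one of them.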