APT / THREAT GROUP

Operation Emmental

🇷🇺 Russia-attributed
Campaigns: 1
Aliases: 3
Last seen: Mar 17, 2026

Intelligence Profile

Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. The group primarily targets customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. It has developed sophisticated malware, including a Mac alternative called Dok, to bypass two-factor authentication and hijack network traffic. It has also been observed using phishing emails to spread its malware. The group is believed to be Russian-speaking and has continuously improved its malicious code over the years.

Threat Analysis

Operation Emmental is a threat actor attributed to Russia and engaged in cyber operations. Its primary motivation is listed as unknown.

Known Campaigns

Operation Emmental — Active Operations March 2026

Operation Emmental is an unknown-motivation threat actor attributed to Russia. Operation Emmental, also known as the Retefe gang, is a threat actor group that has been active since at least 2012. They primarily target customers of banks in countries such as Austria, Sweden, Switzerland, and Japan. The group has developed sophisticated malware, including a M...

ACTIVE | MEDIUM | 2026

Quick Facts

Type: APT / Threat Group
Origin: 🇷🇺 Russia
Aliases: 3
Source: Malpedia

Also Known As

Retefe Group, Operation Emmental, Retefe Gang

Data sourced from Malpedia, Ransomware.live, RansomLook, and CTIWATCH OSINT collection. Actor attribution is based on available intelligence and may be incomplete.