In April 2017, ShadowBrokers published their well-known Lost in Translation leak, which, among other things, contained an interesting script that checked for traces of other APTs in compromised systems. In 2018, we found an APT described as the 27th function of this script, which we call DarkUniverse This APT was active for at least eight years, from 2009 until 2017. We assess with medium confidence that DarkUniverse is a part of the ItaDuke set of activities due to unique code overlaps.”]
Source: https://securelist.com/darkuniverse-the-mysterious-apt-framework-27/94897/