Energetic Bear/Crouching Yeti is an APT actor involved in campaigns since 2010. Targeted sectors include industrial/machinery, manufacturing, pharmaceutical, construction, education, and IT. Infections occur through spear-phishing emails, Trojanized software installers, and waterhole attacks. The malware, which includes the Havex, Sysmain, ClientX, and Karagany Trojans as well as lateral movement tools, exclusively infects Windows systems. Command and control runs through hacked websites that host malware modules, store victim information, and serve commands. Dozens of exploit sites and referrer sites were legitimate, compromised sites running vulnerable content management systems or web apps. No exploits were zero-day, and none of the client-side exploits were re-used from Metasploit. About 2,800 victims were observed worldwide, with the most prevalent in the industrial/machinery building sector.