Software | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Software | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" 
href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link active" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" 
href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">SOFTWARE</span> <div class="sidenav"> <div class="sidenav-head active" id="0-0"> <a href="/versions/v9/software/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="3PARA RAT-3PARA RAT"> <a href="/versions/v9/software/S0066/"> 3PARA RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4H RAT-4H RAT"> <a href="/versions/v9/software/S0065/"> 4H RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ABK-ABK"> <a href="/versions/v9/software/S0469/"> ABK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="adbupd-adbupd"> <a href="/versions/v9/software/S0202/"> adbupd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="AdFind-AdFind"> <a href="/versions/v9/software/S0552/"> AdFind </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Adups-Adups"> <a href="/versions/v9/software/S0309/"> Adups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ADVSTORESHELL-ADVSTORESHELL"> <a href="/versions/v9/software/S0045/"> ADVSTORESHELL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Agent Smith-Agent Smith"> <a href="/versions/v9/software/S0440/"> Agent Smith </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Agent Tesla-Agent Tesla"> <a href="/versions/v9/software/S0331/"> Agent Tesla </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="Agent.btz-Agent.btz"> <a href="/versions/v9/software/S0092/"> Agent.btz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Allwinner-Allwinner"> <a href="/versions/v9/software/S0319/"> Allwinner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Anchor-Anchor"> <a href="/versions/v9/software/S0504/"> Anchor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Android/AdDisplay.Ashas-Android/AdDisplay.Ashas"> <a href="/versions/v9/software/S0525/"> Android/AdDisplay.Ashas </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Android/Chuli.A-Android/Chuli.A"> <a href="/versions/v9/software/S0304/"> Android/Chuli.A </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="AndroidOS/MalLocker.B-AndroidOS/MalLocker.B"> <a href="/versions/v9/software/S0524/"> AndroidOS/MalLocker.B </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ANDROIDOS_ANSERVER.A-ANDROIDOS_ANSERVER.A"> <a href="/versions/v9/software/S0310/"> ANDROIDOS_ANSERVER.A </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="AndroRAT-AndroRAT"> <a href="/versions/v9/software/S0292/"> AndroRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Anubis-Anubis"> <a href="/versions/v9/software/S0422/"> Anubis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="AppleJeus-AppleJeus"> <a href="/versions/v9/software/S0584/"> AppleJeus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Aria-body-Aria-body"> <a href="/versions/v9/software/S0456/"> Aria-body </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Arp-Arp"> <a href="/versions/v9/software/S0099/"> Arp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Asacub-Asacub"> <a href="/versions/v9/software/S0540/"> Asacub </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ASPXSpy-ASPXSpy"> <a 
href="/versions/v9/software/S0073/"> ASPXSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Astaroth-Astaroth"> <a href="/versions/v9/software/S0373/"> Astaroth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="at-at"> <a href="/versions/v9/software/S0110/"> at </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Attor-Attor"> <a href="/versions/v9/software/S0438/"> Attor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="AuditCred-AuditCred"> <a href="/versions/v9/software/S0347/"> AuditCred </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="AutoIt backdoor-AutoIt backdoor"> <a href="/versions/v9/software/S0129/"> AutoIt backdoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Avenger-Avenger"> <a href="/versions/v9/software/S0473/"> Avenger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Azorult-Azorult"> <a href="/versions/v9/software/S0344/"> Azorult </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BabyShark-BabyShark"> <a href="/versions/v9/software/S0414/"> BabyShark </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BackConfig-BackConfig"> <a href="/versions/v9/software/S0475/"> BackConfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Backdoor.Oldrea-Backdoor.Oldrea"> <a href="/versions/v9/software/S0093/"> Backdoor.Oldrea </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BACKSPACE-BACKSPACE"> <a href="/versions/v9/software/S0031/"> BACKSPACE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BADCALL-BADCALL"> <a href="/versions/v9/software/S0245/"> BADCALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BADNEWS-BADNEWS"> <a href="/versions/v9/software/S0128/"> BADNEWS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BadPatch-BadPatch"> <a 
href="/versions/v9/software/S0337/"> BadPatch </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bandook-Bandook"> <a href="/versions/v9/software/S0234/"> Bandook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bankshot-Bankshot"> <a href="/versions/v9/software/S0239/"> Bankshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bazar-Bazar"> <a href="/versions/v9/software/S0534/"> Bazar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BBK-BBK"> <a href="/versions/v9/software/S0470/"> BBK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BBSRAT-BBSRAT"> <a href="/versions/v9/software/S0127/"> BBSRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BendyBear-BendyBear"> <a href="/versions/v9/software/S0574/"> BendyBear </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BISCUIT-BISCUIT"> <a href="/versions/v9/software/S0017/"> BISCUIT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bisonal-Bisonal"> <a href="/versions/v9/software/S0268/"> Bisonal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BitPaymer-BitPaymer"> <a href="/versions/v9/software/S0570/"> BitPaymer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BITSAdmin-BITSAdmin"> <a href="/versions/v9/software/S0190/"> BITSAdmin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BLACKCOFFEE-BLACKCOFFEE"> <a href="/versions/v9/software/S0069/"> BLACKCOFFEE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackEnergy-BlackEnergy"> <a href="/versions/v9/software/S0089/"> BlackEnergy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackMould-BlackMould"> <a href="/versions/v9/software/S0564/"> BlackMould </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BLINDINGCAN-BLINDINGCAN"> <a href="/versions/v9/software/S0520/"> 
BLINDINGCAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BloodHound-BloodHound"> <a href="/versions/v9/software/S0521/"> BloodHound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bonadan-Bonadan"> <a href="/versions/v9/software/S0486/"> Bonadan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BONDUPDATER-BONDUPDATER"> <a href="/versions/v9/software/S0360/"> BONDUPDATER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BOOSTWRITE-BOOSTWRITE"> <a href="/versions/v9/software/S0415/"> BOOSTWRITE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BOOTRASH-BOOTRASH"> <a href="/versions/v9/software/S0114/"> BOOTRASH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BrainTest-BrainTest"> <a href="/versions/v9/software/S0293/"> BrainTest </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Brave Prince-Brave Prince"> <a href="/versions/v9/software/S0252/"> Brave Prince </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bread-Bread"> <a href="/versions/v9/software/S0432/"> Bread </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Briba-Briba"> <a href="/versions/v9/software/S0204/"> Briba </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BS2005-BS2005"> <a href="/versions/v9/software/S0014/"> BS2005 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BUBBLEWRAP-BUBBLEWRAP"> <a href="/versions/v9/software/S0043/"> BUBBLEWRAP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="build_downer-build_downer"> <a href="/versions/v9/software/S0471/"> build_downer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bundlore-Bundlore"> <a href="/versions/v9/software/S0482/"> Bundlore </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cachedump-Cachedump"> <a href="/versions/v9/software/S0119/"> 
Cachedump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cadelspy-Cadelspy"> <a href="/versions/v9/software/S0454/"> Cadelspy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CALENDAR-CALENDAR"> <a href="/versions/v9/software/S0025/"> CALENDAR </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Calisto-Calisto"> <a href="/versions/v9/software/S0274/"> Calisto </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CallMe-CallMe"> <a href="/versions/v9/software/S0077/"> CallMe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cannon-Cannon"> <a href="/versions/v9/software/S0351/"> Cannon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carbanak-Carbanak"> <a href="/versions/v9/software/S0030/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carberp-Carberp"> <a href="/versions/v9/software/S0484/"> Carberp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carbon-Carbon"> <a href="/versions/v9/software/S0335/"> Carbon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CarbonSteal-CarbonSteal"> <a href="/versions/v9/software/S0529/"> CarbonSteal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cardinal RAT-Cardinal RAT"> <a href="/versions/v9/software/S0348/"> Cardinal RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CARROTBALL-CARROTBALL"> <a href="/versions/v9/software/S0465/"> CARROTBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CARROTBAT-CARROTBAT"> <a href="/versions/v9/software/S0462/"> CARROTBAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Catchamas-Catchamas"> <a href="/versions/v9/software/S0261/"> Catchamas </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Caterpillar WebShell-Caterpillar WebShell"> <a href="/versions/v9/software/S0572/"> 
Caterpillar WebShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CCBkdr-CCBkdr"> <a href="/versions/v9/software/S0222/"> CCBkdr </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cerberus-Cerberus"> <a href="/versions/v9/software/S0480/"> Cerberus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="certutil-certutil"> <a href="/versions/v9/software/S0160/"> certutil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Chaos-Chaos"> <a href="/versions/v9/software/S0220/"> Chaos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Charger-Charger"> <a href="/versions/v9/software/S0323/"> Charger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ChChes-ChChes"> <a href="/versions/v9/software/S0144/"> ChChes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CHEMISTGAMES-CHEMISTGAMES"> <a href="/versions/v9/software/S0555/"> CHEMISTGAMES </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cherry Picker-Cherry Picker"> <a href="/versions/v9/software/S0107/"> Cherry Picker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="China Chopper-China Chopper"> <a href="/versions/v9/software/S0020/"> China Chopper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CHOPSTICK-CHOPSTICK"> <a href="/versions/v9/software/S0023/"> CHOPSTICK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Circles-Circles"> <a href="/versions/v9/software/S0602/"> Circles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CloudDuke-CloudDuke"> <a href="/versions/v9/software/S0054/"> CloudDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="cmd-cmd"> <a href="/versions/v9/software/S0106/"> cmd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cobalt Strike-Cobalt Strike"> <a href="/versions/v9/software/S0154/"> Cobalt 
Strike </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cobian RAT-Cobian RAT"> <a href="/versions/v9/software/S0338/"> Cobian RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CoinTicker-CoinTicker"> <a href="/versions/v9/software/S0369/"> CoinTicker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Comnie-Comnie"> <a href="/versions/v9/software/S0244/"> Comnie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ComRAT-ComRAT"> <a href="/versions/v9/software/S0126/"> ComRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Concipit1248-Concipit1248"> <a href="/versions/v9/software/S0426/"> Concipit1248 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ConnectWise-ConnectWise"> <a href="/versions/v9/software/S0591/"> ConnectWise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Conti-Conti"> <a href="/versions/v9/software/S0575/"> Conti </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CookieMiner-CookieMiner"> <a href="/versions/v9/software/S0492/"> CookieMiner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CORALDECK-CORALDECK"> <a href="/versions/v9/software/S0212/"> CORALDECK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CORESHELL-CORESHELL"> <a href="/versions/v9/software/S0137/"> CORESHELL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Corona Updates-Corona Updates"> <a href="/versions/v9/software/S0425/"> Corona Updates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CosmicDuke-CosmicDuke"> <a href="/versions/v9/software/S0050/"> CosmicDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CozyCar-CozyCar"> <a href="/versions/v9/software/S0046/"> CozyCar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CrackMapExec-CrackMapExec"> <a 
href="/versions/v9/software/S0488/"> CrackMapExec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Crimson-Crimson"> <a href="/versions/v9/software/S0115/"> Crimson </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CrossRAT-CrossRAT"> <a href="/versions/v9/software/S0235/"> CrossRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Crutch-Crutch"> <a href="/versions/v9/software/S0538/"> Crutch </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cryptoistic-Cryptoistic"> <a href="/versions/v9/software/S0498/"> Cryptoistic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CSPY Downloader-CSPY Downloader"> <a href="/versions/v9/software/S0527/"> CSPY Downloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dacls-Dacls"> <a href="/versions/v9/software/S0497/"> Dacls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkComet-DarkComet"> <a href="/versions/v9/software/S0334/"> DarkComet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Daserf-Daserf"> <a href="/versions/v9/software/S0187/"> Daserf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DDKONG-DDKONG"> <a href="/versions/v9/software/S0255/"> DDKONG </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DealersChoice-DealersChoice"> <a href="/versions/v9/software/S0243/"> DealersChoice </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DEFENSOR ID-DEFENSOR ID"> <a href="/versions/v9/software/S0479/"> DEFENSOR ID </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dendroid-Dendroid"> <a href="/versions/v9/software/S0301/"> Dendroid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Denis-Denis"> <a href="/versions/v9/software/S0354/"> Denis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Derusbi-Derusbi"> <a 
href="/versions/v9/software/S0021/"> Derusbi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Desert Scorpion-Desert Scorpion"> <a href="/versions/v9/software/S0505/"> Desert Scorpion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dipsind-Dipsind"> <a href="/versions/v9/software/S0200/"> Dipsind </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DOGCALL-DOGCALL"> <a href="/versions/v9/software/S0213/"> DOGCALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dok-Dok"> <a href="/versions/v9/software/S0281/"> Dok </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Doki-Doki"> <a href="/versions/v9/software/S0600/"> Doki </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DoubleAgent-DoubleAgent"> <a href="/versions/v9/software/S0550/"> DoubleAgent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="down_new-down_new"> <a href="/versions/v9/software/S0472/"> down_new </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Downdelph-Downdelph"> <a href="/versions/v9/software/S0134/"> Downdelph </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DownPaper-DownPaper"> <a href="/versions/v9/software/S0186/"> DownPaper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DressCode-DressCode"> <a href="/versions/v9/software/S0300/"> DressCode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dridex-Dridex"> <a href="/versions/v9/software/S0384/"> Dridex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DroidJack-DroidJack"> <a href="/versions/v9/software/S0320/"> DroidJack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DropBook-DropBook"> <a href="/versions/v9/software/S0547/"> DropBook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Drovorub-Drovorub"> <a href="/versions/v9/software/S0502/"> 
Drovorub </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="dsquery-dsquery"> <a href="/versions/v9/software/S0105/"> dsquery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dtrack-Dtrack"> <a href="/versions/v9/software/S0567/"> Dtrack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DualToy-DualToy"> <a href="/versions/v9/software/S0315/"> DualToy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Duqu-Duqu"> <a href="/versions/v9/software/S0038/"> Duqu </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DustySky-DustySky"> <a href="/versions/v9/software/S0062/"> DustySky </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dvmap-Dvmap"> <a href="/versions/v9/software/S0420/"> Dvmap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dyre-Dyre"> <a href="/versions/v9/software/S0024/"> Dyre </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ebury-Ebury"> <a href="/versions/v9/software/S0377/"> Ebury </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ECCENTRICBANDWAGON-ECCENTRICBANDWAGON"> <a href="/versions/v9/software/S0593/"> ECCENTRICBANDWAGON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Egregor-Egregor"> <a href="/versions/v9/software/S0554/"> Egregor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Elise-Elise"> <a href="/versions/v9/software/S0081/"> Elise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ELMER-ELMER"> <a href="/versions/v9/software/S0064/"> ELMER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Emissary-Emissary"> <a href="/versions/v9/software/S0082/"> Emissary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Emotet-Emotet"> <a href="/versions/v9/software/S0367/"> Emotet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="Empire-Empire"> <a href="/versions/v9/software/S0363/"> Empire </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Epic-Epic"> <a href="/versions/v9/software/S0091/"> Epic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="esentutl-esentutl"> <a href="/versions/v9/software/S0404/"> esentutl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="eSurv-eSurv"> <a href="/versions/v9/software/S0507/"> eSurv </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="EventBot-EventBot"> <a href="/versions/v9/software/S0478/"> EventBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="EvilBunny-EvilBunny"> <a href="/versions/v9/software/S0396/"> EvilBunny </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="EvilGrab-EvilGrab"> <a href="/versions/v9/software/S0152/"> EvilGrab </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="EVILNUM-EVILNUM"> <a href="/versions/v9/software/S0568/"> EVILNUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Exaramel for Linux-Exaramel for Linux"> <a href="/versions/v9/software/S0401/"> Exaramel for Linux </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Exaramel for Windows-Exaramel for Windows"> <a href="/versions/v9/software/S0343/"> Exaramel for Windows </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Exobot-Exobot"> <a href="/versions/v9/software/S0522/"> Exobot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Exodus-Exodus"> <a href="/versions/v9/software/S0405/"> Exodus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Expand-Expand"> <a href="/versions/v9/software/S0361/"> Expand </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Explosive-Explosive"> <a href="/versions/v9/software/S0569/"> Explosive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="FakeM-FakeM"> <a href="/versions/v9/software/S0076/"> FakeM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FakeSpy-FakeSpy"> <a href="/versions/v9/software/S0509/"> FakeSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FALLCHILL-FALLCHILL"> <a href="/versions/v9/software/S0181/"> FALLCHILL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FatDuke-FatDuke"> <a href="/versions/v9/software/S0512/"> FatDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Felismus-Felismus"> <a href="/versions/v9/software/S0171/"> Felismus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FELIXROOT-FELIXROOT"> <a href="/versions/v9/software/S0267/"> FELIXROOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Fgdump-Fgdump"> <a href="/versions/v9/software/S0120/"> Fgdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Final1stspy-Final1stspy"> <a href="/versions/v9/software/S0355/"> Final1stspy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FinFisher-FinFisher"> <a href="/versions/v9/software/S0182/"> FinFisher </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Flame-Flame"> <a href="/versions/v9/software/S0143/"> Flame </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FLASHFLOOD-FLASHFLOOD"> <a href="/versions/v9/software/S0036/"> FLASHFLOOD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FlawedAmmyy-FlawedAmmyy"> <a href="/versions/v9/software/S0381/"> FlawedAmmyy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FlawedGrace-FlawedGrace"> <a href="/versions/v9/software/S0383/"> FlawedGrace </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FlexiSpy-FlexiSpy"> <a href="/versions/v9/software/S0408/"> FlexiSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FLIPSIDE-FLIPSIDE"> <a 
href="/versions/v9/software/S0173/"> FLIPSIDE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Forfiles-Forfiles"> <a href="/versions/v9/software/S0193/"> Forfiles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FrameworkPOS-FrameworkPOS"> <a href="/versions/v9/software/S0503/"> FrameworkPOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FrozenCell-FrozenCell"> <a href="/versions/v9/software/S0577/"> FrozenCell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FruitFly-FruitFly"> <a href="/versions/v9/software/S0277/"> FruitFly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FTP-FTP"> <a href="/versions/v9/software/S0095/"> FTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Fysbis-Fysbis"> <a href="/versions/v9/software/S0410/"> Fysbis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gazer-Gazer"> <a href="/versions/v9/software/S0168/"> Gazer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GeminiDuke-GeminiDuke"> <a href="/versions/v9/software/S0049/"> GeminiDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Get2-Get2"> <a href="/versions/v9/software/S0460/"> Get2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="gh0st RAT-gh0st RAT"> <a href="/versions/v9/software/S0032/"> gh0st RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ginp-Ginp"> <a href="/versions/v9/software/S0423/"> Ginp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GLOOXMAIL-GLOOXMAIL"> <a href="/versions/v9/software/S0026/"> GLOOXMAIL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gold Dragon-Gold Dragon"> <a href="/versions/v9/software/S0249/"> Gold Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Golden Cup-Golden Cup"> <a href="/versions/v9/software/S0535/"> Golden Cup 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GoldenEagle-GoldenEagle"> <a href="/versions/v9/software/S0551/"> GoldenEagle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GoldenSpy-GoldenSpy"> <a href="/versions/v9/software/S0493/"> GoldenSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GoldFinder-GoldFinder"> <a href="/versions/v9/software/S0597/"> GoldFinder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GoldMax-GoldMax"> <a href="/versions/v9/software/S0588/"> GoldMax </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GolfSpy-GolfSpy"> <a href="/versions/v9/software/S0421/"> GolfSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gooligan-Gooligan"> <a href="/versions/v9/software/S0290/"> Gooligan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Goopy-Goopy"> <a href="/versions/v9/software/S0477/"> Goopy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GPlayed-GPlayed"> <a href="/versions/v9/software/S0536/"> GPlayed </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Grandoreiro-Grandoreiro"> <a href="/versions/v9/software/S0531/"> Grandoreiro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GravityRAT-GravityRAT"> <a href="/versions/v9/software/S0237/"> GravityRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GreyEnergy-GreyEnergy"> <a href="/versions/v9/software/S0342/"> GreyEnergy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GRIFFON-GRIFFON"> <a href="/versions/v9/software/S0417/"> GRIFFON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="gsecdump-gsecdump"> <a href="/versions/v9/software/S0008/"> gsecdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GuLoader-GuLoader"> <a href="/versions/v9/software/S0561/"> GuLoader </a> </div> </div> 
<div class="sidenav"> <div class="sidenav-head" id="Gustuff-Gustuff"> <a href="/versions/v9/software/S0406/"> Gustuff </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="H1N1-H1N1"> <a href="/versions/v9/software/S0132/"> H1N1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Hacking Team UEFI Rootkit-Hacking Team UEFI Rootkit"> <a href="/versions/v9/software/S0047/"> Hacking Team UEFI Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HALFBAKED-HALFBAKED"> <a href="/versions/v9/software/S0151/"> HALFBAKED </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAMMERTOSS-HAMMERTOSS"> <a href="/versions/v9/software/S0037/"> HAMMERTOSS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Hancitor-Hancitor"> <a href="/versions/v9/software/S0499/"> Hancitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAPPYWORK-HAPPYWORK"> <a href="/versions/v9/software/S0214/"> HAPPYWORK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HARDRAIN-HARDRAIN"> <a href="/versions/v9/software/S0246/"> HARDRAIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Havij-Havij"> <a href="/versions/v9/software/S0224/"> Havij </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAWKBALL-HAWKBALL"> <a href="/versions/v9/software/S0391/"> HAWKBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="hcdLoader-hcdLoader"> <a href="/versions/v9/software/S0071/"> hcdLoader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HDoor-HDoor"> <a href="/versions/v9/software/S0061/"> HDoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Helminth-Helminth"> <a href="/versions/v9/software/S0170/"> Helminth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HenBox-HenBox"> <a href="/versions/v9/software/S0544/"> HenBox </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="Hi-Zor-Hi-Zor"> <a href="/versions/v9/software/S0087/"> Hi-Zor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HiddenWasp-HiddenWasp"> <a href="/versions/v9/software/S0394/"> HiddenWasp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HIDEDRV-HIDEDRV"> <a href="/versions/v9/software/S0135/"> HIDEDRV </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Hikit-Hikit"> <a href="/versions/v9/software/S0009/"> Hikit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Hildegard-Hildegard"> <a href="/versions/v9/software/S0601/"> Hildegard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HOMEFRY-HOMEFRY"> <a href="/versions/v9/software/S0232/"> HOMEFRY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HOPLIGHT-HOPLIGHT"> <a href="/versions/v9/software/S0376/"> HOPLIGHT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HotCroissant-HotCroissant"> <a href="/versions/v9/software/S0431/"> HotCroissant </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HTRAN-HTRAN"> <a href="/versions/v9/software/S0040/"> HTRAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HTTPBrowser-HTTPBrowser"> <a href="/versions/v9/software/S0070/"> HTTPBrowser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="httpclient-httpclient"> <a href="/versions/v9/software/S0068/"> httpclient </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HummingBad-HummingBad"> <a href="/versions/v9/software/S0322/"> HummingBad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HummingWhale-HummingWhale"> <a href="/versions/v9/software/S0321/"> HummingWhale </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Hydraq-Hydraq"> <a href="/versions/v9/software/S0203/"> Hydraq </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="HyperBro-HyperBro"> <a href="/versions/v9/software/S0398/"> HyperBro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HyperStack-HyperStack"> <a href="/versions/v9/software/S0537/"> HyperStack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="IcedID-IcedID"> <a href="/versions/v9/software/S0483/"> IcedID </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ifconfig-ifconfig"> <a href="/versions/v9/software/S0101/"> ifconfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="iKitten-iKitten"> <a href="/versions/v9/software/S0278/"> iKitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Imminent Monitor-Imminent Monitor"> <a href="/versions/v9/software/S0434/"> Imminent Monitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Impacket-Impacket"> <a href="/versions/v9/software/S0357/"> Impacket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="InnaputRAT-InnaputRAT"> <a href="/versions/v9/software/S0259/"> InnaputRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="INSOMNIA-INSOMNIA"> <a href="/versions/v9/software/S0463/"> INSOMNIA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="InvisiMole-InvisiMole"> <a href="/versions/v9/software/S0260/"> InvisiMole </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Invoke-PSImage-Invoke-PSImage"> <a href="/versions/v9/software/S0231/"> Invoke-PSImage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ipconfig-ipconfig"> <a href="/versions/v9/software/S0100/"> ipconfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="IronNetInjector-IronNetInjector"> <a href="/versions/v9/software/S0581/"> IronNetInjector </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ISMInjector-ISMInjector"> <a href="/versions/v9/software/S0189/"> ISMInjector </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ixeshe-Ixeshe"> <a href="/versions/v9/software/S0015/"> Ixeshe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Janicab-Janicab"> <a href="/versions/v9/software/S0163/"> Janicab </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Javali-Javali"> <a href="/versions/v9/software/S0528/"> Javali </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="JCry-JCry"> <a href="/versions/v9/software/S0389/"> JCry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="JHUHUGIT-JHUHUGIT"> <a href="/versions/v9/software/S0044/"> JHUHUGIT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="JPIN-JPIN"> <a href="/versions/v9/software/S0201/"> JPIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="jRAT-jRAT"> <a href="/versions/v9/software/S0283/"> jRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Judy-Judy"> <a href="/versions/v9/software/S0325/"> Judy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KARAE-KARAE"> <a href="/versions/v9/software/S0215/"> KARAE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kasidet-Kasidet"> <a href="/versions/v9/software/S0088/"> Kasidet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kazuar-Kazuar"> <a href="/versions/v9/software/S0265/"> Kazuar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kerrdown-Kerrdown"> <a href="/versions/v9/software/S0585/"> Kerrdown </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kessel-Kessel"> <a href="/versions/v9/software/S0487/"> Kessel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KeyBoy-KeyBoy"> <a href="/versions/v9/software/S0387/"> KeyBoy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Keydnap-Keydnap"> <a href="/versions/v9/software/S0276/"> Keydnap 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KEYMARBLE-KEYMARBLE"> <a href="/versions/v9/software/S0271/"> KEYMARBLE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KeyRaider-KeyRaider"> <a href="/versions/v9/software/S0288/"> KeyRaider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KGH_SPY-KGH_SPY"> <a href="/versions/v9/software/S0526/"> KGH_SPY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kinsing-Kinsing"> <a href="/versions/v9/software/S0599/"> Kinsing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kivars-Kivars"> <a href="/versions/v9/software/S0437/"> Kivars </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Koadic-Koadic"> <a href="/versions/v9/software/S0250/"> Koadic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Komplex-Komplex"> <a href="/versions/v9/software/S0162/"> Komplex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KOMPROGO-KOMPROGO"> <a href="/versions/v9/software/S0156/"> KOMPROGO </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="KONNI-KONNI"> <a href="/versions/v9/software/S0356/"> KONNI </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kwampirs-Kwampirs"> <a href="/versions/v9/software/S0236/"> Kwampirs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="LaZagne-LaZagne"> <a href="/versions/v9/software/S0349/"> LaZagne </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="LightNeuron-LightNeuron"> <a href="/versions/v9/software/S0395/"> LightNeuron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Linfo-Linfo"> <a href="/versions/v9/software/S0211/"> Linfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Linux Rabbit-Linux Rabbit"> <a href="/versions/v9/software/S0362/"> Linux Rabbit </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="LockerGoga-LockerGoga"> <a href="/versions/v9/software/S0372/"> LockerGoga </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="LoJax-LoJax"> <a href="/versions/v9/software/S0397/"> LoJax </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lokibot-Lokibot"> <a href="/versions/v9/software/S0447/"> Lokibot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="LookBack-LookBack"> <a href="/versions/v9/software/S0582/"> LookBack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="LoudMiner-LoudMiner"> <a href="/versions/v9/software/S0451/"> LoudMiner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="LOWBALL-LOWBALL"> <a href="/versions/v9/software/S0042/"> LOWBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lslsass-Lslsass"> <a href="/versions/v9/software/S0121/"> Lslsass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lucifer-Lucifer"> <a href="/versions/v9/software/S0532/"> Lucifer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lurid-Lurid"> <a href="/versions/v9/software/S0010/"> Lurid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Machete-Machete"> <a href="/versions/v9/software/S0409/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MacSpy-MacSpy"> <a href="/versions/v9/software/S0282/"> MacSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MailSniper-MailSniper"> <a href="/versions/v9/software/S0413/"> MailSniper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mandrake-Mandrake"> <a href="/versions/v9/software/S0485/"> Mandrake </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Marcher-Marcher"> <a href="/versions/v9/software/S0317/"> Marcher </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Matryoshka-Matryoshka"> <a 
href="/versions/v9/software/S0167/"> Matryoshka </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MazarBOT-MazarBOT"> <a href="/versions/v9/software/S0303/"> MazarBOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Maze-Maze"> <a href="/versions/v9/software/S0449/"> Maze </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MCMD-MCMD"> <a href="/versions/v9/software/S0500/"> MCMD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MechaFlounder-MechaFlounder"> <a href="/versions/v9/software/S0459/"> MechaFlounder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="meek-meek"> <a href="/versions/v9/software/S0175/"> meek </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MegaCortex-MegaCortex"> <a href="/versions/v9/software/S0576/"> MegaCortex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Melcoz-Melcoz"> <a href="/versions/v9/software/S0530/"> Melcoz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MESSAGETAP-MESSAGETAP"> <a href="/versions/v9/software/S0443/"> MESSAGETAP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Metamorfo-Metamorfo"> <a href="/versions/v9/software/S0455/"> Metamorfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Micropsia-Micropsia"> <a href="/versions/v9/software/S0339/"> Micropsia </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mimikatz-Mimikatz"> <a href="/versions/v9/software/S0002/"> Mimikatz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MimiPenguin-MimiPenguin"> <a href="/versions/v9/software/S0179/"> MimiPenguin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Miner-C-Miner-C"> <a href="/versions/v9/software/S0133/"> Miner-C </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MiniDuke-MiniDuke"> <a href="/versions/v9/software/S0051/"> 
MiniDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MirageFox-MirageFox"> <a href="/versions/v9/software/S0280/"> MirageFox </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mis-Type-Mis-Type"> <a href="/versions/v9/software/S0084/"> Mis-Type </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Misdat-Misdat"> <a href="/versions/v9/software/S0083/"> Misdat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mivast-Mivast"> <a href="/versions/v9/software/S0080/"> Mivast </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MobileOrder-MobileOrder"> <a href="/versions/v9/software/S0079/"> MobileOrder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MoleNet-MoleNet"> <a href="/versions/v9/software/S0553/"> MoleNet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Monokle-Monokle"> <a href="/versions/v9/software/S0407/"> Monokle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MoonWind-MoonWind"> <a href="/versions/v9/software/S0149/"> MoonWind </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="More_eggs-More_eggs"> <a href="/versions/v9/software/S0284/"> More_eggs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mosquito-Mosquito"> <a href="/versions/v9/software/S0256/"> Mosquito </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MURKYTOP-MURKYTOP"> <a href="/versions/v9/software/S0233/"> MURKYTOP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Naid-Naid"> <a href="/versions/v9/software/S0205/"> Naid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NanHaiShu-NanHaiShu"> <a href="/versions/v9/software/S0228/"> NanHaiShu </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NanoCore-NanoCore"> <a href="/versions/v9/software/S0336/"> NanoCore </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="NavRAT-NavRAT"> <a href="/versions/v9/software/S0247/"> NavRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NBTscan-NBTscan"> <a href="/versions/v9/software/S0590/"> NBTscan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="nbtstat-nbtstat"> <a href="/versions/v9/software/S0102/"> nbtstat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NDiskMonitor-NDiskMonitor"> <a href="/versions/v9/software/S0272/"> NDiskMonitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Nerex-Nerex"> <a href="/versions/v9/software/S0210/"> Nerex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Net-Net"> <a href="/versions/v9/software/S0039/"> Net </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Net Crawler-Net Crawler"> <a href="/versions/v9/software/S0056/"> Net Crawler </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NETEAGLE-NETEAGLE"> <a href="/versions/v9/software/S0034/"> NETEAGLE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="netsh-netsh"> <a href="/versions/v9/software/S0108/"> netsh </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="netstat-netstat"> <a href="/versions/v9/software/S0104/"> netstat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NetTraveler-NetTraveler"> <a href="/versions/v9/software/S0033/"> NetTraveler </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Netwalker-Netwalker"> <a href="/versions/v9/software/S0457/"> Netwalker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NETWIRE-NETWIRE"> <a href="/versions/v9/software/S0198/"> NETWIRE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ngrok-Ngrok"> <a href="/versions/v9/software/S0508/"> Ngrok </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Nidiran-Nidiran"> <a 
href="/versions/v9/software/S0118/"> Nidiran </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="njRAT-njRAT"> <a href="/versions/v9/software/S0385/"> njRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Nltest-Nltest"> <a href="/versions/v9/software/S0359/"> Nltest </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NOKKI-NOKKI"> <a href="/versions/v9/software/S0353/"> NOKKI </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NotCompatible-NotCompatible"> <a href="/versions/v9/software/S0299/"> NotCompatible </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NotPetya-NotPetya"> <a href="/versions/v9/software/S0368/"> NotPetya </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OBAD-OBAD"> <a href="/versions/v9/software/S0286/"> OBAD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OceanSalt-OceanSalt"> <a href="/versions/v9/software/S0346/"> OceanSalt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Octopus-Octopus"> <a href="/versions/v9/software/S0340/"> Octopus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Okrum-Okrum"> <a href="/versions/v9/software/S0439/"> Okrum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OLDBAIT-OLDBAIT"> <a href="/versions/v9/software/S0138/"> OLDBAIT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OldBoot-OldBoot"> <a href="/versions/v9/software/S0285/"> OldBoot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Olympic Destroyer-Olympic Destroyer"> <a href="/versions/v9/software/S0365/"> Olympic Destroyer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OnionDuke-OnionDuke"> <a href="/versions/v9/software/S0052/"> OnionDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OopsIE-OopsIE"> <a href="/versions/v9/software/S0264/"> OopsIE </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="Orz-Orz"> <a href="/versions/v9/software/S0229/"> Orz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OSInfo-OSInfo"> <a href="/versions/v9/software/S0165/"> OSInfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OSX/Shlayer-OSX/Shlayer"> <a href="/versions/v9/software/S0402/"> OSX/Shlayer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OSX_OCEANLOTUS.D-OSX_OCEANLOTUS.D"> <a href="/versions/v9/software/S0352/"> OSX_OCEANLOTUS.D </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Out1-Out1"> <a href="/versions/v9/software/S0594/"> Out1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OwaAuth-OwaAuth"> <a href="/versions/v9/software/S0072/"> OwaAuth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="P.A.S. Webshell-P.A.S. Webshell"> <a href="/versions/v9/software/S0598/"> P.A.S. Webshell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="P2P ZeuS-P2P ZeuS"> <a href="/versions/v9/software/S0016/"> P2P ZeuS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pallas-Pallas"> <a href="/versions/v9/software/S0399/"> Pallas </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pasam-Pasam"> <a href="/versions/v9/software/S0208/"> Pasam </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pass-The-Hash Toolkit-Pass-The-Hash Toolkit"> <a href="/versions/v9/software/S0122/"> Pass-The-Hash Toolkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pay2Key-Pay2Key"> <a href="/versions/v9/software/S0556/"> Pay2Key </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pegasus for Android-Pegasus for Android"> <a href="/versions/v9/software/S0316/"> Pegasus for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pegasus for iOS-Pegasus for iOS"> <a 
href="/versions/v9/software/S0289/"> Pegasus for iOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Penquin-Penquin"> <a href="/versions/v9/software/S0587/"> Penquin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PHOREAL-PHOREAL"> <a href="/versions/v9/software/S0158/"> PHOREAL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pillowmint-Pillowmint"> <a href="/versions/v9/software/S0517/"> Pillowmint </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PinchDuke-PinchDuke"> <a href="/versions/v9/software/S0048/"> PinchDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ping-Ping"> <a href="/versions/v9/software/S0097/"> Ping </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PipeMon-PipeMon"> <a href="/versions/v9/software/S0501/"> PipeMon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pisloader-Pisloader"> <a href="/versions/v9/software/S0124/"> Pisloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PJApps-PJApps"> <a href="/versions/v9/software/S0291/"> PJApps </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PLAINTEE-PLAINTEE"> <a href="/versions/v9/software/S0254/"> PLAINTEE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PLEAD-PLEAD"> <a href="/versions/v9/software/S0435/"> PLEAD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PlugX-PlugX"> <a href="/versions/v9/software/S0013/"> PlugX </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="pngdowner-pngdowner"> <a href="/versions/v9/software/S0067/"> pngdowner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PoetRAT-PoetRAT"> <a href="/versions/v9/software/S0428/"> PoetRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PoisonIvy-PoisonIvy"> <a href="/versions/v9/software/S0012/"> PoisonIvy </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="PolyglotDuke-PolyglotDuke"> <a href="/versions/v9/software/S0518/"> PolyglotDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pony-Pony"> <a href="/versions/v9/software/S0453/"> Pony </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="POORAIM-POORAIM"> <a href="/versions/v9/software/S0216/"> POORAIM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PoshC2-PoshC2"> <a href="/versions/v9/software/S0378/"> PoshC2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="POSHSPY-POSHSPY"> <a href="/versions/v9/software/S0150/"> POSHSPY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Power Loader-Power Loader"> <a href="/versions/v9/software/S0177/"> Power Loader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PowerDuke-PowerDuke"> <a href="/versions/v9/software/S0139/"> PowerDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PowerShower-PowerShower"> <a href="/versions/v9/software/S0441/"> PowerShower </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="POWERSOURCE-POWERSOURCE"> <a href="/versions/v9/software/S0145/"> POWERSOURCE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PowerSploit-PowerSploit"> <a href="/versions/v9/software/S0194/"> PowerSploit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PowerStallion-PowerStallion"> <a href="/versions/v9/software/S0393/"> PowerStallion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="POWERSTATS-POWERSTATS"> <a href="/versions/v9/software/S0223/"> POWERSTATS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="POWERTON-POWERTON"> <a href="/versions/v9/software/S0371/"> POWERTON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="POWRUNER-POWRUNER"> <a href="/versions/v9/software/S0184/"> POWRUNER 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Prikormka-Prikormka"> <a href="/versions/v9/software/S0113/"> Prikormka </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Proton-Proton"> <a href="/versions/v9/software/S0279/"> Proton </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Proxysvc-Proxysvc"> <a href="/versions/v9/software/S0238/"> Proxysvc </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PsExec-PsExec"> <a href="/versions/v9/software/S0029/"> PsExec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Psylo-Psylo"> <a href="/versions/v9/software/S0078/"> Psylo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pteranodon-Pteranodon"> <a href="/versions/v9/software/S0147/"> Pteranodon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PUNCHBUGGY-PUNCHBUGGY"> <a href="/versions/v9/software/S0196/"> PUNCHBUGGY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PUNCHTRACK-PUNCHTRACK"> <a href="/versions/v9/software/S0197/"> PUNCHTRACK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pupy-Pupy"> <a href="/versions/v9/software/S0192/"> Pupy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="pwdump-pwdump"> <a href="/versions/v9/software/S0006/"> pwdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Pysa-Pysa"> <a href="/versions/v9/software/S0583/"> Pysa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="QUADAGENT-QUADAGENT"> <a href="/versions/v9/software/S0269/"> QUADAGENT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="QuasarRAT-QuasarRAT"> <a href="/versions/v9/software/S0262/"> QuasarRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ragnar Locker-Ragnar Locker"> <a href="/versions/v9/software/S0481/"> Ragnar Locker </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="Raindrop-Raindrop"> <a href="/versions/v9/software/S0565/"> Raindrop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ramsay-Ramsay"> <a href="/versions/v9/software/S0458/"> Ramsay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RARSTONE-RARSTONE"> <a href="/versions/v9/software/S0055/"> RARSTONE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RATANKBA-RATANKBA"> <a href="/versions/v9/software/S0241/"> RATANKBA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RawDisk-RawDisk"> <a href="/versions/v9/software/S0364/"> RawDisk </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RawPOS-RawPOS"> <a href="/versions/v9/software/S0169/"> RawPOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RCSAndroid-RCSAndroid"> <a href="/versions/v9/software/S0295/"> RCSAndroid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RDAT-RDAT"> <a href="/versions/v9/software/S0495/"> RDAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RDFSNIFFER-RDFSNIFFER"> <a href="/versions/v9/software/S0416/"> RDFSNIFFER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Reaver-Reaver"> <a href="/versions/v9/software/S0172/"> Reaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Red Alert 2.0-Red Alert 2.0"> <a href="/versions/v9/software/S0539/"> Red Alert 2.0 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RedDrop-RedDrop"> <a href="/versions/v9/software/S0326/"> RedDrop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RedLeaves-RedLeaves"> <a href="/versions/v9/software/S0153/"> RedLeaves </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Reg-Reg"> <a href="/versions/v9/software/S0075/"> Reg </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RegDuke-RegDuke"> <a 
href="/versions/v9/software/S0511/"> RegDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Regin-Regin"> <a href="/versions/v9/software/S0019/"> Regin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Remcos-Remcos"> <a href="/versions/v9/software/S0332/"> Remcos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Remexi-Remexi"> <a href="/versions/v9/software/S0375/"> Remexi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RemoteCMD-RemoteCMD"> <a href="/versions/v9/software/S0166/"> RemoteCMD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RemoteUtilities-RemoteUtilities"> <a href="/versions/v9/software/S0592/"> RemoteUtilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Remsec-Remsec"> <a href="/versions/v9/software/S0125/"> Remsec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Responder-Responder"> <a href="/versions/v9/software/S0174/"> Responder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Revenge RAT-Revenge RAT"> <a href="/versions/v9/software/S0379/"> Revenge RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="REvil-REvil"> <a href="/versions/v9/software/S0496/"> REvil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RGDoor-RGDoor"> <a href="/versions/v9/software/S0258/"> RGDoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rifdoor-Rifdoor"> <a href="/versions/v9/software/S0433/"> Rifdoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Riltok-Riltok"> <a href="/versions/v9/software/S0403/"> Riltok </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RIPTIDE-RIPTIDE"> <a href="/versions/v9/software/S0003/"> RIPTIDE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rising Sun-Rising Sun"> <a href="/versions/v9/software/S0448/"> Rising Sun </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="RobbinHood-RobbinHood"> <a href="/versions/v9/software/S0400/"> RobbinHood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ROCKBOOT-ROCKBOOT"> <a href="/versions/v9/software/S0112/"> ROCKBOOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RogueRobin-RogueRobin"> <a href="/versions/v9/software/S0270/"> RogueRobin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ROKRAT-ROKRAT"> <a href="/versions/v9/software/S0240/"> ROKRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rotexy-Rotexy"> <a href="/versions/v9/software/S0411/"> Rotexy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="route-route"> <a href="/versions/v9/software/S0103/"> route </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rover-Rover"> <a href="/versions/v9/software/S0090/"> Rover </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RTM-RTM"> <a href="/versions/v9/software/S0148/"> RTM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ruler-Ruler"> <a href="/versions/v9/software/S0358/"> Ruler </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RuMMS-RuMMS"> <a href="/versions/v9/software/S0313/"> RuMMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RunningRAT-RunningRAT"> <a href="/versions/v9/software/S0253/"> RunningRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ryuk-Ryuk"> <a href="/versions/v9/software/S0446/"> Ryuk </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="S-Type-S-Type"> <a href="/versions/v9/software/S0085/"> S-Type </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sakula-Sakula"> <a href="/versions/v9/software/S0074/"> Sakula </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SamSam-SamSam"> <a 
href="/versions/v9/software/S0370/"> SamSam </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="schtasks-schtasks"> <a href="/versions/v9/software/S0111/"> schtasks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SDBbot-SDBbot"> <a href="/versions/v9/software/S0461/"> SDBbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SDelete-SDelete"> <a href="/versions/v9/software/S0195/"> SDelete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SeaDuke-SeaDuke"> <a href="/versions/v9/software/S0053/"> SeaDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Seasalt-Seasalt"> <a href="/versions/v9/software/S0345/"> Seasalt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SEASHARPEE-SEASHARPEE"> <a href="/versions/v9/software/S0185/"> SEASHARPEE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ServHelper-ServHelper"> <a href="/versions/v9/software/S0382/"> ServHelper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ShadowPad-ShadowPad"> <a href="/versions/v9/software/S0596/"> ShadowPad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Shamoon-Shamoon"> <a href="/versions/v9/software/S0140/"> Shamoon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SharpStage-SharpStage"> <a href="/versions/v9/software/S0546/"> SharpStage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SHARPSTATS-SHARPSTATS"> <a href="/versions/v9/software/S0450/"> SHARPSTATS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ShiftyBug-ShiftyBug"> <a href="/versions/v9/software/S0294/"> ShiftyBug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ShimRat-ShimRat"> <a href="/versions/v9/software/S0444/"> ShimRat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ShimRatReporter-ShimRatReporter"> <a 
href="/versions/v9/software/S0445/"> ShimRatReporter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SHIPSHAPE-SHIPSHAPE"> <a href="/versions/v9/software/S0028/"> SHIPSHAPE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SHOTPUT-SHOTPUT"> <a href="/versions/v9/software/S0063/"> SHOTPUT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SHUTTERSPEED-SHUTTERSPEED"> <a href="/versions/v9/software/S0217/"> SHUTTERSPEED </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sibot-Sibot"> <a href="/versions/v9/software/S0589/"> Sibot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SilkBean-SilkBean"> <a href="/versions/v9/software/S0549/"> SilkBean </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SimBad-SimBad"> <a href="/versions/v9/software/S0419/"> SimBad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Skeleton Key-Skeleton Key"> <a href="/versions/v9/software/S0007/"> Skeleton Key </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Skidmap-Skidmap"> <a href="/versions/v9/software/S0468/"> Skidmap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Skygofree-Skygofree"> <a href="/versions/v9/software/S0327/"> Skygofree </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SLOTHFULMEDIA-SLOTHFULMEDIA"> <a href="/versions/v9/software/S0533/"> SLOTHFULMEDIA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SLOWDRIFT-SLOWDRIFT"> <a href="/versions/v9/software/S0218/"> SLOWDRIFT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Smoke Loader-Smoke Loader"> <a href="/versions/v9/software/S0226/"> Smoke Loader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SNUGRIDE-SNUGRIDE"> <a href="/versions/v9/software/S0159/"> SNUGRIDE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="Socksbot-Socksbot"> <a href="/versions/v9/software/S0273/"> Socksbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SoreFang-SoreFang"> <a href="/versions/v9/software/S0516/"> SoreFang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SOUNDBITE-SOUNDBITE"> <a href="/versions/v9/software/S0157/"> SOUNDBITE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SPACESHIP-SPACESHIP"> <a href="/versions/v9/software/S0035/"> SPACESHIP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Spark-Spark"> <a href="/versions/v9/software/S0543/"> Spark </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SpeakUp-SpeakUp"> <a href="/versions/v9/software/S0374/"> SpeakUp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="spwebmember-spwebmember"> <a href="/versions/v9/software/S0227/"> spwebmember </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SpyDealer-SpyDealer"> <a href="/versions/v9/software/S0324/"> SpyDealer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SpyNote RAT-SpyNote RAT"> <a href="/versions/v9/software/S0305/"> SpyNote RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="sqlmap-sqlmap"> <a href="/versions/v9/software/S0225/"> sqlmap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SQLRat-SQLRat"> <a href="/versions/v9/software/S0390/"> SQLRat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SslMM-SslMM"> <a href="/versions/v9/software/S0058/"> SslMM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Starloader-Starloader"> <a href="/versions/v9/software/S0188/"> Starloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stealth Mango-Stealth Mango"> <a href="/versions/v9/software/S0328/"> Stealth Mango </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="StoneDrill-StoneDrill"> <a href="/versions/v9/software/S0380/"> StoneDrill </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="StreamEx-StreamEx"> <a href="/versions/v9/software/S0142/"> StreamEx </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="StrongPity-StrongPity"> <a href="/versions/v9/software/S0491/"> StrongPity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SUNBURST-SUNBURST"> <a href="/versions/v9/software/S0559/"> SUNBURST </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SUNSPOT-SUNSPOT"> <a href="/versions/v9/software/S0562/"> SUNSPOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SUPERNOVA-SUPERNOVA"> <a href="/versions/v9/software/S0578/"> SUPERNOVA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sykipot-Sykipot"> <a href="/versions/v9/software/S0018/"> Sykipot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SynAck-SynAck"> <a href="/versions/v9/software/S0242/"> SynAck </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SYNful Knock-SYNful Knock"> <a href="/versions/v9/software/S0519/"> SYNful Knock </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sys10-Sys10"> <a href="/versions/v9/software/S0060/"> Sys10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SYSCON-SYSCON"> <a href="/versions/v9/software/S0464/"> SYSCON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Systeminfo-Systeminfo"> <a href="/versions/v9/software/S0096/"> Systeminfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="T9000-T9000"> <a href="/versions/v9/software/S0098/"> T9000 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Taidoor-Taidoor"> <a href="/versions/v9/software/S0011/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TAINTEDSCRIBE-TAINTEDSCRIBE"> <a 
href="/versions/v9/software/S0586/"> TAINTEDSCRIBE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TajMahal-TajMahal"> <a href="/versions/v9/software/S0467/"> TajMahal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tangelo-Tangelo"> <a href="/versions/v9/software/S0329/"> Tangelo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tasklist-Tasklist"> <a href="/versions/v9/software/S0057/"> Tasklist </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TDTESS-TDTESS"> <a href="/versions/v9/software/S0164/"> TDTESS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TEARDROP-TEARDROP"> <a href="/versions/v9/software/S0560/"> TEARDROP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TERRACOTTA-TERRACOTTA"> <a href="/versions/v9/software/S0545/"> TERRACOTTA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TEXTMATE-TEXTMATE"> <a href="/versions/v9/software/S0146/"> TEXTMATE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ThiefQuest-ThiefQuest"> <a href="/versions/v9/software/S0595/"> ThiefQuest </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tiktok Pro-Tiktok Pro"> <a href="/versions/v9/software/S0558/"> Tiktok Pro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TINYTYPHON-TINYTYPHON"> <a href="/versions/v9/software/S0131/"> TINYTYPHON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TinyZBot-TinyZBot"> <a href="/versions/v9/software/S0004/"> TinyZBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tor-Tor"> <a href="/versions/v9/software/S0183/"> Tor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Triada-Triada"> <a href="/versions/v9/software/S0424/"> Triada </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TrickBot-TrickBot"> <a href="/versions/v9/software/S0266/"> 
TrickBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TrickMo-TrickMo"> <a href="/versions/v9/software/S0427/"> TrickMo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Trojan-SMS.AndroidOS.Agent.ao-Trojan-SMS.AndroidOS.Agent.ao"> <a href="/versions/v9/software/S0307/"> Trojan-SMS.AndroidOS.Agent.ao </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Trojan-SMS.AndroidOS.FakeInst.a-Trojan-SMS.AndroidOS.FakeInst.a"> <a href="/versions/v9/software/S0306/"> Trojan-SMS.AndroidOS.FakeInst.a </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Trojan-SMS.AndroidOS.OpFake.a-Trojan-SMS.AndroidOS.OpFake.a"> <a href="/versions/v9/software/S0308/"> Trojan-SMS.AndroidOS.OpFake.a </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Trojan.Karagany-Trojan.Karagany"> <a href="/versions/v9/software/S0094/"> Trojan.Karagany </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Trojan.Mebromi-Trojan.Mebromi"> <a href="/versions/v9/software/S0001/"> Trojan.Mebromi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Truvasys-Truvasys"> <a href="/versions/v9/software/S0178/"> Truvasys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TSCookie-TSCookie"> <a href="/versions/v9/software/S0436/"> TSCookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TURNEDUP-TURNEDUP"> <a href="/versions/v9/software/S0199/"> TURNEDUP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Twitoor-Twitoor"> <a href="/versions/v9/software/S0302/"> Twitoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TYPEFRAME-TYPEFRAME"> <a href="/versions/v9/software/S0263/"> TYPEFRAME </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="UACMe-UACMe"> <a href="/versions/v9/software/S0116/"> UACMe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="UBoatRAT-UBoatRAT"> <a href="/versions/v9/software/S0333/"> UBoatRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Umbreon-Umbreon"> <a href="/versions/v9/software/S0221/"> Umbreon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Unknown Logger-Unknown Logger"> <a href="/versions/v9/software/S0130/"> Unknown Logger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="UPPERCUT-UPPERCUT"> <a href="/versions/v9/software/S0275/"> UPPERCUT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Uroburos-Uroburos"> <a href="/versions/v9/software/S0022/"> Uroburos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ursnif-Ursnif"> <a href="/versions/v9/software/S0386/"> Ursnif </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="USBferry-USBferry"> <a href="/versions/v9/software/S0452/"> USBferry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="USBStealer-USBStealer"> <a href="/versions/v9/software/S0136/"> USBStealer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Valak-Valak"> <a href="/versions/v9/software/S0476/"> Valak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Vasport-Vasport"> <a href="/versions/v9/software/S0207/"> Vasport </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="VBShower-VBShower"> <a href="/versions/v9/software/S0442/"> VBShower </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="VERMIN-VERMIN"> <a href="/versions/v9/software/S0257/"> VERMIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ViceLeaker-ViceLeaker"> <a href="/versions/v9/software/S0418/"> ViceLeaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ViperRAT-ViperRAT"> <a href="/versions/v9/software/S0506/"> ViperRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Volgmer-Volgmer"> <a 
href="/versions/v9/software/S0180/"> Volgmer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WannaCry-WannaCry"> <a href="/versions/v9/software/S0366/"> WannaCry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Waterbear-Waterbear"> <a href="/versions/v9/software/S0579/"> Waterbear </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WEBC2-WEBC2"> <a href="/versions/v9/software/S0109/"> WEBC2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WellMail-WellMail"> <a href="/versions/v9/software/S0515/"> WellMail </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WellMess-WellMess"> <a href="/versions/v9/software/S0514/"> WellMess </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wiarp-Wiarp"> <a href="/versions/v9/software/S0206/"> Wiarp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windows Credential Editor-Windows Credential Editor"> <a href="/versions/v9/software/S0005/"> Windows Credential Editor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WINDSHIELD-WINDSHIELD"> <a href="/versions/v9/software/S0155/"> WINDSHIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WindTail-WindTail"> <a href="/versions/v9/software/S0466/"> WindTail </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WINERACK-WINERACK"> <a href="/versions/v9/software/S0219/"> WINERACK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winexe-Winexe"> <a href="/versions/v9/software/S0191/"> Winexe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wingbird-Wingbird"> <a href="/versions/v9/software/S0176/"> Wingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WinMM-WinMM"> <a href="/versions/v9/software/S0059/"> WinMM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winnti for Linux-Winnti for Linux"> 
<a href="/versions/v9/software/S0430/"> Winnti for Linux </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winnti for Windows-Winnti for Windows"> <a href="/versions/v9/software/S0141/"> Winnti for Windows </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wiper-Wiper"> <a href="/versions/v9/software/S0041/"> Wiper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WireLurker-WireLurker"> <a href="/versions/v9/software/S0312/"> WireLurker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WolfRAT-WolfRAT"> <a href="/versions/v9/software/S0489/"> WolfRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="X-Agent for Android-X-Agent for Android"> <a href="/versions/v9/software/S0314/"> X-Agent for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="XAgentOSX-XAgentOSX"> <a href="/versions/v9/software/S0161/"> XAgentOSX </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Xbash-Xbash"> <a href="/versions/v9/software/S0341/"> Xbash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Xbot-Xbot"> <a href="/versions/v9/software/S0298/"> Xbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="xCmd-xCmd"> <a href="/versions/v9/software/S0123/"> xCmd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="XcodeGhost-XcodeGhost"> <a href="/versions/v9/software/S0297/"> XcodeGhost </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="XLoader for Android-XLoader for Android"> <a href="/versions/v9/software/S0318/"> XLoader for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="XLoader for iOS-XLoader for iOS"> <a href="/versions/v9/software/S0490/"> XLoader for iOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="XTunnel-XTunnel"> <a href="/versions/v9/software/S0117/"> XTunnel </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head" id="YAHOYAH-YAHOYAH"> <a href="/versions/v9/software/S0388/"> YAHOYAH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="YiSpecter-YiSpecter"> <a href="/versions/v9/software/S0311/"> YiSpecter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="yty-yty"> <a href="/versions/v9/software/S0248/"> yty </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Zebrocy-Zebrocy"> <a href="/versions/v9/software/S0251/"> Zebrocy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Zen-Zen"> <a href="/versions/v9/software/S0494/"> Zen </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZergHelper-ZergHelper"> <a href="/versions/v9/software/S0287/"> ZergHelper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Zeroaccess-Zeroaccess"> <a href="/versions/v9/software/S0027/"> Zeroaccess </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZeroT-ZeroT"> <a href="/versions/v9/software/S0230/"> ZeroT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Zeus Panda-Zeus Panda"> <a href="/versions/v9/software/S0330/"> Zeus Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZLib-ZLib"> <a href="/versions/v9/software/S0086/"> ZLib </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="zwShell-zwShell"> <a href="/versions/v9/software/S0350/"> zwShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZxShell-ZxShell"> <a href="/versions/v9/software/S0412/"> ZxShell </a> </div> </div> </div> <div class="group-nav-mobile-view"> <span class="heading" id="v-home-tab" aria-selected="false">SOFTWARE</span> <div class="sidenav"> <div class="sidenav-head active" id="0-0"> <a href="/versions/v9/software/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="48418f3c6358406ca44dc7b2e84bda24"> <span>1-9</span> <div 
class="expand-button collapsed" id="48418f3c6358406ca44dc7b2e84bda24-header" data-toggle="collapse" data-target="#48418f3c6358406ca44dc7b2e84bda24-body" aria-expanded="false" aria-controls="#48418f3c6358406ca44dc7b2e84bda24-body"></div> </div> <div class="sidenav-body collapse" id="48418f3c6358406ca44dc7b2e84bda24-body" aria-labelledby="48418f3c6358406ca44dc7b2e84bda24-header"> <div class="sidenav"> <div class="sidenav-head" id="48418f3c6358406ca44dc7b2e84bda24-6292761697c84af2b3ab47e564c686ab"> <a href="/versions/v9/software/S0066/"> 3PARA RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="48418f3c6358406ca44dc7b2e84bda24-17fcf8f0d70e44b58bde97ee87b3565b"> <a href="/versions/v9/software/S0065/"> 4H RAT </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="7188c073623b4deea3ad87f4c7b3a4a6"> <span>A-B</span> <div class="expand-button collapsed" id="7188c073623b4deea3ad87f4c7b3a4a6-header" data-toggle="collapse" data-target="#7188c073623b4deea3ad87f4c7b3a4a6-body" aria-expanded="false" aria-controls="#7188c073623b4deea3ad87f4c7b3a4a6-body"></div> </div> <div class="sidenav-body collapse" id="7188c073623b4deea3ad87f4c7b3a4a6-body" aria-labelledby="7188c073623b4deea3ad87f4c7b3a4a6-header"> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-c361fed4a2074ad7a1b58a298c868ebe"> <a href="/versions/v9/software/S0469/"> ABK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-3c28e91d0f7d4f699305d80a31914546"> <a href="/versions/v9/software/S0202/"> adbupd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-dcfaa7c55aa54178bb1cc38ebb04cd6b"> <a href="/versions/v9/software/S0552/"> AdFind </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-3e8ea259f66b434c9588b0e2c0349926"> <a href="/versions/v9/software/S0309/"> Adups </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-e088cc1834d34121af72dc7b045482fd"> <a href="/versions/v9/software/S0045/"> ADVSTORESHELL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-9f815df98da84d3796ae7d95cffc9f24"> <a href="/versions/v9/software/S0440/"> Agent Smith </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-5b248b193495413c9facde687b2e847f"> <a href="/versions/v9/software/S0331/"> Agent Tesla </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-5ebfbe1d23fc48cab30374a1245c473c"> <a href="/versions/v9/software/S0092/"> Agent.btz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-30fecf8c31324fd18243df17eaa001bc"> <a href="/versions/v9/software/S0319/"> Allwinner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-650af89e5439418384922ea1c5d7203d"> <a href="/versions/v9/software/S0504/"> Anchor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-e241110c3cfd497987f99cdc22bed84c"> <a href="/versions/v9/software/S0525/"> Android/AdDisplay.Ashas </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-c455c275f1104f2b9568877e39ec371a"> <a href="/versions/v9/software/S0304/"> Android/Chuli.A </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-049ae09456f440f8b186438d24818080"> <a href="/versions/v9/software/S0524/"> AndroidOS/MalLocker.B </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-1a447cea39ce4c7d96479b78bb151b38"> <a href="/versions/v9/software/S0310/"> ANDROIDOS_ANSERVER.A </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="7188c073623b4deea3ad87f4c7b3a4a6-518a1b4049754cb68fabe42c4f7be83e"> <a href="/versions/v9/software/S0292/"> AndroRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-9f91b583c2284257bfd7b5d2e8ed159e"> <a href="/versions/v9/software/S0422/"> Anubis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-2c29f7b3241f4412a6af27efb5267c98"> <a href="/versions/v9/software/S0584/"> AppleJeus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-3fceb81ae6334adba4e53928c78aae45"> <a href="/versions/v9/software/S0456/"> Aria-body </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-38c89689838e4cc58ae68c68aa6d2ba8"> <a href="/versions/v9/software/S0099/"> Arp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-3ec5cd516aba43e1b565c349e0e0af61"> <a href="/versions/v9/software/S0540/"> Asacub </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-d6c4219cc90c4477b8afde579671bd4d"> <a href="/versions/v9/software/S0073/"> ASPXSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-ca5e8e9311c740d8999891bbe66a7473"> <a href="/versions/v9/software/S0373/"> Astaroth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-8f07137280d748029a428f9c869490f1"> <a href="/versions/v9/software/S0110/"> at </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-21ba4399938d430a93a3870b52d4074f"> <a href="/versions/v9/software/S0438/"> Attor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-72cc824120794007bbb90faaaaabea70"> <a href="/versions/v9/software/S0347/"> AuditCred </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-ed6da5f058a44bf2ae11275996b538d4"> <a href="/versions/v9/software/S0129/"> AutoIt backdoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-8a6b6cb297d143b7b42383cccacfa307"> <a href="/versions/v9/software/S0473/"> Avenger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-978a5d6b115140139cea6617c618a64f"> <a href="/versions/v9/software/S0344/"> Azorult </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-822554ddc024457796d462a62758ce5c"> <a href="/versions/v9/software/S0414/"> BabyShark </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-bff93946cb2d48cf826fd3bff6ab9335"> <a href="/versions/v9/software/S0475/"> BackConfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-50c9eb5bed2745ae87547a9c1796d515"> <a href="/versions/v9/software/S0093/"> Backdoor.Oldrea </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-1d4dcd04271e4d3f80126e736572db43"> <a href="/versions/v9/software/S0031/"> BACKSPACE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-aebb4b3c06ce4e56945bcc799a52a88e"> <a href="/versions/v9/software/S0245/"> BADCALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-9994806518954b64bd5412d9d343ba29"> <a href="/versions/v9/software/S0128/"> BADNEWS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-a26f35ae3d6944469dd839fc3b72f541"> <a href="/versions/v9/software/S0337/"> BadPatch </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="7188c073623b4deea3ad87f4c7b3a4a6-1a2fbb2fda144f648411131ee14da0c6"> <a href="/versions/v9/software/S0234/"> Bandook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-2c8d1b721be04f898f11e64d83e23cc7"> <a href="/versions/v9/software/S0239/"> Bankshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-10bd8795e03147fc818236863fdd80b5"> <a href="/versions/v9/software/S0534/"> Bazar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-38276d27a0374313a4e7714fdc4059c5"> <a href="/versions/v9/software/S0470/"> BBK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-87f24b07cfd8464692c0cc5c89fccbde"> <a href="/versions/v9/software/S0127/"> BBSRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-2e08a24c21a64b2c86e94708c5358265"> <a href="/versions/v9/software/S0574/"> BendyBear </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-9ccb2a12b027460abb117c09b0d07ed2"> <a href="/versions/v9/software/S0017/"> BISCUIT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-8b3c0ea89a17410293a45ff73448425c"> <a href="/versions/v9/software/S0268/"> Bisonal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-2718d54e72074504b90503b4bc99b07c"> <a href="/versions/v9/software/S0570/"> BitPaymer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-3b45607bc5994a338fe62b8db410de1f"> <a href="/versions/v9/software/S0190/"> BITSAdmin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-fc913627c5194c75b21a6940c6944926"> <a href="/versions/v9/software/S0069/"> BLACKCOFFEE </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-a6a73e3cb1654412bba4a0543decaec8"> <a href="/versions/v9/software/S0089/"> BlackEnergy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-df1ced35d9d94bbc9210e374b3ab67e1"> <a href="/versions/v9/software/S0564/"> BlackMould </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-a6cb5b8bf420475db961cf2c1d907002"> <a href="/versions/v9/software/S0520/"> BLINDINGCAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-1f6dc762aa94492885c1c497e0c9ddd1"> <a href="/versions/v9/software/S0521/"> BloodHound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-02043ab47c384237a7aa4ae2f58bbde3"> <a href="/versions/v9/software/S0486/"> Bonadan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-750a5513c41a4721be478e5d0eca8193"> <a href="/versions/v9/software/S0360/"> BONDUPDATER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-29a722ee137f4dffa821f75ebd28084b"> <a href="/versions/v9/software/S0415/"> BOOSTWRITE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-838ad4c53d3f44a481952a144c2bade1"> <a href="/versions/v9/software/S0114/"> BOOTRASH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-6e542a152aff45698a40c0e3355730c4"> <a href="/versions/v9/software/S0293/"> BrainTest </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-0f116510c376423bb447f11f31569445"> <a href="/versions/v9/software/S0252/"> Brave Prince </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="7188c073623b4deea3ad87f4c7b3a4a6-f8410717cea048a18d4a1cbfd0d6ec0e"> <a href="/versions/v9/software/S0432/"> Bread </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-14305b258f924dc69805ccca619fc289"> <a href="/versions/v9/software/S0204/"> Briba </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-3c936682994942799c616c5dbfdd1616"> <a href="/versions/v9/software/S0014/"> BS2005 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-54a4b9ab2d6b4cb385713de7b962e14c"> <a href="/versions/v9/software/S0043/"> BUBBLEWRAP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-1ec2787799bf4b33a2503115682766e3"> <a href="/versions/v9/software/S0471/"> build_downer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7188c073623b4deea3ad87f4c7b3a4a6-85f3be01078e4d07ae9dcc12d28a350f"> <a href="/versions/v9/software/S0482/"> Bundlore </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="45d7b74aa0944de18130a412091c2509"> <span>C-D</span> <div class="expand-button collapsed" id="45d7b74aa0944de18130a412091c2509-header" data-toggle="collapse" data-target="#45d7b74aa0944de18130a412091c2509-body" aria-expanded="false" aria-controls="#45d7b74aa0944de18130a412091c2509-body"></div> </div> <div class="sidenav-body collapse" id="45d7b74aa0944de18130a412091c2509-body" aria-labelledby="45d7b74aa0944de18130a412091c2509-header"> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-dad0af829bbb4a9395c730410f88e2e7"> <a href="/versions/v9/software/S0119/"> Cachedump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-de6f81ee60034dcbba5a68d8db2e3265"> <a href="/versions/v9/software/S0454/"> Cadelspy </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-01265574e664494ebcafbfa532b50fc6"> <a href="/versions/v9/software/S0025/"> CALENDAR </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-e6ae9e482ffa4d44958f0a0743a60190"> <a href="/versions/v9/software/S0274/"> Calisto </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b7c27f7c3b42438084f65c75a11f6565"> <a href="/versions/v9/software/S0077/"> CallMe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-9e34224cc35b4f5f80bede1031672758"> <a href="/versions/v9/software/S0351/"> Cannon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-1be1987dbcdb418ba963efc08035dcb7"> <a href="/versions/v9/software/S0030/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-cdb5bf3a936c4bd5891db6557758b8e0"> <a href="/versions/v9/software/S0484/"> Carberp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-105da4ac017a475e996da2a02a510117"> <a href="/versions/v9/software/S0335/"> Carbon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-e2132eeea32f43f9a10eca6a6b45fc45"> <a href="/versions/v9/software/S0529/"> CarbonSteal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-48735f1d19c5466ca1f0e08e2f140fd2"> <a href="/versions/v9/software/S0348/"> Cardinal RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-5e1645f3b9c345ddbd6ae47b727c1147"> <a href="/versions/v9/software/S0465/"> CARROTBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-e955430c035e4528a1d5a801c7dc362f"> <a 
href="/versions/v9/software/S0462/"> CARROTBAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b4dc0bd1f545420b99a1a9e4cc96a103"> <a href="/versions/v9/software/S0261/"> Catchamas </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b1a3a7d15ad84f86ab845ed9418b5f30"> <a href="/versions/v9/software/S0572/"> Caterpillar WebShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-48c60ad8c9414793b82ae2e4b18c1d89"> <a href="/versions/v9/software/S0222/"> CCBkdr </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-4ac63d8c3f004beca2c39e03aa9214f0"> <a href="/versions/v9/software/S0480/"> Cerberus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-589addb37a2540cba233dc99523bb4e8"> <a href="/versions/v9/software/S0160/"> certutil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-7cbb910100a6400a9f0908afee4f0e13"> <a href="/versions/v9/software/S0220/"> Chaos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-f84cae45f1734efe9a38ff69c4999c68"> <a href="/versions/v9/software/S0323/"> Charger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b7ea032273d14477aef845efab4ac4e1"> <a href="/versions/v9/software/S0144/"> ChChes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-52fd1fc57d714395a84887087abf19c1"> <a href="/versions/v9/software/S0555/"> CHEMISTGAMES </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-73854f02864544e7bdcfe218c431f145"> <a href="/versions/v9/software/S0107/"> Cherry Picker </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-eeaf494c03694aabaedd33c962cef449"> <a href="/versions/v9/software/S0020/"> China Chopper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-5348a1bd98264c819cbdbafc413854b4"> <a href="/versions/v9/software/S0023/"> CHOPSTICK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-cd75d2edc6f74f28bec4aad343a3afb3"> <a href="/versions/v9/software/S0602/"> Circles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-c1106e7c997448f9b31530026c59d44b"> <a href="/versions/v9/software/S0054/"> CloudDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-72565e36ba454a99aae137a6ca24c733"> <a href="/versions/v9/software/S0106/"> cmd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-f131493e37a5488a93a5139a465e1c25"> <a href="/versions/v9/software/S0154/"> Cobalt Strike </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-04d6b8d929e24e56bd31461a3d6948ae"> <a href="/versions/v9/software/S0338/"> Cobian RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-8664bd79ce864898ab5bd66a38e95cf2"> <a href="/versions/v9/software/S0369/"> CoinTicker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-a1b6d60ce8974ebc8e60ebf22f197cc0"> <a href="/versions/v9/software/S0244/"> Comnie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-eab1b3bbaa944f0489a05755a82a2d58"> <a href="/versions/v9/software/S0126/"> ComRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b3a86a366f3147cf9243008da1d3779b"> <a 
href="/versions/v9/software/S0426/"> Concipit1248 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-cbb4d5b88d2648fab212979e84a8eda4"> <a href="/versions/v9/software/S0591/"> ConnectWise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-10b66095858747c283c1b835297089dc"> <a href="/versions/v9/software/S0575/"> Conti </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-636f8f0797d34c4c98a8db4a12ce97a3"> <a href="/versions/v9/software/S0492/"> CookieMiner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-5e2920a47cd04278a5ed7f647796e216"> <a href="/versions/v9/software/S0212/"> CORALDECK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-691179444b504df79e5cde4d7ef407eb"> <a href="/versions/v9/software/S0137/"> CORESHELL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-5bcc7a6ed46d41d0a655b69190233504"> <a href="/versions/v9/software/S0425/"> Corona Updates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-7ddeee50080b41bfaa7aa2ff81d7636c"> <a href="/versions/v9/software/S0050/"> CosmicDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-46b4abcccb0f4fc7b64dec9039e06d1c"> <a href="/versions/v9/software/S0046/"> CozyCar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-ff1c32c259394e37830d8f88222a3035"> <a href="/versions/v9/software/S0488/"> CrackMapExec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-85e1e120a7844821bc6e61fe91780793"> <a href="/versions/v9/software/S0115/"> Crimson </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-76f3ee6d70e84263810dae1d8f61f0df"> <a href="/versions/v9/software/S0235/"> CrossRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-1491ddb715884b50af82d4be6b3813cc"> <a href="/versions/v9/software/S0538/"> Crutch </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-4917f92d6b2a4fc992cfb2c5509e9c04"> <a href="/versions/v9/software/S0498/"> Cryptoistic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-d8b7b5f1e00a4c2da5abc58d62e64d2f"> <a href="/versions/v9/software/S0527/"> CSPY Downloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b609e4bb10af49fe94202373f70a947a"> <a href="/versions/v9/software/S0497/"> Dacls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-e85c09afbce04478afc62f2c5dae9a8f"> <a href="/versions/v9/software/S0334/"> DarkComet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-2972aba1d08242c397b6e568e422ce90"> <a href="/versions/v9/software/S0187/"> Daserf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-825bc4f61d1b4bafab04caba19a26e88"> <a href="/versions/v9/software/S0255/"> DDKONG </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-47d1e9e048a941b3ae254814d2028265"> <a href="/versions/v9/software/S0243/"> DealersChoice </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-e3a46bb9605b456bb082db70738d7714"> <a href="/versions/v9/software/S0479/"> DEFENSOR ID </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-c850e96cf9ca4b1daf8743091f92c3be"> <a 
href="/versions/v9/software/S0301/"> Dendroid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-999990709ba842358ab749cedb6318e0"> <a href="/versions/v9/software/S0354/"> Denis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b0e6ee62f57d449187222d1b29795390"> <a href="/versions/v9/software/S0021/"> Derusbi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-5f3f9ca9a3184c78a97a5f9134802f97"> <a href="/versions/v9/software/S0505/"> Desert Scorpion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-d2b4fb9f315541ec9daff39f1f1f1578"> <a href="/versions/v9/software/S0200/"> Dipsind </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-3cc8a2c475954ea1a01aefa8ad1f02e1"> <a href="/versions/v9/software/S0213/"> DOGCALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-0af4d57a58b748389510a5707b46bef7"> <a href="/versions/v9/software/S0281/"> Dok </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-e79202c9fc8e47958dd3c0594270b149"> <a href="/versions/v9/software/S0600/"> Doki </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-5b685bd7b0e54ab2ab1dfb1dcbe5f87e"> <a href="/versions/v9/software/S0550/"> DoubleAgent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-d40e4c25800e492f9fa0d7237d6a6574"> <a href="/versions/v9/software/S0472/"> down_new </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-318f3e3aba4247249bcd3315cdef6e9e"> <a href="/versions/v9/software/S0134/"> Downdelph </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="45d7b74aa0944de18130a412091c2509-73f7193d85bc456abf76b76e23a5408b"> <a href="/versions/v9/software/S0186/"> DownPaper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-d78df7f9ce6445839574b0de511cee94"> <a href="/versions/v9/software/S0300/"> DressCode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-fa4cbfb5fb2b4924ba720a7471e0c7d7"> <a href="/versions/v9/software/S0384/"> Dridex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-f29dec5d90124dc383fd704790a56adf"> <a href="/versions/v9/software/S0320/"> DroidJack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-72e27647836b41d2891f3aa86e9eb5d7"> <a href="/versions/v9/software/S0547/"> DropBook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-082862e8aaa4476a85feb3fa0b4ee427"> <a href="/versions/v9/software/S0502/"> Drovorub </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-b45370169aca4afbbf90a25713df83f4"> <a href="/versions/v9/software/S0105/"> dsquery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-83ab160e2f944e0f930ec564eee30b1f"> <a href="/versions/v9/software/S0567/"> Dtrack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-ea784617c55649e5afd0ff7592ee5748"> <a href="/versions/v9/software/S0315/"> DualToy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-8401eaf6aa7140c8ad9c02f4b93991a5"> <a href="/versions/v9/software/S0038/"> Duqu </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-37dcdb82678c40f5844d6a6da1ac99b9"> <a href="/versions/v9/software/S0062/"> DustySky </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-0a68233f002244dc816940be9a0c5a91"> <a href="/versions/v9/software/S0420/"> Dvmap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="45d7b74aa0944de18130a412091c2509-f698142a09fe40f0acd96f3e06ff4a62"> <a href="/versions/v9/software/S0024/"> Dyre </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="995763ff60774cf6905e1c1225aa6cd3"> <span>E-F</span> <div class="expand-button collapsed" id="995763ff60774cf6905e1c1225aa6cd3-header" data-toggle="collapse" data-target="#995763ff60774cf6905e1c1225aa6cd3-body" aria-expanded="false" aria-controls="#995763ff60774cf6905e1c1225aa6cd3-body"></div> </div> <div class="sidenav-body collapse" id="995763ff60774cf6905e1c1225aa6cd3-body" aria-labelledby="995763ff60774cf6905e1c1225aa6cd3-header"> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-440f7c89572f45459fde0f2b3f78af44"> <a href="/versions/v9/software/S0377/"> Ebury </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-af702b2b4d1c4369b91a94f544ed9dc5"> <a href="/versions/v9/software/S0593/"> ECCENTRICBANDWAGON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-92800ced9f9c49e1801f9b0515ccd9bc"> <a href="/versions/v9/software/S0554/"> Egregor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-1c4639d52c5b42619d9241b0af6162b2"> <a href="/versions/v9/software/S0081/"> Elise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-3837c26de33f42e2859703e13989f07e"> <a href="/versions/v9/software/S0064/"> ELMER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-579ebdbfad37467b8b654b1762fafcb3"> <a href="/versions/v9/software/S0082/"> Emissary 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-4d64ad85a3ae425b9b27317efba9b8ee"> <a href="/versions/v9/software/S0367/"> Emotet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-36953764dc7148d68be75e1c0d44df6b"> <a href="/versions/v9/software/S0363/"> Empire </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-315be8b1c5414f41b96c87ed4d5bda14"> <a href="/versions/v9/software/S0091/"> Epic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-b6cb7a3c66734b75b3b2947b812f6015"> <a href="/versions/v9/software/S0404/"> esentutl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-501630d620c64844aad50e4efda919b0"> <a href="/versions/v9/software/S0507/"> eSurv </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-f6a6f27546ae4243931a90dab5c9c05a"> <a href="/versions/v9/software/S0478/"> EventBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-39969cce13a0435ab804d1966e0c0d06"> <a href="/versions/v9/software/S0396/"> EvilBunny </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-ae9c39bd012b4b42b7b93ec2aa085252"> <a href="/versions/v9/software/S0152/"> EvilGrab </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-becba6a835494476ba9ba67466806cc1"> <a href="/versions/v9/software/S0568/"> EVILNUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-38e3cf036c114a428b8ebd0949b04ca0"> <a href="/versions/v9/software/S0401/"> Exaramel for Linux </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="995763ff60774cf6905e1c1225aa6cd3-8fe762f488324340bf591085e32ed4f0"> <a href="/versions/v9/software/S0343/"> Exaramel for Windows </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-1efdb46c675244fe9905f40dab34784d"> <a href="/versions/v9/software/S0522/"> Exobot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-65873afe72f347ec9c23193d4ea207cb"> <a href="/versions/v9/software/S0405/"> Exodus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-9c9808f5b39742e7a7c8851232fc98b3"> <a href="/versions/v9/software/S0361/"> Expand </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-f036159060774437a649ecff71d96392"> <a href="/versions/v9/software/S0569/"> Explosive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-1bb75bf13b454132b4f2d6f49ad79196"> <a href="/versions/v9/software/S0076/"> FakeM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-e27cb3bd2d1e4db5bdf971b4a6810657"> <a href="/versions/v9/software/S0509/"> FakeSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-44bd9661e61345439195a28bbfef165b"> <a href="/versions/v9/software/S0181/"> FALLCHILL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-c7a52e1061e54cb7a7e54d126e19f36c"> <a href="/versions/v9/software/S0512/"> FatDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-8b957d75690d428bb943f4ff6c4f0409"> <a href="/versions/v9/software/S0171/"> Felismus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-7b8d3d8c16574e1c86904ecdefc66495"> <a href="/versions/v9/software/S0267/"> 
FELIXROOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-2660039fd2ba487ba124a9c4ee077db4"> <a href="/versions/v9/software/S0120/"> Fgdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-3a17a2e1458f4f3ca0b6cb0ec557cbe9"> <a href="/versions/v9/software/S0355/"> Final1stspy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-dae234fb63374b9ea14e943efd098143"> <a href="/versions/v9/software/S0182/"> FinFisher </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-4f617b954de64c9fba3e2384f654a9bd"> <a href="/versions/v9/software/S0143/"> Flame </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-89c77272716844e3a5ff144d0f7d96a8"> <a href="/versions/v9/software/S0036/"> FLASHFLOOD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-23cd0ec2130b4cb08fade93190bfc2c9"> <a href="/versions/v9/software/S0381/"> FlawedAmmyy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-41c0eac5fe6b48cb9b590f3008ec18d0"> <a href="/versions/v9/software/S0383/"> FlawedGrace </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-b24d12ea13284553a4ce495c23ec2da9"> <a href="/versions/v9/software/S0408/"> FlexiSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-0004f61cbecc488e950b5d5823945b87"> <a href="/versions/v9/software/S0173/"> FLIPSIDE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-a4dd54ccde59437a951a3a43ea883a43"> <a href="/versions/v9/software/S0193/"> Forfiles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="995763ff60774cf6905e1c1225aa6cd3-08df06ecbf794e4b9f186eb39d9f2454"> <a href="/versions/v9/software/S0503/"> FrameworkPOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-f984817dbfcd4011b2cd08e2e36f520e"> <a href="/versions/v9/software/S0577/"> FrozenCell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-e90edf8b275e46f188cb74dcec6105b0"> <a href="/versions/v9/software/S0277/"> FruitFly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-eaf3bceec6a24054ad25195399c9b56b"> <a href="/versions/v9/software/S0095/"> FTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="995763ff60774cf6905e1c1225aa6cd3-6dc5615da30647799b4fd29942a7601d"> <a href="/versions/v9/software/S0410/"> Fysbis </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="7dda4863994e41969314028147217d4b"> <span>G-H</span> <div class="expand-button collapsed" id="7dda4863994e41969314028147217d4b-header" data-toggle="collapse" data-target="#7dda4863994e41969314028147217d4b-body" aria-expanded="false" aria-controls="#7dda4863994e41969314028147217d4b-body"></div> </div> <div class="sidenav-body collapse" id="7dda4863994e41969314028147217d4b-body" aria-labelledby="7dda4863994e41969314028147217d4b-header"> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-96c3a7e149f8443883fb29e3fb8c17d0"> <a href="/versions/v9/software/S0168/"> Gazer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-068b14a3f8904e0393a7c41db7899025"> <a href="/versions/v9/software/S0049/"> GeminiDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-39539bdfc5554eeb9861f2b88936cc13"> <a href="/versions/v9/software/S0460/"> Get2 </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="7dda4863994e41969314028147217d4b-1379197e041e4f49b753bbad9ab55d5d"> <a href="/versions/v9/software/S0032/"> gh0st RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-0a1b690dca9c424c9dd3d3d84aee2a12"> <a href="/versions/v9/software/S0423/"> Ginp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-0fb3045a074c41fb8186f4bba6880ca4"> <a href="/versions/v9/software/S0026/"> GLOOXMAIL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-0b4bdbfb8cac4d7b91b45c06510b664f"> <a href="/versions/v9/software/S0249/"> Gold Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-32b08aa056464f55879d72bcfc3f1c7e"> <a href="/versions/v9/software/S0535/"> Golden Cup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-61f827c3521242968b6917fc1c89d1ef"> <a href="/versions/v9/software/S0551/"> GoldenEagle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-b6542052a3c045c0975867c84f7f8ac9"> <a href="/versions/v9/software/S0493/"> GoldenSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-57504368f36f4b009a5db0bd1c4e5ca5"> <a href="/versions/v9/software/S0597/"> GoldFinder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-ec7a7bb8ff1b42fca43931d4508c6893"> <a href="/versions/v9/software/S0588/"> GoldMax </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-199454843d354ee585d312061c05c59b"> <a href="/versions/v9/software/S0421/"> GolfSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-bb53aabf90a84a4f983d725c0bf4d753"> <a 
href="/versions/v9/software/S0290/"> Gooligan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-5ea97ac576bc4a299da0082d0d97e5fb"> <a href="/versions/v9/software/S0477/"> Goopy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-0d14e13bfec04b78acf37473f35c2de7"> <a href="/versions/v9/software/S0536/"> GPlayed </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-60fe034b7b5c4d219234baa028eb05c2"> <a href="/versions/v9/software/S0531/"> Grandoreiro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-bb8c6a5e36974e7a9a1482a005f50e52"> <a href="/versions/v9/software/S0237/"> GravityRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-0a6266a7b2b04e968513cc93e5c21308"> <a href="/versions/v9/software/S0342/"> GreyEnergy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-11d60f2256f643ccb5d3365f842ed916"> <a href="/versions/v9/software/S0417/"> GRIFFON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-578c22d4f5054d6f96295dc9bccadfd7"> <a href="/versions/v9/software/S0008/"> gsecdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-7c07dfc2afba4c31a9ae969b7a565793"> <a href="/versions/v9/software/S0561/"> GuLoader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-1163df4d3fd2447dbaa2b50e21bfb631"> <a href="/versions/v9/software/S0406/"> Gustuff </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-f3d85c50ecac4af790400f86293fbfc6"> <a href="/versions/v9/software/S0132/"> H1N1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="7dda4863994e41969314028147217d4b-8b9a871d7bc949e2b245482480f41887"> <a href="/versions/v9/software/S0047/"> Hacking Team UEFI Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-2686b8a32f264a4ea8725539a6c0138a"> <a href="/versions/v9/software/S0151/"> HALFBAKED </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-6ddd8a7c2fcc44a6be4fecf905f28dc6"> <a href="/versions/v9/software/S0037/"> HAMMERTOSS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-098de606790d4a6b9f96822c8c9cf8bb"> <a href="/versions/v9/software/S0499/"> Hancitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-887e37ed1c9a4af1a7f6a0ee03658e97"> <a href="/versions/v9/software/S0214/"> HAPPYWORK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-bb6014d8e91d4bb09a5435ea0469c61c"> <a href="/versions/v9/software/S0246/"> HARDRAIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-2e825e70c3154d4b9b5daaa719bfd71f"> <a href="/versions/v9/software/S0224/"> Havij </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-df118731429a492dab61890aa302cccb"> <a href="/versions/v9/software/S0391/"> HAWKBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-763c001420674678b586a1a6371e2090"> <a href="/versions/v9/software/S0071/"> hcdLoader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-9cb257c7297241389f7ef7b505836f66"> <a href="/versions/v9/software/S0061/"> HDoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-b4264d11660f43aebbf18b58acc38578"> <a 
href="/versions/v9/software/S0170/"> Helminth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-66fb445f47b44daea9a51c95c2e89e69"> <a href="/versions/v9/software/S0544/"> HenBox </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-624ac6fa8f7548c88de3a1f492371a85"> <a href="/versions/v9/software/S0087/"> Hi-Zor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-4174588c8a784aa7b86bf44cca029f0e"> <a href="/versions/v9/software/S0394/"> HiddenWasp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-56d093a3a65940c5ab13c4c46b6c6a41"> <a href="/versions/v9/software/S0135/"> HIDEDRV </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-f7582b8b16d646b18d1cccc40502e080"> <a href="/versions/v9/software/S0009/"> Hikit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-cfbb1a3b2af84107b3b553ca52b0dc9a"> <a href="/versions/v9/software/S0601/"> Hildegard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-259bb3505eae4ad9a7e20f92398a645b"> <a href="/versions/v9/software/S0232/"> HOMEFRY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-8da03ca68df54ae2bb0a6bb4159869ce"> <a href="/versions/v9/software/S0376/"> HOPLIGHT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-af129521a0f9411d9ce612a0fcbcc38e"> <a href="/versions/v9/software/S0431/"> HotCroissant </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-f64a8f347ef74cd4a081e01eca2e7eab"> <a href="/versions/v9/software/S0040/"> HTRAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="7dda4863994e41969314028147217d4b-a45716a36032488c8e9948a50838c255"> <a href="/versions/v9/software/S0070/"> HTTPBrowser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-50729d64d668464dbbc7c8330fdad07c"> <a href="/versions/v9/software/S0068/"> httpclient </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-b446f4c7d5ed4f38847b873ff1fe1964"> <a href="/versions/v9/software/S0322/"> HummingBad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-6a05d0e232b2476bb6dfc8eef44dedb8"> <a href="/versions/v9/software/S0321/"> HummingWhale </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-d7ba3aafe5f74bc691385c71cfbbeb70"> <a href="/versions/v9/software/S0203/"> Hydraq </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-9a14ee55c92944d3bd6e444a4a03dc34"> <a href="/versions/v9/software/S0398/"> HyperBro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7dda4863994e41969314028147217d4b-7f65bf8eade14e8aa999c61158f72523"> <a href="/versions/v9/software/S0537/"> HyperStack </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="1fb850c336df45e2badf3c675ecf29e3"> <span>I-J</span> <div class="expand-button collapsed" id="1fb850c336df45e2badf3c675ecf29e3-header" data-toggle="collapse" data-target="#1fb850c336df45e2badf3c675ecf29e3-body" aria-expanded="false" aria-controls="#1fb850c336df45e2badf3c675ecf29e3-body"></div> </div> <div class="sidenav-body collapse" id="1fb850c336df45e2badf3c675ecf29e3-body" aria-labelledby="1fb850c336df45e2badf3c675ecf29e3-header"> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-3d40ba62c14a493480edc1728666aeba"> <a href="/versions/v9/software/S0483/"> IcedID </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-b4182532aaa24485af90d97a9aa1952e"> <a href="/versions/v9/software/S0101/"> ifconfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-6beee0141dac4625afc4478f6a4b78bf"> <a href="/versions/v9/software/S0278/"> iKitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-8d781293905445ee8e05d26859313757"> <a href="/versions/v9/software/S0434/"> Imminent Monitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-7684f92140c243608b02a6d042cc465f"> <a href="/versions/v9/software/S0357/"> Impacket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-da794609c7994d7c95075ceb3b1ebc0f"> <a href="/versions/v9/software/S0259/"> InnaputRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-01130ca148184b70a711973a77fa0806"> <a href="/versions/v9/software/S0463/"> INSOMNIA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-4a36b62bf4e34ed387f8a2346700f719"> <a href="/versions/v9/software/S0260/"> InvisiMole </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-a7c39411776c4e8690ea794ca7f38620"> <a href="/versions/v9/software/S0231/"> Invoke-PSImage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-233c3873a10e44428baa1e141eab02d8"> <a href="/versions/v9/software/S0100/"> ipconfig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-9c613e68b89d408bbc1fb7f58e6c10da"> <a href="/versions/v9/software/S0581/"> IronNetInjector </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-26fa4f3bda444405993504417e0e14b8"> <a 
href="/versions/v9/software/S0189/"> ISMInjector </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-bbcc26bad22740c1bc33863e7613b32c"> <a href="/versions/v9/software/S0015/"> Ixeshe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-279190baddd04d27942986d05a0202d6"> <a href="/versions/v9/software/S0163/"> Janicab </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-dbf21dc30e9c4484893c9fe96a1a7709"> <a href="/versions/v9/software/S0528/"> Javali </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-9dcb81f14ce74a14bf7d792831629db5"> <a href="/versions/v9/software/S0389/"> JCry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-aab2f351221148e9aa59b738ebef31a9"> <a href="/versions/v9/software/S0044/"> JHUHUGIT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-a199308d03e542e4a9cb13b225f64f3b"> <a href="/versions/v9/software/S0201/"> JPIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-00c9db0c3eed46108db3d22e71e08a8d"> <a href="/versions/v9/software/S0283/"> jRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1fb850c336df45e2badf3c675ecf29e3-23903cfe984d444cb9a0c1eb6e97d98f"> <a href="/versions/v9/software/S0325/"> Judy </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="56cffb3dd4fc4e38868dba75d49ec567"> <span>K-L</span> <div class="expand-button collapsed" id="56cffb3dd4fc4e38868dba75d49ec567-header" data-toggle="collapse" data-target="#56cffb3dd4fc4e38868dba75d49ec567-body" aria-expanded="false" aria-controls="#56cffb3dd4fc4e38868dba75d49ec567-body"></div> </div> <div class="sidenav-body collapse" id="56cffb3dd4fc4e38868dba75d49ec567-body" 
aria-labelledby="56cffb3dd4fc4e38868dba75d49ec567-header"> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-f77ada02ba3e4f8b9eb4c0859a06f549"> <a href="/versions/v9/software/S0215/"> KARAE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-d67dff796de24c7bbbf867bc80233183"> <a href="/versions/v9/software/S0088/"> Kasidet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-ececab99072d48f1adc66cd5378e94f5"> <a href="/versions/v9/software/S0265/"> Kazuar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-f8847c79826b46438ddee9c498526222"> <a href="/versions/v9/software/S0585/"> Kerrdown </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-7fd9cc8646384389a9999c3f7177eb07"> <a href="/versions/v9/software/S0487/"> Kessel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-4f1a8954e70c4a6b8545fbe79858a59a"> <a href="/versions/v9/software/S0387/"> KeyBoy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-f98ce974c937466abda3fd8dbe8891d6"> <a href="/versions/v9/software/S0276/"> Keydnap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-5f3b7542656242bdb46e39d3b4c4f72f"> <a href="/versions/v9/software/S0271/"> KEYMARBLE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-64e1d76b46764879b2b5a2ead9c78a87"> <a href="/versions/v9/software/S0288/"> KeyRaider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-4657bc4617c149afb9f585b96923b600"> <a href="/versions/v9/software/S0526/"> KGH_SPY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="56cffb3dd4fc4e38868dba75d49ec567-bbaed415b2d242b887372c5311efc1d7"> <a href="/versions/v9/software/S0599/"> Kinsing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-7bc048a70ad244b3bb873a699e730598"> <a href="/versions/v9/software/S0437/"> Kivars </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-2daeb36dc3d2442d9c0903f066ba60a7"> <a href="/versions/v9/software/S0250/"> Koadic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-472418f1763441aa8fedc6330cfbbbcb"> <a href="/versions/v9/software/S0162/"> Komplex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-9373784fcfe04a0393f3ebcee431beaf"> <a href="/versions/v9/software/S0156/"> KOMPROGO </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-b7ac592a1cee47dd81b8ceb1191f8d83"> <a href="/versions/v9/software/S0356/"> KONNI </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-3034cdc6a1f141f8b87065bca529b203"> <a href="/versions/v9/software/S0236/"> Kwampirs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-e966a5795b8c45229f5d87ba392be3f6"> <a href="/versions/v9/software/S0349/"> LaZagne </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-18df2766ab6f470c93d06ba657a07ce0"> <a href="/versions/v9/software/S0395/"> LightNeuron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-fed64c4332ed4ac6b437ecd0575fc475"> <a href="/versions/v9/software/S0211/"> Linfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-36377314560944ef9afdbded7f3b3b55"> <a href="/versions/v9/software/S0362/"> Linux Rabbit </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-d2335b6d5bbd4f399f2ff6874a52eb39"> <a href="/versions/v9/software/S0372/"> LockerGoga </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-2da91ae36682427b89a2aec900a16f70"> <a href="/versions/v9/software/S0397/"> LoJax </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-595c207eec2c42eb9eba8164b7c41ffa"> <a href="/versions/v9/software/S0447/"> Lokibot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-e13b6d6e12b545ab9708c99547d9250b"> <a href="/versions/v9/software/S0582/"> LookBack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-f172a7d526304444b76d8be5a7b233ea"> <a href="/versions/v9/software/S0451/"> LoudMiner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-0c323671203948c4a80babf1dc1ed468"> <a href="/versions/v9/software/S0042/"> LOWBALL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-4a4f0b3db0bf4f03a24f7bcedfd3695b"> <a href="/versions/v9/software/S0121/"> Lslsass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-e51744fa8f084fbca7800c3005f93f73"> <a href="/versions/v9/software/S0532/"> Lucifer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="56cffb3dd4fc4e38868dba75d49ec567-b16a3ead86764bc08a02d401e0c7ddef"> <a href="/versions/v9/software/S0010/"> Lurid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="39e3ccf5e40641dd904b0d11d0c696e4"> <span>M-N</span> <div class="expand-button collapsed" id="39e3ccf5e40641dd904b0d11d0c696e4-header" data-toggle="collapse" data-target="#39e3ccf5e40641dd904b0d11d0c696e4-body" aria-expanded="false" 
aria-controls="#39e3ccf5e40641dd904b0d11d0c696e4-body"></div> </div> <div class="sidenav-body collapse" id="39e3ccf5e40641dd904b0d11d0c696e4-body" aria-labelledby="39e3ccf5e40641dd904b0d11d0c696e4-header"> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-ad929117e09c414a99510c6884b8fbbd"> <a href="/versions/v9/software/S0409/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-1be03db82b904c3d9c3def4cd5307df3"> <a href="/versions/v9/software/S0282/"> MacSpy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-854f7ba19f764fafa71f39422a209dc3"> <a href="/versions/v9/software/S0413/"> MailSniper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-6c7f7d70f91140f3a5cb1346216d79e9"> <a href="/versions/v9/software/S0485/"> Mandrake </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-6df4c2455a694f588b7e7f48db1d1320"> <a href="/versions/v9/software/S0317/"> Marcher </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-3908733201d1485397d84dbbba44a8c6"> <a href="/versions/v9/software/S0167/"> Matryoshka </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-da462f365ca0493786b531201ad50e96"> <a href="/versions/v9/software/S0303/"> MazarBOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-a7abc2ef8f8f4c6a8ad7e3fe1f7e172a"> <a href="/versions/v9/software/S0449/"> Maze </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-ae9a0cccb9d740ce8c9eaea8013a9ea3"> <a href="/versions/v9/software/S0500/"> MCMD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="39e3ccf5e40641dd904b0d11d0c696e4-cf63d9e793ff4bb79c8d6f1621a598bd"> <a href="/versions/v9/software/S0459/"> MechaFlounder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-c790a4e42ac341c3955c5bf4447c2ab0"> <a href="/versions/v9/software/S0175/"> meek </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-8721b77ee5184cea8335bd7254836979"> <a href="/versions/v9/software/S0576/"> MegaCortex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-721a9f2030c0422cbd7392e72c28584a"> <a href="/versions/v9/software/S0530/"> Melcoz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-f8f4d0bce12b4736bd4f3bfdf90584de"> <a href="/versions/v9/software/S0443/"> MESSAGETAP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-1da54db31e6d4b64a31852798f0d4990"> <a href="/versions/v9/software/S0455/"> Metamorfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-004261e81643479e991be592c70f5062"> <a href="/versions/v9/software/S0339/"> Micropsia </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-5ecf9de241b64124a1fb9e357f3a8813"> <a href="/versions/v9/software/S0002/"> Mimikatz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-c478b0248ea24614944a6a2e4952c95b"> <a href="/versions/v9/software/S0179/"> MimiPenguin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-c3e1dd27da46472caf37200b211d2ac5"> <a href="/versions/v9/software/S0133/"> Miner-C </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-bad0c4c4be6e42fab0dd5f6cb168478e"> <a href="/versions/v9/software/S0051/"> 
MiniDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-36c0a28ca3cc4a84b795cb71ef88906c"> <a href="/versions/v9/software/S0280/"> MirageFox </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-9be1eb1f139e4855a1e496520c428b67"> <a href="/versions/v9/software/S0084/"> Mis-Type </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-3e7c4a59633444c9a2b513a17f677b8a"> <a href="/versions/v9/software/S0083/"> Misdat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-39f1845f13494108bb8d9ceac30747b2"> <a href="/versions/v9/software/S0080/"> Mivast </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-3823ed1fcb6a4963a5892b961f2d5c58"> <a href="/versions/v9/software/S0079/"> MobileOrder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-f3283bf6f961410daa182f9c616fe683"> <a href="/versions/v9/software/S0553/"> MoleNet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-3cc87a218f854f01a39b074ce385493d"> <a href="/versions/v9/software/S0407/"> Monokle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-24b9f40b56bb414e8646435a75c0789d"> <a href="/versions/v9/software/S0149/"> MoonWind </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-78e27f7765e442f0ad63cad93b6c7623"> <a href="/versions/v9/software/S0284/"> More_eggs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-8187b4ae14764ffa8f6955b6631e7b9c"> <a href="/versions/v9/software/S0256/"> Mosquito </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="39e3ccf5e40641dd904b0d11d0c696e4-1bbd06698a184d7a928ab3b978fa6b0e"> <a href="/versions/v9/software/S0233/"> MURKYTOP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-329d993dff564edeab6a3e8a3c047a83"> <a href="/versions/v9/software/S0205/"> Naid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-57bb1e806b094adaa76a5d5ac422df66"> <a href="/versions/v9/software/S0228/"> NanHaiShu </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-383d88f910024a9b96534b50707590c5"> <a href="/versions/v9/software/S0336/"> NanoCore </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-c145f2bf6cd343f0bbe141b4b872bc36"> <a href="/versions/v9/software/S0247/"> NavRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-4ac9ba123fd24f51a2673406d350b453"> <a href="/versions/v9/software/S0590/"> NBTscan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-237cd62fb48c46e79a89c0d95816211a"> <a href="/versions/v9/software/S0102/"> nbtstat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-8239c6acce7345d7b214877a597b547b"> <a href="/versions/v9/software/S0272/"> NDiskMonitor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-2cbaccb651054ac980f1cb98119c41d2"> <a href="/versions/v9/software/S0210/"> Nerex </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-3451e90b94af4b0692914f9ed0d77855"> <a href="/versions/v9/software/S0039/"> Net </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-ba349ab92da348918f09459989f1b0d0"> <a href="/versions/v9/software/S0056/"> Net Crawler </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-82712a11e595430088def8ae706e1dcb"> <a href="/versions/v9/software/S0034/"> NETEAGLE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-99911262ee034dfba7696a9ebbe9f7a7"> <a href="/versions/v9/software/S0108/"> netsh </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-e0b2b87eb57e4b968dd5ac1b5c686caa"> <a href="/versions/v9/software/S0104/"> netstat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-d0c11584f2b74392b2d1f533f81371ae"> <a href="/versions/v9/software/S0033/"> NetTraveler </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-421955b56ae1467bb0e5d76189f39f25"> <a href="/versions/v9/software/S0457/"> Netwalker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-cc3558cc87ec4534b60db1eb81343fd6"> <a href="/versions/v9/software/S0198/"> NETWIRE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-4869ab27832a4c089c48b3526b840df4"> <a href="/versions/v9/software/S0508/"> Ngrok </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-bf54a356521245f3a0cfdeb480f90796"> <a href="/versions/v9/software/S0118/"> Nidiran </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-70a2e95f5fc5468293820c24cc00e5ba"> <a href="/versions/v9/software/S0385/"> njRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-7853dd3460244e25835b6e07a6564e72"> <a href="/versions/v9/software/S0359/"> Nltest </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="39e3ccf5e40641dd904b0d11d0c696e4-06008a854bea4165bf51aa294c9a5439"> <a href="/versions/v9/software/S0353/"> NOKKI </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-c851e818d6504bcab55a8eeb452ef612"> <a href="/versions/v9/software/S0299/"> NotCompatible </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="39e3ccf5e40641dd904b0d11d0c696e4-5db08187e1f04e6785664ec216fb438b"> <a href="/versions/v9/software/S0368/"> NotPetya </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="765d7bcc2f35481abaf311c71e691b83"> <span>O-P</span> <div class="expand-button collapsed" id="765d7bcc2f35481abaf311c71e691b83-header" data-toggle="collapse" data-target="#765d7bcc2f35481abaf311c71e691b83-body" aria-expanded="false" aria-controls="#765d7bcc2f35481abaf311c71e691b83-body"></div> </div> <div class="sidenav-body collapse" id="765d7bcc2f35481abaf311c71e691b83-body" aria-labelledby="765d7bcc2f35481abaf311c71e691b83-header"> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-d02af7fe8e3041e9a094fb891ea9a6d8"> <a href="/versions/v9/software/S0286/"> OBAD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-eed06a361c6249e49fd10519e054f6a1"> <a href="/versions/v9/software/S0346/"> OceanSalt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-733a765d980747a1a5702334bcf168bb"> <a href="/versions/v9/software/S0340/"> Octopus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-aa36d57739a944a5aafadc4cd9f6955d"> <a href="/versions/v9/software/S0439/"> Okrum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-e79b3832a34c4be59e591111a511f0a3"> <a href="/versions/v9/software/S0138/"> OLDBAIT </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-33a51d03895544248d4d463fabd5237d"> <a href="/versions/v9/software/S0285/"> OldBoot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-512d584663794170a397f688f117bb7b"> <a href="/versions/v9/software/S0365/"> Olympic Destroyer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-622e5f32421d4c4696d0976414810b0a"> <a href="/versions/v9/software/S0052/"> OnionDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-37b25c0eb5ba4e7dbf4e08fc20a9364a"> <a href="/versions/v9/software/S0264/"> OopsIE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-dc8e7d261028475f8987251e1040691f"> <a href="/versions/v9/software/S0229/"> Orz </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-3ce2ce7ebdcd41c0836de01cdf9ed07e"> <a href="/versions/v9/software/S0165/"> OSInfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-15ee2f0eaf9f45588448b0c93fb0b65c"> <a href="/versions/v9/software/S0402/"> OSX/Shlayer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-6d9b8ade4f4248c894b2c74d12867cc1"> <a href="/versions/v9/software/S0352/"> OSX_OCEANLOTUS.D </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-73b29d4d4489437687f4239e5813dcd2"> <a href="/versions/v9/software/S0594/"> Out1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-248016dca2af41718474a50fb029859f"> <a href="/versions/v9/software/S0072/"> OwaAuth </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-0a7b03a25954470b8146c88e68f15067"> <a 
href="/versions/v9/software/S0598/"> P.A.S. Webshell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-bac0568ce8fe451d9ecd40b8dbae3265"> <a href="/versions/v9/software/S0016/"> P2P ZeuS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-a65692d250264a7e8363058ba9620bb8"> <a href="/versions/v9/software/S0399/"> Pallas </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-9f8e69e8e9974f32a0e7a0aaf6bc7cf7"> <a href="/versions/v9/software/S0208/"> Pasam </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-77943927dbf84eaf9d063afb4d9558ce"> <a href="/versions/v9/software/S0122/"> Pass-The-Hash Toolkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-29c42cf923454e23a0b49b593759b21e"> <a href="/versions/v9/software/S0556/"> Pay2Key </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-1580852c70904a4d92fff291b51efcc7"> <a href="/versions/v9/software/S0316/"> Pegasus for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-564799ac5bbf4df18c94663955e465dc"> <a href="/versions/v9/software/S0289/"> Pegasus for iOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-d3a5b3f2de99484184392431d06ee6e9"> <a href="/versions/v9/software/S0587/"> Penquin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-a062fb28bd634dd2b7dd5b0c6cc78556"> <a href="/versions/v9/software/S0158/"> PHOREAL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-b1344bfc5b5e4a24aba03e74eda7556b"> <a href="/versions/v9/software/S0517/"> Pillowmint </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-2a27e3fa9f4c4de8a09b279088b9e1c4"> <a href="/versions/v9/software/S0048/"> PinchDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-ff886d9db7c84ee1ac33f6644f497643"> <a href="/versions/v9/software/S0097/"> Ping </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-5e2b48ed7eb84c3e9ee931eca5e4b6ab"> <a href="/versions/v9/software/S0501/"> PipeMon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-b86fea5e5f1047d5b69331b71696ec8c"> <a href="/versions/v9/software/S0124/"> Pisloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-d291369e05324e859f7c5c8468f1f7c6"> <a href="/versions/v9/software/S0291/"> PJApps </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-5b560a3bb78540cfb3b65fd33cba0ceb"> <a href="/versions/v9/software/S0254/"> PLAINTEE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-e1f529ec6cd14dbd9e4944898fa33021"> <a href="/versions/v9/software/S0435/"> PLEAD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-ad32b797007648db98eac0516e701208"> <a href="/versions/v9/software/S0013/"> PlugX </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-4cb2b1be41f64c889593fb025d2b2dc9"> <a href="/versions/v9/software/S0067/"> pngdowner </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-1e37110d87664e1d9a70d1917b812b5b"> <a href="/versions/v9/software/S0428/"> PoetRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-c3910be3a28e447abea8b2e49d19cd14"> <a 
href="/versions/v9/software/S0012/"> PoisonIvy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-edd68a24caa547f7bd36ee48b0b82aeb"> <a href="/versions/v9/software/S0518/"> PolyglotDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-75ad2d21cb6849ca847ae90683a4bde4"> <a href="/versions/v9/software/S0453/"> Pony </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-84da3071627c48a0b11c6b066638c810"> <a href="/versions/v9/software/S0216/"> POORAIM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-78c179ad0ba04768bfa9e02a7c1b77c0"> <a href="/versions/v9/software/S0378/"> PoshC2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-c978ee001e4545bb86eb5c19c5681c59"> <a href="/versions/v9/software/S0150/"> POSHSPY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-b239ee716eb046d8b85304ff03233b1f"> <a href="/versions/v9/software/S0177/"> Power Loader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-655f8e173a3642248cd8b8d63da37385"> <a href="/versions/v9/software/S0139/"> PowerDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-f86a51265afa497faba0e365a4cc8ee7"> <a href="/versions/v9/software/S0441/"> PowerShower </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-64b1f2a3d5454da8a9e19842d38e06da"> <a href="/versions/v9/software/S0145/"> POWERSOURCE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-0031cd6a045c4725ad4ce1bf68ad9428"> <a href="/versions/v9/software/S0194/"> PowerSploit </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-17ef6b47e44744aea2f60bcfc29c3f7e"> <a href="/versions/v9/software/S0393/"> PowerStallion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-c24e2755414247fdaf7a9900fe1b6cee"> <a href="/versions/v9/software/S0223/"> POWERSTATS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-abbfb1ae473548ecacf912ce30c9d9af"> <a href="/versions/v9/software/S0371/"> POWERTON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-a8b1dffb0c204208b9d03e78e7aaf103"> <a href="/versions/v9/software/S0184/"> POWRUNER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-f3b1bd95bba54546872464de91080385"> <a href="/versions/v9/software/S0113/"> Prikormka </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-b0a0f24554d643a7aa78067a2e184d34"> <a href="/versions/v9/software/S0279/"> Proton </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-1f702a63fd234899917773ce398bb143"> <a href="/versions/v9/software/S0238/"> Proxysvc </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-dadd7124e6ac44d5bb37674ede9e4691"> <a href="/versions/v9/software/S0029/"> PsExec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-f3178421604a451ca5b384ad2c1473f1"> <a href="/versions/v9/software/S0078/"> Psylo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-1ce1a24553e743d18e17196db129f46c"> <a href="/versions/v9/software/S0147/"> Pteranodon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-fd0b0fca5ab74159b779d9eab2953fc5"> <a 
href="/versions/v9/software/S0196/"> PUNCHBUGGY </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-5caaefa62cf84497b802a52e1b3734c5"> <a href="/versions/v9/software/S0197/"> PUNCHTRACK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-b1c9926545fb4fe290504e708cbb3553"> <a href="/versions/v9/software/S0192/"> Pupy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-b71eb17a19764209b61d1d8347243cda"> <a href="/versions/v9/software/S0006/"> pwdump </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="765d7bcc2f35481abaf311c71e691b83-a4f3c87e46424c06851258ff2eb97c04"> <a href="/versions/v9/software/S0583/"> Pysa </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="1d295894e7a94614ab8c6a56330ce2cf"> <span>Q-R</span> <div class="expand-button collapsed" id="1d295894e7a94614ab8c6a56330ce2cf-header" data-toggle="collapse" data-target="#1d295894e7a94614ab8c6a56330ce2cf-body" aria-expanded="false" aria-controls="#1d295894e7a94614ab8c6a56330ce2cf-body"></div> </div> <div class="sidenav-body collapse" id="1d295894e7a94614ab8c6a56330ce2cf-body" aria-labelledby="1d295894e7a94614ab8c6a56330ce2cf-header"> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-cd0e5123083445d59444154270f83a6b"> <a href="/versions/v9/software/S0269/"> QUADAGENT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-8cd12cd6394242bebb93a35acc650bc8"> <a href="/versions/v9/software/S0262/"> QuasarRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-ff5b834c1fa04f66b1f9f2f55d53bda6"> <a href="/versions/v9/software/S0481/"> Ragnar Locker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="1d295894e7a94614ab8c6a56330ce2cf-da739d517c3a4bb48bdbc9911114b074"> <a href="/versions/v9/software/S0565/"> Raindrop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-211d9bdbc7d94a85957d5498024379c4"> <a href="/versions/v9/software/S0458/"> Ramsay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-7344e222306a4ddba5691e97946414b3"> <a href="/versions/v9/software/S0055/"> RARSTONE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-9426299bd74542d5927b2b61042e5199"> <a href="/versions/v9/software/S0241/"> RATANKBA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-d1691d8cc8834ef794756ab458f7ee00"> <a href="/versions/v9/software/S0364/"> RawDisk </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-57e09eee33b247c49c9970ab7404a689"> <a href="/versions/v9/software/S0169/"> RawPOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-9d9ff53d728641d8be3a450d59717164"> <a href="/versions/v9/software/S0295/"> RCSAndroid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-67f158b9c68b407c80f75e18c95581bc"> <a href="/versions/v9/software/S0495/"> RDAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-2c8651703a08466ba672bd625d5a933e"> <a href="/versions/v9/software/S0416/"> RDFSNIFFER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-8d55201f80f3470b8908c22974608d4e"> <a href="/versions/v9/software/S0172/"> Reaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-5702ad7da0d849c69fb44c4c863d3b43"> <a href="/versions/v9/software/S0539/"> Red Alert 2.0 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-d8a41dad618e4edf80a35c4445f5beb1"> <a href="/versions/v9/software/S0326/"> RedDrop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-bcc5b9affe674cc9834c5b9b19eceae1"> <a href="/versions/v9/software/S0153/"> RedLeaves </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-8e17302b07e64557b7240b8cc13cdc5f"> <a href="/versions/v9/software/S0075/"> Reg </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-df3ea8cf02904d1089194a3878d45ad8"> <a href="/versions/v9/software/S0511/"> RegDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-40a2a2dbe0ec47d2a9efb7db4039b6fb"> <a href="/versions/v9/software/S0019/"> Regin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-2500d8a0e8bb465c9d17fdec75751dc9"> <a href="/versions/v9/software/S0332/"> Remcos </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-2323308f8ae642b08afdac7fbb3a7585"> <a href="/versions/v9/software/S0375/"> Remexi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-469ff9d046ad4832858610168eb420c0"> <a href="/versions/v9/software/S0166/"> RemoteCMD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-25051c5399a24d228818d28d464a0061"> <a href="/versions/v9/software/S0592/"> RemoteUtilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-5464941c17844028b4df8a8ed74c6248"> <a href="/versions/v9/software/S0125/"> Remsec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="1d295894e7a94614ab8c6a56330ce2cf-9f73fb7701754315b7fd4280919d0f0b"> <a href="/versions/v9/software/S0174/"> Responder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-55d3f71459004f2ca2f7dbbc5868bc1a"> <a href="/versions/v9/software/S0379/"> Revenge RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-b7f7effca712495aae8a4ba8bb701354"> <a href="/versions/v9/software/S0496/"> REvil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-eb811d090d2d4882ba8a160dad72cfc2"> <a href="/versions/v9/software/S0258/"> RGDoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-abb7cdadf1d741ba86a6560b6fcfd712"> <a href="/versions/v9/software/S0433/"> Rifdoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-a6ae63409a014629aed6b70c8988cc3e"> <a href="/versions/v9/software/S0403/"> Riltok </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-0ef24be3505b4e2c945010b9800a3eeb"> <a href="/versions/v9/software/S0003/"> RIPTIDE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-45f68fc46b3d44bd948abf038b19007c"> <a href="/versions/v9/software/S0448/"> Rising Sun </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-f6fed98ddde348a7946c8597deb6aba2"> <a href="/versions/v9/software/S0400/"> RobbinHood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-6a15713c27ed400c9003a03e667978b2"> <a href="/versions/v9/software/S0112/"> ROCKBOOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-0d84f873b32749e394a3a739dee2cbc9"> <a href="/versions/v9/software/S0270/"> 
RogueRobin </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-0447dc0196c14bddba552213a370fd51"> <a href="/versions/v9/software/S0240/"> ROKRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-ae828b9e8e9f4c7ca772262e8e7b94e1"> <a href="/versions/v9/software/S0411/"> Rotexy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-3e8228a832114024939f8a4d57f61e76"> <a href="/versions/v9/software/S0103/"> route </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-6728f74d4d9a482a806dd0a00fa3adc3"> <a href="/versions/v9/software/S0090/"> Rover </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-03fb989e8d784e72b89e318434b89f5a"> <a href="/versions/v9/software/S0148/"> RTM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-ba8a862396554b1a9b7556360555ec38"> <a href="/versions/v9/software/S0358/"> Ruler </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-2ac50fed105949b5a11c4113bff084cb"> <a href="/versions/v9/software/S0313/"> RuMMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-5183fbba5a3b43e6af87b9e680c25877"> <a href="/versions/v9/software/S0253/"> RunningRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="1d295894e7a94614ab8c6a56330ce2cf-b369784646f34c408eb50353ae0b81cf"> <a href="/versions/v9/software/S0446/"> Ryuk </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="15aa0ca24b1f4115a3ec8a114cf45759"> <span>S-T</span> <div class="expand-button collapsed" id="15aa0ca24b1f4115a3ec8a114cf45759-header" data-toggle="collapse" data-target="#15aa0ca24b1f4115a3ec8a114cf45759-body" aria-expanded="false" 
aria-controls="#15aa0ca24b1f4115a3ec8a114cf45759-body"></div> </div> <div class="sidenav-body collapse" id="15aa0ca24b1f4115a3ec8a114cf45759-body" aria-labelledby="15aa0ca24b1f4115a3ec8a114cf45759-header"> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-ea6e98679a2e482cba9c14b4e9da4180"> <a href="/versions/v9/software/S0085/"> S-Type </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-6152c407d01448769ad39d0d3f01d076"> <a href="/versions/v9/software/S0074/"> Sakula </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-d8b854356cb14539b6b613e7c3186d28"> <a href="/versions/v9/software/S0370/"> SamSam </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-bcee0fc4bebc4a85acb57b05b8f201a0"> <a href="/versions/v9/software/S0111/"> schtasks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-0a9386f7dd60457e945c336059afa9b3"> <a href="/versions/v9/software/S0461/"> SDBbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-c9c3fa1db1e644a7b223d17f3f38760f"> <a href="/versions/v9/software/S0195/"> SDelete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-4fdc7944b99b4e42856fc8049d0baa65"> <a href="/versions/v9/software/S0053/"> SeaDuke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-f983f05c988742f8b95fcc1d07ac346f"> <a href="/versions/v9/software/S0345/"> Seasalt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-c909a35768b145c5b78c928c4379697c"> <a href="/versions/v9/software/S0185/"> SEASHARPEE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="15aa0ca24b1f4115a3ec8a114cf45759-52727e23d6c44c64a196e60a8e49984c"> <a href="/versions/v9/software/S0382/"> ServHelper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-a872f109703146a4b0d9e22b7fa9f100"> <a href="/versions/v9/software/S0596/"> ShadowPad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-01f3a26d7a4f4dacb01dd0b502bd15cd"> <a href="/versions/v9/software/S0140/"> Shamoon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-5d54439399874fc99c02541fd70664b9"> <a href="/versions/v9/software/S0546/"> SharpStage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-1b90224aaa2540a3895cb354d056a386"> <a href="/versions/v9/software/S0450/"> SHARPSTATS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-80d7e92bf75d4d45b6c024bd7ead1cc3"> <a href="/versions/v9/software/S0294/"> ShiftyBug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-55dbab27a2314d1f9985a1eeeb72065d"> <a href="/versions/v9/software/S0444/"> ShimRat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-3ed080aa09f34b0da33f4fc83fcf507e"> <a href="/versions/v9/software/S0445/"> ShimRatReporter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-545577c2e50b471491533e4edc550a05"> <a href="/versions/v9/software/S0028/"> SHIPSHAPE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-5394b8427e8d45dabc231338cf8adbab"> <a href="/versions/v9/software/S0063/"> SHOTPUT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-9ebe30d5a3f04a0692e9bdb596e25ae2"> <a 
href="/versions/v9/software/S0217/"> SHUTTERSPEED </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-acb11ef1550e47598904f5076b4b5ea0"> <a href="/versions/v9/software/S0589/"> Sibot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-d667077ff4e24e319173e3d09713d478"> <a href="/versions/v9/software/S0549/"> SilkBean </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-dbc487142b8f4d88aa76b9909628e237"> <a href="/versions/v9/software/S0419/"> SimBad </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-1518b6b3fc2f4fada42918c8d71c4c3c"> <a href="/versions/v9/software/S0007/"> Skeleton Key </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-4b55bdcd98624f83837778868f3096db"> <a href="/versions/v9/software/S0468/"> Skidmap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-ec3d0ebce4254daa90d337b7ba3571a6"> <a href="/versions/v9/software/S0327/"> Skygofree </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-16a2a9044f004b139e034a223b8540f6"> <a href="/versions/v9/software/S0533/"> SLOTHFULMEDIA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-01c63e07064349fcbc8c1c88f519a938"> <a href="/versions/v9/software/S0218/"> SLOWDRIFT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-dc198740f2d94484af9a1d5505e8ef59"> <a href="/versions/v9/software/S0226/"> Smoke Loader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-74481046eff346e1974a7e7f0e4fab5a"> <a href="/versions/v9/software/S0159/"> SNUGRIDE </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-b5cde379d3b54ccbaa3fb3a1e8570dff"> <a href="/versions/v9/software/S0273/"> Socksbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-9f1a3fc6ea9743fcb7d10a9193378976"> <a href="/versions/v9/software/S0516/"> SoreFang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-548bd8cbd2ed424ca926af80c212699d"> <a href="/versions/v9/software/S0157/"> SOUNDBITE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-95e20b4079504fbfb38d71fe492f677b"> <a href="/versions/v9/software/S0035/"> SPACESHIP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-323c20e773614934acee3650115e0f35"> <a href="/versions/v9/software/S0543/"> Spark </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-b706daf112a24c94a704ad2493ee60e4"> <a href="/versions/v9/software/S0374/"> SpeakUp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-c48c4de5dde14d5ba98fd078096fba69"> <a href="/versions/v9/software/S0227/"> spwebmember </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-b2a14338c5bf41709bc62a5b178eff49"> <a href="/versions/v9/software/S0324/"> SpyDealer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-98f6995dbd6943ee914a923d7d4d936b"> <a href="/versions/v9/software/S0305/"> SpyNote RAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-4cb101c759e24b4db2d09d57aeaa787f"> <a href="/versions/v9/software/S0225/"> sqlmap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-6f36597c58a64ee398dd795f6f222bfa"> <a 
href="/versions/v9/software/S0390/"> SQLRat </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-e2489e7c9df742d9b9f2e74fcd37781d"> <a href="/versions/v9/software/S0058/"> SslMM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-472a04b1ee2a4ef1839d944c8d494d1c"> <a href="/versions/v9/software/S0188/"> Starloader </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-2eecda35affa48b38f788ab837008042"> <a href="/versions/v9/software/S0328/"> Stealth Mango </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-0e3dd73036e9463b9628c0b621b1c7ea"> <a href="/versions/v9/software/S0380/"> StoneDrill </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-98b5d6f482224fb29f4323aca6c816f8"> <a href="/versions/v9/software/S0142/"> StreamEx </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-f2a4f1d11a374352a3a87e9ad607bf4f"> <a href="/versions/v9/software/S0491/"> StrongPity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-08e85fc1741c459c9385ef6998c583af"> <a href="/versions/v9/software/S0559/"> SUNBURST </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-d29d56e66e7447e28e40bdb9e74fa1a6"> <a href="/versions/v9/software/S0562/"> SUNSPOT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-98c9f44bf41d45c79411c3651b99d679"> <a href="/versions/v9/software/S0578/"> SUPERNOVA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-44e26958502648ae890e46f20c62c34a"> <a href="/versions/v9/software/S0018/"> Sykipot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="15aa0ca24b1f4115a3ec8a114cf45759-e89ead481eab4935a7d255a749c56c02"> <a href="/versions/v9/software/S0242/"> SynAck </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-53ca34c7f5a04b19ada6955481bb3581"> <a href="/versions/v9/software/S0519/"> SYNful Knock </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-a1a848232dae4f7f89408cd9979a0745"> <a href="/versions/v9/software/S0060/"> Sys10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-ee44814b98514821b0bae9a1cf36d070"> <a href="/versions/v9/software/S0464/"> SYSCON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-7deb103aa3c54bebb99f89553538113d"> <a href="/versions/v9/software/S0096/"> Systeminfo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-1a357678b8024f85af86418de4b6e7a9"> <a href="/versions/v9/software/S0098/"> T9000 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-d8fcb654e00b4aeaabe9201a3cdd182a"> <a href="/versions/v9/software/S0011/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-8f9a6ec8e8e24e55b8b360dd9419865a"> <a href="/versions/v9/software/S0586/"> TAINTEDSCRIBE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-61fc867a4867446392bfd85b18fa44e5"> <a href="/versions/v9/software/S0467/"> TajMahal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-3176860488734abe90a1fc7d08ec333f"> <a href="/versions/v9/software/S0329/"> Tangelo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-490904e37b8e4c9b878fe9914b39b650"> <a href="/versions/v9/software/S0057/"> Tasklist 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-67c19529f9df4ca38170275765e797be"> <a href="/versions/v9/software/S0164/"> TDTESS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-b80db1c7728142c28270168205aa00b5"> <a href="/versions/v9/software/S0560/"> TEARDROP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-34ef4cae4c7c483983d402055ccb3c02"> <a href="/versions/v9/software/S0545/"> TERRACOTTA </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-0d7ccab9f5a34f87b2c6b8e0d2c1e93f"> <a href="/versions/v9/software/S0146/"> TEXTMATE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-d9f9d047e4a74fc3abbd97f5ff90c380"> <a href="/versions/v9/software/S0595/"> ThiefQuest </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-2383282c4c50465b883c8194d1f4b0f7"> <a href="/versions/v9/software/S0558/"> Tiktok Pro </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-d6e3c98e52444ecf8b2dc4dda2637543"> <a href="/versions/v9/software/S0131/"> TINYTYPHON </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-302e64ce1d7841cb946cdc2553a1f110"> <a href="/versions/v9/software/S0004/"> TinyZBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-be0fe600775047f4a170946bf709b54f"> <a href="/versions/v9/software/S0183/"> Tor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-0d1a2fc569b44d64982dd46689f42e8a"> <a href="/versions/v9/software/S0424/"> Triada </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="15aa0ca24b1f4115a3ec8a114cf45759-2e7ef33c492f4b33ae1dda162c91a720"> <a href="/versions/v9/software/S0266/"> TrickBot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-b8d5d5c5582644008526787eaa15f1ec"> <a href="/versions/v9/software/S0427/"> TrickMo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-1e2f6ff87c1b430da45f35525599d318"> <a href="/versions/v9/software/S0307/"> Trojan-SMS.AndroidOS.Agent.ao </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-691eebd166a44ff1946a8f105c238ebe"> <a href="/versions/v9/software/S0306/"> Trojan-SMS.AndroidOS.FakeInst.a </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-cc1d5d39020a41cc888fce098c17b97a"> <a href="/versions/v9/software/S0308/"> Trojan-SMS.AndroidOS.OpFake.a </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-7af8eca0765a44c88b2ad88f4aab80cc"> <a href="/versions/v9/software/S0094/"> Trojan.Karagany </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-9779b768ef5c4124ae91412fa50c2fd7"> <a href="/versions/v9/software/S0001/"> Trojan.Mebromi </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-282f499a654c4c85840ac62568502153"> <a href="/versions/v9/software/S0178/"> Truvasys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-fd3b52ec0c2c4a16b9e08d15dabfc35a"> <a href="/versions/v9/software/S0436/"> TSCookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-943771414962416d911cf963c66b4749"> <a href="/versions/v9/software/S0199/"> TURNEDUP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" 
id="15aa0ca24b1f4115a3ec8a114cf45759-813def908b244b4a94e1834eb7a350f1"> <a href="/versions/v9/software/S0302/"> Twitoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="15aa0ca24b1f4115a3ec8a114cf45759-b0a00ee9448642a580b7effa8c12e6c0"> <a href="/versions/v9/software/S0263/"> TYPEFRAME </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="77e4f19870be4252a0de8a84c11b4ee1"> <span>U-V</span> <div class="expand-button collapsed" id="77e4f19870be4252a0de8a84c11b4ee1-header" data-toggle="collapse" data-target="#77e4f19870be4252a0de8a84c11b4ee1-body" aria-expanded="false" aria-controls="#77e4f19870be4252a0de8a84c11b4ee1-body"></div> </div> <div class="sidenav-body collapse" id="77e4f19870be4252a0de8a84c11b4ee1-body" aria-labelledby="77e4f19870be4252a0de8a84c11b4ee1-header"> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-43e43427743a49b9828a5b8d322dc275"> <a href="/versions/v9/software/S0116/"> UACMe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-d6ae64d8c61543579d5167f4719c3287"> <a href="/versions/v9/software/S0333/"> UBoatRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-a4dcfce6e57f478e8c4571d85789897b"> <a href="/versions/v9/software/S0221/"> Umbreon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-23436e3c6e4e43fdba5e718b42220d62"> <a href="/versions/v9/software/S0130/"> Unknown Logger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-8e32f4628e984236b076fb6794199a24"> <a href="/versions/v9/software/S0275/"> UPPERCUT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-912abd85faee4bc88b2221d308893f91"> <a href="/versions/v9/software/S0022/"> Uroburos </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-e6de7b31fc504ea8b22d1642a022a149"> <a href="/versions/v9/software/S0386/"> Ursnif </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-6cdae87bbddc4f7cac03296202d72112"> <a href="/versions/v9/software/S0452/"> USBferry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-84ffddf95e264244b31c48ef02de69f7"> <a href="/versions/v9/software/S0136/"> USBStealer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-9dc2dc0c9a9a4f9a870757b67fd00fc5"> <a href="/versions/v9/software/S0476/"> Valak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-94dab4452e6d4d05938a4725574980f1"> <a href="/versions/v9/software/S0207/"> Vasport </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-8786aae2da804a1e913848ceb6842d7a"> <a href="/versions/v9/software/S0442/"> VBShower </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-eaaaba953cdf432caa8dcee6515ba34a"> <a href="/versions/v9/software/S0257/"> VERMIN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-419191f6ce5b4d488727b1891de51122"> <a href="/versions/v9/software/S0418/"> ViceLeaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-5f659086bae54408b26fa129d97d37ec"> <a href="/versions/v9/software/S0506/"> ViperRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="77e4f19870be4252a0de8a84c11b4ee1-f580c77dfe3f4daf85e6330bfe594edf"> <a href="/versions/v9/software/S0180/"> Volgmer </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="55d438137efb45b2a8ab34a3e319980b"> <span>W-X</span> <div class="expand-button 
collapsed" id="55d438137efb45b2a8ab34a3e319980b-header" data-toggle="collapse" data-target="#55d438137efb45b2a8ab34a3e319980b-body" aria-expanded="false" aria-controls="#55d438137efb45b2a8ab34a3e319980b-body"></div> </div> <div class="sidenav-body collapse" id="55d438137efb45b2a8ab34a3e319980b-body" aria-labelledby="55d438137efb45b2a8ab34a3e319980b-header"> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-700c9c47465c43cdab6c1ce6bd9c1dd8"> <a href="/versions/v9/software/S0366/"> WannaCry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-a768f763025947258e6c29d2e8d4081f"> <a href="/versions/v9/software/S0579/"> Waterbear </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-7c804ba0883a4eeebc8e997ad633efdf"> <a href="/versions/v9/software/S0109/"> WEBC2 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-b3c2103e0e694da0a58d3f80887a55f1"> <a href="/versions/v9/software/S0515/"> WellMail </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-5c415dc7c7fe46e399218f643eefd0c1"> <a href="/versions/v9/software/S0514/"> WellMess </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-1126f71fede44e248bf58f0808c61eac"> <a href="/versions/v9/software/S0206/"> Wiarp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-5c302499f1964d518a04679075b6017d"> <a href="/versions/v9/software/S0005/"> Windows Credential Editor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-322e2caf814c4e5ebf535247daacecda"> <a href="/versions/v9/software/S0155/"> WINDSHIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-40ac3a659af24593a82a7d2adf125dfd"> 
<a href="/versions/v9/software/S0466/"> WindTail </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-9b37411796514207a5fce16dfbc50eeb"> <a href="/versions/v9/software/S0219/"> WINERACK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-3087e3820f234d3182240772f94f006d"> <a href="/versions/v9/software/S0191/"> Winexe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-81a16b302f0b47f9a74e65ceac8093ce"> <a href="/versions/v9/software/S0176/"> Wingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-7603c9cd4b58423dac33dc67152a3a08"> <a href="/versions/v9/software/S0059/"> WinMM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-0242b9ed2b7b4188bfde9875cacff24c"> <a href="/versions/v9/software/S0430/"> Winnti for Linux </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-80aed80f3f1f4495893e0fbd29798e6e"> <a href="/versions/v9/software/S0141/"> Winnti for Windows </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-eab80861027d45c59c02b1bb4d68a41a"> <a href="/versions/v9/software/S0041/"> Wiper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-6ed7b149839f49c6bb1047d4f419f66f"> <a href="/versions/v9/software/S0312/"> WireLurker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-2c0ca6604e37439d843b5c9af0d887eb"> <a href="/versions/v9/software/S0489/"> WolfRAT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-b725ef00df2a46c0abda20bd4fec1d02"> <a href="/versions/v9/software/S0314/"> X-Agent for Android </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-5aa24b597dd544d3a9396643988afc71"> <a href="/versions/v9/software/S0161/"> XAgentOSX </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-b88905a73aee4963bcbf00678bb4d4ce"> <a href="/versions/v9/software/S0341/"> Xbash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-eb4f8b9a090446bdab68741ac3a491a9"> <a href="/versions/v9/software/S0298/"> Xbot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-889991f3d20a4164a81259a419ef1930"> <a href="/versions/v9/software/S0123/"> xCmd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-1896d41242324c059e40bac0ee3a64d1"> <a href="/versions/v9/software/S0297/"> XcodeGhost </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-a5fad0a88f2148d79f29eadad968eff9"> <a href="/versions/v9/software/S0318/"> XLoader for Android </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-3e2b327de8ef418a84640cb872e674ee"> <a href="/versions/v9/software/S0490/"> XLoader for iOS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="55d438137efb45b2a8ab34a3e319980b-800b43f387e94cc0a1da9b53eda1eba0"> <a href="/versions/v9/software/S0117/"> XTunnel </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="4fd897e7588447a2a2622250f2b7755b"> <span>Y-Z</span> <div class="expand-button collapsed" id="4fd897e7588447a2a2622250f2b7755b-header" data-toggle="collapse" data-target="#4fd897e7588447a2a2622250f2b7755b-body" aria-expanded="false" aria-controls="#4fd897e7588447a2a2622250f2b7755b-body"></div> </div> <div class="sidenav-body collapse" id="4fd897e7588447a2a2622250f2b7755b-body" aria-labelledby="4fd897e7588447a2a2622250f2b7755b-header"> <div 
class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-7ba0d36f96844fab8bca01f9245277b4"> <a href="/versions/v9/software/S0388/"> YAHOYAH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-d0c50e5480f64fb2a80d99230b360648"> <a href="/versions/v9/software/S0311/"> YiSpecter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-cc980bf115dc4d1f82d6ec873933aca6"> <a href="/versions/v9/software/S0248/"> yty </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-d1df68c14ceb425d9ac54e0d57be9016"> <a href="/versions/v9/software/S0251/"> Zebrocy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-881d59775df74bf98fe38a32cf3a1b8c"> <a href="/versions/v9/software/S0494/"> Zen </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-36c9677d75074742a54558d001d57f23"> <a href="/versions/v9/software/S0287/"> ZergHelper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-fb940d1e2ba941da86bcc8b80a19080f"> <a href="/versions/v9/software/S0027/"> Zeroaccess </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-5db84952c85b413d9d2bf7fa4831d11a"> <a href="/versions/v9/software/S0230/"> ZeroT </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-1dacedbe178c47858f279515adf022b3"> <a href="/versions/v9/software/S0330/"> Zeus Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-140b30c9da1b46539712f639a365ef4a"> <a href="/versions/v9/software/S0086/"> ZLib </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-7f953f79d6fa4d6c8b3856712508f25c"> <a 
href="/versions/v9/software/S0350/"> zwShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4fd897e7588447a2a2622250f2b7755b-18672cae57a442d6a5895c5abd2d1761"> <a href="/versions/v9/software/S0412/"> ZxShell </a> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item">Software</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <div class="overflow-x-auto"> <h1> Software </h1> <p>Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. The team makes a best effort to track overlaps between names based on publicly reported associations, which are designated as “Associated Software” on each page (formerly labeled “Aliases”), because we believe these overlaps are useful for analyst awareness.</p> <p>Software entries include publicly reported technique use or capability to use a technique and may be mapped to Groups who have been reported to use that Software. 
The information provided does not represent all possible technique use by a piece of Software, but rather a subset that is available solely through open source reporting.</p> <ul> <li class="mb-4">Tool - Commercial, open-source, built-in, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary. This category includes both software that generally is not found on an enterprise system as well as software generally available as part of an operating system that is already present in an environment. Examples include PsExec, Metasploit, Mimikatz, as well as Windows utilities such as Net, netstat, Tasklist, etc.</li> <li class="mb-4">Malware - Commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries. Examples include PlugX, CHOPSTICK, etc.</li> </ul> <h6 class="table-object-count">Software: 585</h6> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Associated Software</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0066"> S0066 </a> </td> <td> <a href="/versions/v9/software/S0066"> 3PARA RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0066">3PARA RAT</a> is a remote access tool (RAT) programmed in C++ that has been used by <a href="/versions/v9/groups/G0024">Putter Panda</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0065"> S0065 </a> </td> <td> <a href="/versions/v9/software/S0065"> 4H RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0065">4H RAT</a> is malware that has been used by <a href="/versions/v9/groups/G0024">Putter Panda</a> since at least 2007. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0469"> S0469 </a> </td> <td> <a href="/versions/v9/software/S0469"> ABK </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0469">ABK</a> is a downloader that has been used by <a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0202"> S0202 </a> </td> <td> <a href="/versions/v9/software/S0202"> adbupd </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0202">adbupd</a> is a backdoor used by <a href="/versions/v9/groups/G0068">PLATINUM</a> that is similar to <a href="/versions/v9/software/S0200">Dipsind</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0552"> S0552 </a> </td> <td> <a href="/versions/v9/software/S0552"> AdFind </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0552">AdFind</a> is a free command-line query tool that can be used for gathering information from Active Directory.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0309"> S0309 </a> </td> <td> <a href="/versions/v9/software/S0309"> Adups </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0309">Adups</a> is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0045"> S0045 </a> </td> <td> <a href="/versions/v9/software/S0045"> ADVSTORESHELL </a> </td> <td> AZZY, EVILTOSS, NETUI, Sedreco </td> <td> <p><a href="/versions/v9/software/S0045">ADVSTORESHELL</a> is a spying backdoor that has been used by <a href="/versions/v9/groups/G0007">APT28</a> from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0440"> S0440 </a> </td> <td> <a href="/versions/v9/software/S0440"> Agent Smith </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0440">Agent Smith</a> is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 <a href="/versions/v9/software/S0440">Agent Smith</a> had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0331"> S0331 </a> </td> <td> <a href="/versions/v9/software/S0331"> Agent Tesla </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0331">Agent Tesla</a> is a spyware Trojan written for the .NET framework that has been observed since at least 2014.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0092"> S0092 </a> </td> <td> <a href="/versions/v9/software/S0092"> Agent.btz </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0092">Agent.btz</a> is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0319"> S0319 </a> </td> <td> <a href="/versions/v9/software/S0319"> Allwinner </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0319">Allwinner</a> is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by <a href="/versions/v9/software/S0319">Allwinner</a> for use on these devices reportedly contained a backdoor. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0504"> S0504 </a> </td> <td> <a href="/versions/v9/software/S0504"> Anchor </a> </td> <td> Anchor_DNS </td> <td> <p><a href="/versions/v9/software/S0504">Anchor</a> is one of a family of backdoor malware that has been used in conjunction with <a href="/versions/v9/software/S0266">TrickBot</a> on selected high profile targets since at least 2018.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0525"> S0525 </a> </td> <td> <a href="/versions/v9/software/S0525"> Android/AdDisplay.Ashas </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0525">Android/AdDisplay.Ashas</a> is a variant of adware that has been distributed through multiple apps in the Google Play Store. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0304"> S0304 </a> </td> <td> <a href="/versions/v9/software/S0304"> Android/Chuli.A </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0304">Android/Chuli.A</a> is Android malware that was delivered to activist groups via a spearphishing email with an attachment. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0524"> S0524 </a> </td> <td> <a href="/versions/v9/software/S0524"> AndroidOS/MalLocker.B </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0524">AndroidOS/MalLocker.B</a> is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0310"> S0310 </a> </td> <td> <a href="/versions/v9/software/S0310"> ANDROIDOS_ANSERVER.A </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0310">ANDROIDOS_ANSERVER.A</a> is Android malware that is unique because it uses encrypted content within a blog site for command and control. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0292"> S0292 </a> </td> <td> <a href="/versions/v9/software/S0292"> AndroRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0292">AndroRAT</a> is malware that allows a third party to control the device and collect information. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0422"> S0422 </a> </td> <td> <a href="/versions/v9/software/S0422"> Anubis </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0422">Anubis</a> is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0584"> S0584 </a> </td> <td> <a href="/versions/v9/software/S0584"> AppleJeus </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0584">AppleJeus</a> is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. <a href="/versions/v9/software/S0584">AppleJeus</a> has been used by <a href="/versions/v9/groups/G0032">Lazarus Group</a>, targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. 
<a href="/versions/v9/software/S0584">AppleJeus</a> has been used to distribute the <a href="/versions/v9/software/S0181">FALLCHILL</a> RAT.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0456"> S0456 </a> </td> <td> <a href="/versions/v9/software/S0456"> Aria-body </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0456">Aria-body</a> is a custom backdoor that has been used by <a href="/versions/v9/groups/G0019">Naikon</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0099"> S0099 </a> </td> <td> <a href="/versions/v9/software/S0099"> Arp </a> </td> <td> arp.exe </td> <td> <p><a href="/versions/v9/software/S0099">Arp</a> displays information about a system's Address Resolution Protocol (ARP) cache. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0540"> S0540 </a> </td> <td> <a href="/versions/v9/software/S0540"> Asacub </a> </td> <td> Trojan-SMS.AndroidOS.Smaps </td> <td> <p><a href="/versions/v9/software/S0540">Asacub</a> is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0073"> S0073 </a> </td> <td> <a href="/versions/v9/software/S0073"> ASPXSpy </a> </td> <td> ASPXTool </td> <td> <p><a href="/versions/v9/software/S0073">ASPXSpy</a> is a Web shell. It has been modified by <a href="/versions/v9/groups/G0027">Threat Group-3390</a> actors to create the ASPXTool version. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v9/software/S0373"> Astaroth </a> </td> <td> Guildma </td> <td> <p><a href="/versions/v9/software/S0373">Astaroth</a> is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0110"> S0110 </a> </td> <td> <a href="/versions/v9/software/S0110"> at </a> </td> <td> at.exe </td> <td> <p><a href="/versions/v9/software/S0110">at</a> is used to schedule tasks on a system to run at a specified date or time. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0438"> S0438 </a> </td> <td> <a href="/versions/v9/software/S0438"> Attor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0438">Attor</a> is a Windows-based espionage platform that has been seen in use since 2013. <a href="/versions/v9/software/S0438">Attor</a> has a loadable plugin architecture to customize functionality for specific targets.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0347"> S0347 </a> </td> <td> <a href="/versions/v9/software/S0347"> AuditCred </a> </td> <td> Roptimizer </td> <td> <p><a href="/versions/v9/software/S0347">AuditCred</a> is a malicious DLL that has been used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> during their 2018 attacks.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0129"> S0129 </a> </td> <td> <a href="/versions/v9/software/S0129"> AutoIt backdoor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0129">AutoIt backdoor</a> is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. 
This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0473"> S0473 </a> </td> <td> <a href="/versions/v9/software/S0473"> Avenger </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0473">Avenger</a> is a downloader that has been used by <a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0344"> S0344 </a> </td> <td> <a href="/versions/v9/software/S0344"> Azorult </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0344">Azorult</a> is a commercial Trojan that is used to steal information from compromised hosts. <a href="/versions/v9/software/S0344">Azorult</a> has been observed in the wild as early as 2016. In July 2018, <a href="/versions/v9/software/S0344">Azorult</a> was seen used in a spearphishing campaign against targets in North America. <a href="/versions/v9/software/S0344">Azorult</a> has been seen used for cryptocurrency theft. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0414"> S0414 </a> </td> <td> <a href="/versions/v9/software/S0414"> BabyShark </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0414">BabyShark</a> is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0475"> S0475 </a> </td> <td> <a href="/versions/v9/software/S0475"> BackConfig </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0475">BackConfig</a> is a custom Trojan with a flexible plugin architecture that has been used by <a href="/versions/v9/groups/G0040">Patchwork</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0093"> S0093 </a> </td> <td> <a href="/versions/v9/software/S0093"> Backdoor.Oldrea </a> </td> <td> Havex </td> <td> <p><a href="/versions/v9/software/S0093">Backdoor.Oldrea</a> is a backdoor used by <a href="/versions/v9/groups/G0035">Dragonfly</a>. It appears to be custom malware authored by the group or specifically for it. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0031"> S0031 </a> </td> <td> <a href="/versions/v9/software/S0031"> BACKSPACE </a> </td> <td> Lecna </td> <td> <p><a href="/versions/v9/software/S0031">BACKSPACE</a> is a backdoor used by <a href="/versions/v9/groups/G0013">APT30</a> that dates back to at least 2005. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0245"> S0245 </a> </td> <td> <a href="/versions/v9/software/S0245"> BADCALL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0245">BADCALL</a> is a Trojan malware variant used by the group <a href="/versions/v9/groups/G0032">Lazarus Group</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0128"> S0128 </a> </td> <td> <a href="/versions/v9/software/S0128"> BADNEWS </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0128">BADNEWS</a> is malware that has been used by the actors responsible for the <a href="/versions/v9/groups/G0040">Patchwork</a> campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0337"> S0337 </a> </td> <td> <a href="/versions/v9/software/S0337"> BadPatch </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0337">BadPatch</a> is a Windows Trojan that was used in a Gaza Hackers-linked campaign.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0234"> S0234 </a> </td> <td> <a href="/versions/v9/software/S0234"> Bandook </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0234">Bandook</a> is a commercially available RAT, written in Delphi, which has been available since roughly 2007.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0239"> S0239 </a> </td> <td> <a href="/versions/v9/software/S0239"> Bankshot </a> </td> <td> Trojan Manuscript </td> <td> <p><a href="/versions/v9/software/S0239">Bankshot</a> is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, <a href="/versions/v9/groups/G0032">Lazarus Group</a> used the <a href="/versions/v9/software/S0239">Bankshot</a> implant in attacks against the Turkish financial sector. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v9/software/S0534"> Bazar </a> </td> <td> KEGTAP, Team9 </td> <td> <p><a href="/versions/v9/software/S0534">Bazar</a> is a downloader and backdoor malware in use since at least April 2020, with infections mainly targeting professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. 
<a href="/versions/v9/software/S0534">Bazar</a> has been reported to have ties to <a href="/versions/v9/software/S0266">TrickBot</a> campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0470"> S0470 </a> </td> <td> <a href="/versions/v9/software/S0470"> BBK </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0470">BBK</a> is a downloader that has been used by <a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0127"> S0127 </a> </td> <td> <a href="/versions/v9/software/S0127"> BBSRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0127">BBSRAT</a> is malware with remote access tool functionality that has been used in targeted compromises. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0574"> S0574 </a> </td> <td> <a href="/versions/v9/software/S0574"> BendyBear </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0574">BendyBear</a> is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, <a href="/versions/v9/software/S0574">BendyBear</a> shares a variety of features with <a href="/versions/v9/software/S0579">Waterbear</a>, malware previously attributed to the Chinese cyber espionage group <a href="/versions/v9/groups/G0098">BlackTech</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0017"> S0017 </a> </td> <td> <a href="/versions/v9/software/S0017"> BISCUIT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0017">BISCUIT</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0006">APT1</a> since as early as 2007. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0268"> S0268 </a> </td> <td> <a href="/versions/v9/software/S0268"> Bisonal </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0268">Bisonal</a> is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0570"> S0570 </a> </td> <td> <a href="/versions/v9/software/S0570"> BitPaymer </a> </td> <td> wp_encrypt, FriedEx </td> <td> <p><a href="/versions/v9/software/S0570">BitPaymer</a> is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. <a href="/versions/v9/software/S0570">BitPaymer</a> uses a unique encryption key, ransom note, and contact information for each operation. <a href="/versions/v9/software/S0570">BitPaymer</a> has several indicators suggesting overlap with the <a href="/versions/v9/software/S0384">Dridex</a> malware and is often delivered via <a href="/versions/v9/software/S0384">Dridex</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0190"> S0190 </a> </td> <td> <a href="/versions/v9/software/S0190"> BITSAdmin </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0190">BITSAdmin</a> is a command line tool used to create and manage <a href="/versions/v9/techniques/T1197">BITS Jobs</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0069"> S0069 </a> </td> <td> <a href="/versions/v9/software/S0069"> BLACKCOFFEE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0069">BLACKCOFFEE</a> is malware that has been used by several Chinese groups since at least 2013. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0089"> S0089 </a> </td> <td> <a href="/versions/v9/software/S0089"> BlackEnergy </a> </td> <td> Black Energy </td> <td> <p><a href="/versions/v9/software/S0089">BlackEnergy</a> is a malware toolkit that has been used by both criminal and APT actors. 
It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0564"> S0564 </a> </td> <td> <a href="/versions/v9/software/S0564"> BlackMould </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0564">BlackMould</a> is a web shell based on <a href="/versions/v9/software/S0020">China Chopper</a> for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by <a href="/versions/v9/groups/G0093">GALLIUM</a> against telecommunication providers.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0520"> S0520 </a> </td> <td> <a href="/versions/v9/software/S0520"> BLINDINGCAN </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0520">BLINDINGCAN</a> is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0521"> S0521 </a> </td> <td> <a href="/versions/v9/software/S0521"> BloodHound </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0521">BloodHound</a> is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0486"> S0486 </a> </td> <td> <a href="/versions/v9/software/S0486"> Bonadan </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0486">Bonadan</a> is a malicious version of OpenSSH which acts as a custom backdoor. 
<a href="/versions/v9/software/S0486">Bonadan</a> has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0360"> S0360 </a> </td> <td> <a href="/versions/v9/software/S0360"> BONDUPDATER </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0360">BONDUPDATER</a> is a PowerShell backdoor used by <a href="/versions/v9/groups/G0049">OilRig</a>. It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0415"> S0415 </a> </td> <td> <a href="/versions/v9/software/S0415"> BOOSTWRITE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0415">BOOSTWRITE</a> is a loader crafted to be launched via abuse of the DLL search order of applications used by <a href="/versions/v9/groups/G0046">FIN7</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0114"> S0114 </a> </td> <td> <a href="/versions/v9/software/S0114"> BOOTRASH </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0114">BOOTRASH</a> is a <a href="/versions/v9/techniques/T1542/003">Bootkit</a> that targets Windows operating systems. It has been used by threat actors that target the financial sector.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0293"> S0293 </a> </td> <td> <a href="/versions/v9/software/S0293"> BrainTest </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0293">BrainTest</a> is a family of Android malware. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0252"> S0252 </a> </td> <td> <a href="/versions/v9/software/S0252"> Brave Prince </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0252">Brave Prince</a> is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to <a href="/versions/v9/software/S0249">Gold Dragon</a>, and was seen along with <a href="/versions/v9/software/S0249">Gold Dragon</a> and <a href="/versions/v9/software/S0253">RunningRAT</a> in operations surrounding the 2018 Pyeongchang Winter Olympics. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0432"> S0432 </a> </td> <td> <a href="/versions/v9/software/S0432"> Bread </a> </td> <td> Joker </td> <td> <p><a href="/versions/v9/software/S0432">Bread</a> was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0204"> S0204 </a> </td> <td> <a href="/versions/v9/software/S0204"> Briba </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0204">Briba</a> is a trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor and download files on to compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0014"> S0014 </a> </td> <td> <a href="/versions/v9/software/S0014"> BS2005 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0014">BS2005</a> is malware that was used by <a href="/versions/v9/groups/G0004">Ke3chang</a> in spearphishing campaigns since at least 2011. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0043"> S0043 </a> </td> <td> <a href="/versions/v9/software/S0043"> BUBBLEWRAP </a> </td> <td> Backdoor.APT.FakeWinHTTPHelper </td> <td> <p><a href="/versions/v9/software/S0043">BUBBLEWRAP</a> is a full-featured, second-stage backdoor used by the <a href="/versions/v9/groups/G0018">admin@338</a> group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0471"> S0471 </a> </td> <td> <a href="/versions/v9/software/S0471"> build_downer </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0471">build_downer</a> is a downloader that has been used by <a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0482"> S0482 </a> </td> <td> <a href="/versions/v9/software/S0482"> Bundlore </a> </td> <td> OSX.Bundlore </td> <td> <p><a href="/versions/v9/software/S0482">Bundlore</a> is adware written for macOS that has been in use since at least 2015. Though categorized as adware, <a href="/versions/v9/software/S0482">Bundlore</a> has many features associated with more traditional backdoors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0119"> S0119 </a> </td> <td> <a href="/versions/v9/software/S0119"> Cachedump </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0119">Cachedump</a> is a publicly-available tool that extracts cached password hashes from a system’s registry. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0454"> S0454 </a> </td> <td> <a href="/versions/v9/software/S0454"> Cadelspy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0454">Cadelspy</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0087">APT39</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0025"> S0025 </a> </td> <td> <a href="/versions/v9/software/S0025"> CALENDAR </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0025">CALENDAR</a> is malware used by <a href="/versions/v9/groups/G0006">APT1</a> that mimics legitimate Gmail Calendar traffic. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0274"> S0274 </a> </td> <td> <a href="/versions/v9/software/S0274"> Calisto </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0274">Calisto</a> is a macOS Trojan that opens a backdoor on the compromised machine. <a href="/versions/v9/software/S0274">Calisto</a> is believed to have first been developed in 2016. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0077"> S0077 </a> </td> <td> <a href="/versions/v9/software/S0077"> CallMe </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0077">CallMe</a> is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0351"> S0351 </a> </td> <td> <a href="/versions/v9/software/S0351"> Cannon </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0351">Cannon</a> is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0030"> S0030 </a> </td> <td> <a href="/versions/v9/software/S0030"> Carbanak </a> </td> <td> Anunak </td> <td> <p><a href="/versions/v9/software/S0030">Carbanak</a> is a full-featured, remote backdoor used by a group of the same name (<a href="/versions/v9/groups/G0008">Carbanak</a>). 
It is intended for espionage, data exfiltration, and providing remote access to infected machines. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0484"> S0484 </a> </td> <td> <a href="/versions/v9/software/S0484"> Carberp </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0484">Carberp</a> is a credential and information stealing malware that has been active since at least 2009. <a href="/versions/v9/software/S0484">Carberp</a>'s source code was leaked online in 2013, and subsequently used as the foundation for the <a href="/versions/v9/software/S0030">Carbanak</a> backdoor.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0335"> S0335 </a> </td> <td> <a href="/versions/v9/software/S0335"> Carbon </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0335">Carbon</a> is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. <a href="/versions/v9/software/S0335">Carbon</a> has been selectively used by <a href="/versions/v9/groups/G0010">Turla</a> to target government and foreign affairs-related organizations in Central Asia.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0529"> S0529 </a> </td> <td> <a href="/versions/v9/software/S0529"> CarbonSteal </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0529">CarbonSteal</a> is one of a family of four surveillanceware tools that share a common C2 infrastructure. <a href="/versions/v9/software/S0529">CarbonSteal</a> primarily deals with audio surveillance. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0348"> S0348 </a> </td> <td> <a href="/versions/v9/software/S0348"> Cardinal RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0348">Cardinal RAT</a> is a potentially low volume remote access trojan (RAT) observed since December 2015. 
<a href="/versions/v9/software/S0348">Cardinal RAT</a> is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0465"> S0465 </a> </td> <td> <a href="/versions/v9/software/S0465"> CARROTBALL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0465">CARROTBALL</a> is an FTP downloader utility that has been in use since at least 2019. <a href="/versions/v9/software/S0465">CARROTBALL</a> has been used as a downloader to install <a href="/versions/v9/software/S0464">SYSCON</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0462"> S0462 </a> </td> <td> <a href="/versions/v9/software/S0462"> CARROTBAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0462">CARROTBAT</a> is a customized dropper that has been in use since at least 2017. <a href="/versions/v9/software/S0462">CARROTBAT</a> has been used to install <a href="/versions/v9/software/S0464">SYSCON</a> and has infrastructure overlap with <a href="/versions/v9/software/S0356">KONNI</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0261"> S0261 </a> </td> <td> <a href="/versions/v9/software/S0261"> Catchamas </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0261">Catchamas</a> is a Windows Trojan that steals information from compromised systems. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0572"> S0572 </a> </td> <td> <a href="/versions/v9/software/S0572"> Caterpillar WebShell </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0572">Caterpillar WebShell</a> is a self-developed Web Shell tool created by the group <a href="/versions/v9/groups/G0123">Volatile Cedar</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0222"> S0222 </a> </td> <td> <a href="/versions/v9/software/S0222"> CCBkdr </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0222">CCBkdr</a> is malware that was injected into a signed version of CCleaner and distributed from CCleaner's distribution website. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0480"> S0480 </a> </td> <td> <a href="/versions/v9/software/S0480"> Cerberus </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0480">Cerberus</a> is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of <a href="/versions/v9/software/S0480">Cerberus</a> claim it was used in private operations for two years.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0160"> S0160 </a> </td> <td> <a href="/versions/v9/software/S0160"> certutil </a> </td> <td> certutil.exe </td> <td> <p><a href="/versions/v9/software/S0160">certutil</a> is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0220"> S0220 </a> </td> <td> <a href="/versions/v9/software/S0220"> Chaos </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0220">Chaos</a> is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0323"> S0323 </a> </td> <td> <a href="/versions/v9/software/S0323"> Charger </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0323">Charger</a> is Android malware that steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0144"> S0144 </a> </td> <td> <a href="/versions/v9/software/S0144"> ChChes </a> </td> <td> Scorpion, HAYMAKER </td> <td> <p><a href="/versions/v9/software/S0144">ChChes</a> is a Trojan that appears to be used exclusively by <a href="/versions/v9/groups/G0045">menuPass</a>. It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0555"> S0555 </a> </td> <td> <a href="/versions/v9/software/S0555"> CHEMISTGAMES </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0555">CHEMISTGAMES</a> is a modular backdoor that has been deployed by <a href="/versions/v9/groups/G0034">Sandworm Team</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0107"> S0107 </a> </td> <td> <a href="/versions/v9/software/S0107"> Cherry Picker </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0107">Cherry Picker</a> is a point of sale (PoS) memory scraper. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0020"> S0020 </a> </td> <td> <a href="/versions/v9/software/S0020"> China Chopper </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0020">China Chopper</a> is a <a href="/versions/v9/techniques/T1505/003">Web Shell</a> hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. It has been used by several threat groups. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0023"> S0023 </a> </td> <td> <a href="/versions/v9/software/S0023"> CHOPSTICK </a> </td> <td> Backdoor.SofacyX, SPLM, Xagent, X-Agent, webhp </td> <td> <p><a href="/versions/v9/software/S0023">CHOPSTICK</a> is a malware family of modular backdoors used by <a href="/versions/v9/groups/G0007">APT28</a>. 
It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. It is tracked separately from the <a href="/versions/v9/software/S0314">X-Agent for Android</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0602"> S0602 </a> </td> <td> <a href="/versions/v9/software/S0602"> Circles </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0602">Circles</a> reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0054"> S0054 </a> </td> <td> <a href="/versions/v9/software/S0054"> CloudDuke </a> </td> <td> MiniDionis, CloudLook </td> <td> <p><a href="/versions/v9/software/S0054">CloudDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> in 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0106"> S0106 </a> </td> <td> <a href="/versions/v9/software/S0106"> cmd </a> </td> <td> cmd.exe </td> <td> <p><a href="/versions/v9/software/S0106">cmd</a> is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. 
</p><p>Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> ), deleting files (e.g., <code>del</code> ), and copying files (e.g., <code>copy</code> ).</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v9/software/S0154"> Cobalt Strike </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0154">Cobalt Strike</a> is a commercial, full-featured, remote access tool that bills itself as "adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors". Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&amp;CK tactics, all executed within a single, integrated system.</p><p>In addition to its own capabilities, <a href="/versions/v9/software/S0154">Cobalt Strike</a> leverages the capabilities of other well-known tools such as Metasploit and <a href="/versions/v9/software/S0002">Mimikatz</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0338"> S0338 </a> </td> <td> <a href="/versions/v9/software/S0338"> Cobian RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0338">Cobian RAT</a> is a backdoor, remote access tool that has been observed since 2016.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0369"> S0369 </a> </td> <td> <a href="/versions/v9/software/S0369"> CoinTicker </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0369">CoinTicker</a> is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0244"> S0244 </a> </td> <td> <a href="/versions/v9/software/S0244"> Comnie </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0244">Comnie</a> is a remote backdoor which has been used in attacks in East Asia. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0126"> S0126 </a> </td> <td> <a href="/versions/v9/software/S0126"> ComRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0126">ComRAT</a> is a second stage implant suspected of being a descendant of <a href="/versions/v9/software/S0092">Agent.btz</a> and used by <a href="/versions/v9/groups/G0010">Turla</a>. The first version of <a href="/versions/v9/software/S0126">ComRAT</a> was identified in 2007, but the tool has undergone substantial development for many years since.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0426"> S0426 </a> </td> <td> <a href="/versions/v9/software/S0426"> Concipit1248 </a> </td> <td> Corona Updates </td> <td> <p><a href="/versions/v9/software/S0426">Concipit1248</a> is iOS spyware that was discovered using the same name as the developer of the Android spyware <a href="/versions/v9/software/S0425">Corona Updates</a>. Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0591"> S0591 </a> </td> <td> <a href="/versions/v9/software/S0591"> ConnectWise </a> </td> <td> ScreenConnect </td> <td> <p><a href="/versions/v9/software/S0591">ConnectWise</a> is a legitimate remote administration tool that has been used since at least 2016 by threat actors including <a href="/versions/v9/groups/G0069">MuddyWater</a> and <a href="/versions/v9/groups/G0115">GOLD SOUTHFIELD</a> to connect to and conduct lateral movement in target environments.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0575"> S0575 </a> </td> <td> <a href="/versions/v9/software/S0575"> Conti </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0575">Conti</a> is a Ransomware-as-a-Service that was first observed in December 2019, and has been distributed via <a href="/versions/v9/software/S0266">TrickBot</a>. 
It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using <a href="/versions/v9/software/S0575">Conti</a> steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0492"> S0492 </a> </td> <td> <a href="/versions/v9/software/S0492"> CookieMiner </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0492">CookieMiner</a> is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0212"> S0212 </a> </td> <td> <a href="/versions/v9/software/S0212"> CORALDECK </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0212">CORALDECK</a> is an exfiltration tool used by <a href="/versions/v9/groups/G0067">APT37</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0137"> S0137 </a> </td> <td> <a href="/versions/v9/software/S0137"> CORESHELL </a> </td> <td> Sofacy, SOURFACE </td> <td> <p><a href="/versions/v9/software/S0137">CORESHELL</a> is a downloader used by <a href="/versions/v9/groups/G0007">APT28</a>. The older versions of this malware are known as SOURFACE and newer versions as CORESHELL. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0425"> S0425 </a> </td> <td> <a href="/versions/v9/software/S0425"> Corona Updates </a> </td> <td> Wabi Music, Concipit1248 </td> <td> <p><a href="/versions/v9/software/S0425">Corona Updates</a> is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. 
Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0050"> S0050 </a> </td> <td> <a href="/versions/v9/software/S0050"> CosmicDuke </a> </td> <td> TinyBaron, BotgenStudios, NemesisGemina </td> <td> <p><a href="/versions/v9/software/S0050">CosmicDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2010 to 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0046"> S0046 </a> </td> <td> <a href="/versions/v9/software/S0046"> CozyCar </a> </td> <td> CozyDuke, CozyBear, Cozer, EuroAPT </td> <td> <p><a href="/versions/v9/software/S0046">CozyCar</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0488"> S0488 </a> </td> <td> <a href="/versions/v9/software/S0488"> CrackMapExec </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0488">CrackMapExec</a>, or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. <a href="/versions/v9/software/S0488">CrackMapExec</a> collects Active Directory information to conduct lateral movement through targeted networks.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0115"> S0115 </a> </td> <td> <a href="/versions/v9/software/S0115"> Crimson </a> </td> <td> MSIL/Crimson </td> <td> <p><a href="/versions/v9/software/S0115">Crimson</a> is malware used as part of a campaign known as Operation Transparent Tribe that targeted Indian diplomatic and military victims. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0235"> S0235 </a> </td> <td> <a href="/versions/v9/software/S0235"> CrossRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0235">CrossRAT</a> is a cross platform RAT.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0538"> S0538 </a> </td> <td> <a href="/versions/v9/software/S0538"> Crutch </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0538">Crutch</a> is a backdoor designed for document theft that has been used by <a href="/versions/v9/groups/G0010">Turla</a> since at least 2015.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0498"> S0498 </a> </td> <td> <a href="/versions/v9/software/S0498"> Cryptoistic </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0498">Cryptoistic</a> is a backdoor, written in Swift, that has been used by <a href="/versions/v9/groups/G0032">Lazarus Group</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0527"> S0527 </a> </td> <td> <a href="/versions/v9/software/S0527"> CSPY Downloader </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0527">CSPY Downloader</a> is a tool designed to evade analysis and download additional payloads used by <a href="/versions/v9/groups/G0094">Kimsuky</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0497"> S0497 </a> </td> <td> <a href="/versions/v9/software/S0497"> Dacls </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0497">Dacls</a> is a multi-platform remote access tool used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> since at least December 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0334"> S0334 </a> </td> <td> <a href="/versions/v9/software/S0334"> DarkComet </a> </td> <td> DarkKomet, Fynloski, Krademok, FYNLOS </td> <td> <p><a href="/versions/v9/software/S0334">DarkComet</a> is a Windows remote administration tool and backdoor.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0187"> S0187 
</a> </td> <td> <a href="/versions/v9/software/S0187"> Daserf </a> </td> <td> Muirim, Nioupale </td> <td> <p><a href="/versions/v9/software/S0187">Daserf</a> is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0255"> S0255 </a> </td> <td> <a href="/versions/v9/software/S0255"> DDKONG </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0255">DDKONG</a> is a malware sample that was part of a campaign by <a href="/versions/v9/groups/G0075">Rancor</a>. <a href="/versions/v9/software/S0255">DDKONG</a> was first seen used in February 2017. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0243"> S0243 </a> </td> <td> <a href="/versions/v9/software/S0243"> DealersChoice </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0243">DealersChoice</a> is a Flash exploitation framework used by <a href="/versions/v9/groups/G0007">APT28</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0479"> S0479 </a> </td> <td> <a href="/versions/v9/software/S0479"> DEFENSOR ID </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0479">DEFENSOR ID</a> is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. <a href="/versions/v9/software/S0479">DEFENSOR ID</a> performs the majority of its malicious functionality by abusing Android’s accessibility service. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0301"> S0301 </a> </td> <td> <a href="/versions/v9/software/S0301"> Dendroid </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0301">Dendroid</a> is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0354"> S0354 </a> </td> <td> <a href="/versions/v9/software/S0354"> Denis </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0354">Denis</a> is a Windows backdoor and Trojan used by <a href="/versions/v9/groups/G0050">APT32</a>. <a href="/versions/v9/software/S0354">Denis</a> shares several similarities to the <a href="/versions/v9/software/S0157">SOUNDBITE</a> backdoor and has been used in conjunction with the <a href="/versions/v9/software/S0477">Goopy</a> backdoor.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0021"> S0021 </a> </td> <td> <a href="/versions/v9/software/S0021"> Derusbi </a> </td> <td> PHOTO </td> <td> <p><a href="/versions/v9/software/S0021">Derusbi</a> is malware used by multiple Chinese APT groups. Both Windows and Linux variants have been observed. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0505"> S0505 </a> </td> <td> <a href="/versions/v9/software/S0505"> Desert Scorpion </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0505">Desert Scorpion</a> is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. <a href="/versions/v9/software/S0505">Desert Scorpion</a> is suspected to have been operated by the threat actor APT-C-23. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0200"> S0200 </a> </td> <td> <a href="/versions/v9/software/S0200"> Dipsind </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0200">Dipsind</a> is a malware family of backdoors that appear to be used exclusively by <a href="/versions/v9/groups/G0068">PLATINUM</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0213"> S0213 </a> </td> <td> <a href="/versions/v9/software/S0213"> DOGCALL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0213">DOGCALL</a> is a backdoor used by <a href="/versions/v9/groups/G0067">APT37</a> that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0281"> S0281 </a> </td> <td> <a href="/versions/v9/software/S0281"> Dok </a> </td> <td> Retefe </td> <td> <p><a href="/versions/v9/software/S0281">Dok</a> steals banking information through man-in-the-middle.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0600"> S0600 </a> </td> <td> <a href="/versions/v9/software/S0600"> Doki </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0600">Doki</a> is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. <a href="/versions/v9/software/S0600">Doki</a> was used in conjunction with the <a href="/versions/v9/software/S0508">Ngrok</a> Mining Botnet in a campaign that targeted Docker servers in cloud platforms. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0550"> S0550 </a> </td> <td> <a href="/versions/v9/software/S0550"> DoubleAgent </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0550">DoubleAgent</a> is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0472"> S0472 </a> </td> <td> <a href="/versions/v9/software/S0472"> down_new </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0472">down_new</a> is a downloader that has been used by <a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0134"> S0134 </a> </td> <td> <a href="/versions/v9/software/S0134"> Downdelph </a> </td> <td> Delphacy </td> <td> <p><a href="/versions/v9/software/S0134">Downdelph</a> is a first-stage downloader written in Delphi that has been used by <a href="/versions/v9/groups/G0007">APT28</a> in rare instances between 2013 and 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0186"> S0186 </a> </td> <td> <a href="/versions/v9/software/S0186"> DownPaper </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0186">DownPaper</a> is a backdoor Trojan; its main functionality is to download and run second stage malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0300"> S0300 </a> </td> <td> <a href="/versions/v9/software/S0300"> DressCode </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0300">DressCode</a> is an Android malware family. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0384"> S0384 </a> </td> <td> <a href="/versions/v9/software/S0384"> Dridex </a> </td> <td> Bugat v5 </td> <td> <p><a href="/versions/v9/software/S0384">Dridex</a> is a banking Trojan that has been used for financial gain. 
Dridex was created from the source code of the Bugat banking trojan (also known as Cridex).</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0320"> S0320 </a> </td> <td> <a href="/versions/v9/software/S0320"> DroidJack </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0320">DroidJack</a> is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0547"> S0547 </a> </td> <td> <a href="/versions/v9/software/S0547"> DropBook </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0547">DropBook</a> is a Python-based backdoor compiled with PyInstaller.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0502"> S0502 </a> </td> <td> <a href="/versions/v9/software/S0502"> Drovorub </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0502">Drovorub</a> is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by <a href="/versions/v9/groups/G0007">APT28</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0105"> S0105 </a> </td> <td> <a href="/versions/v9/software/S0105"> dsquery </a> </td> <td> dsquery.exe </td> <td> <p><a href="/versions/v9/software/S0105">dsquery</a> is a command-line utility that can be used to query Active Directory for information from a system within a domain. It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0567"> S0567 </a> </td> <td> <a href="/versions/v9/software/S0567"> Dtrack </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0567">Dtrack</a> is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. 
<a href="/versions/v9/software/S0567">Dtrack</a> shares similarities with the DarkSeoul campaign, which was attributed to <a href="/versions/v9/groups/G0032">Lazarus Group</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0315"> S0315 </a> </td> <td> <a href="/versions/v9/software/S0315"> DualToy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0315">DualToy</a> is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0038"> S0038 </a> </td> <td> <a href="/versions/v9/software/S0038"> Duqu </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0038">Duqu</a> is a malware platform that uses a modular approach to extend functionality after deployment within a target network. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0062"> S0062 </a> </td> <td> <a href="/versions/v9/software/S0062"> DustySky </a> </td> <td> NeD Worm </td> <td> <p><a href="/versions/v9/software/S0062">DustySky</a> is multi-stage malware written in .NET that has been used by <a href="/versions/v9/groups/G0021">Molerats</a> since May 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0420"> S0420 </a> </td> <td> <a href="/versions/v9/software/S0420"> Dvmap </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0420">Dvmap</a> is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0024"> S0024 </a> </td> <td> <a href="/versions/v9/software/S0024"> Dyre </a> </td> <td> Dyzap, Dyreza </td> <td> <p><a href="/versions/v9/software/S0024">Dyre</a> is a banking Trojan that has been used for financial gain. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0377"> S0377 </a> </td> <td> <a href="/versions/v9/software/S0377"> Ebury </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0377">Ebury</a> is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0593"> S0593 </a> </td> <td> <a href="/versions/v9/software/S0593"> ECCENTRICBANDWAGON </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0593">ECCENTRICBANDWAGON</a> is a Remote Access Tool (RAT) used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> that was first identified in August 2020. It is a reconnaissance tool--with keylogging and screen capture functionality--used for information gathering on compromised systems.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0554"> S0554 </a> </td> <td> <a href="/versions/v9/software/S0554"> Egregor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0554">Egregor</a> is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between <a href="/versions/v9/software/S0554">Egregor</a> and Sekhmet ransomware, as well as <a href="/versions/v9/software/S0449">Maze</a> ransomware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0081"> S0081 </a> </td> <td> <a href="/versions/v9/software/S0081"> Elise </a> </td> <td> BKDR_ESILE, Page </td> <td> <p><a href="/versions/v9/software/S0081">Elise</a> is a custom backdoor Trojan that appears to be used exclusively by <a href="/versions/v9/groups/G0030">Lotus Blossom</a>. It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0064"> S0064 </a> </td> <td> <a href="/versions/v9/software/S0064"> ELMER </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0064">ELMER</a> is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by <a href="/versions/v9/groups/G0023">APT16</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0082"> S0082 </a> </td> <td> <a href="/versions/v9/software/S0082"> Emissary </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0082">Emissary</a> is a Trojan that has been used by <a href="/versions/v9/groups/G0030">Lotus Blossom</a>. It shares code with <a href="/versions/v9/software/S0081">Elise</a>, with both Trojans being part of a malware group referred to as LStudio. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v9/software/S0367"> Emotet </a> </td> <td> Geodo </td> <td> <p><a href="/versions/v9/software/S0367">Emotet</a> is a modular malware variant which is primarily used as a downloader for other malware variants such as <a href="/versions/v9/software/S0266">TrickBot</a> and <a href="/versions/v9/software/S0483">IcedID</a>. Emotet first emerged in June 2014 and has been primarily used to target the banking sector. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v9/software/S0363"> Empire </a> </td> <td> EmPyre, PowerShell Empire </td> <td> <p><a href="/versions/v9/software/S0363">Empire</a> is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure <a href="/versions/v9/techniques/T1059/001">PowerShell</a> for Windows and Python for Linux/macOS. 
<a href="/versions/v9/software/S0363">Empire</a> was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0091"> S0091 </a> </td> <td> <a href="/versions/v9/software/S0091"> Epic </a> </td> <td> Tavdig, Wipbot, WorldCupSec, TadjMakhal </td> <td> <p><a href="/versions/v9/software/S0091">Epic</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0010">Turla</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0404"> S0404 </a> </td> <td> <a href="/versions/v9/software/S0404"> esentutl </a> </td> <td> esentutl.exe </td> <td> <p><a href="/versions/v9/software/S0404">esentutl</a> is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0507"> S0507 </a> </td> <td> <a href="/versions/v9/software/S0507"> eSurv </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0507">eSurv</a> is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0478"> S0478 </a> </td> <td> <a href="/versions/v9/software/S0478"> EventBot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0478">EventBot</a> is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications. 
<a href="/versions/v9/software/S0478">EventBot</a> was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0396"> S0396 </a> </td> <td> <a href="/versions/v9/software/S0396"> EvilBunny </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0396">EvilBunny</a> is a C++ malware sample observed since 2011 that was designed to be an execution platform for Lua scripts.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0152"> S0152 </a> </td> <td> <a href="/versions/v9/software/S0152"> EvilGrab </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0152">EvilGrab</a> is a malware family with common reconnaissance capabilities. It has been deployed by <a href="/versions/v9/groups/G0045">menuPass</a> via malicious Microsoft Office documents as part of spearphishing campaigns. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0568"> S0568 </a> </td> <td> <a href="/versions/v9/software/S0568"> EVILNUM </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0568">EVILNUM</a> is a fully capable backdoor that was first identified in 2018. <a href="/versions/v9/software/S0568">EVILNUM</a> is used by the APT group <a href="/versions/v9/groups/G0120">Evilnum</a> which has the same name.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0401"> S0401 </a> </td> <td> <a href="/versions/v9/software/S0401"> Exaramel for Linux </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0401">Exaramel for Linux</a> is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. 
The Windows version is tracked separately under <a href="/versions/v9/software/S0343">Exaramel for Windows</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0343"> S0343 </a> </td> <td> <a href="/versions/v9/software/S0343"> Exaramel for Windows </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0343">Exaramel for Windows</a> is a backdoor used for targeting Windows systems. The Linux version is tracked separately under <a href="/versions/v9/software/S0401">Exaramel for Linux</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0522"> S0522 </a> </td> <td> <a href="/versions/v9/software/S0522"> Exobot </a> </td> <td> Marcher </td> <td> <p><a href="/versions/v9/software/S0522">Exobot</a> is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0405"> S0405 </a> </td> <td> <a href="/versions/v9/software/S0405"> Exodus </a> </td> <td> Exodus One, Exodus Two </td> <td> <p><a href="/versions/v9/software/S0405">Exodus</a> is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0361"> S0361 </a> </td> <td> <a href="/versions/v9/software/S0361"> Expand </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0361">Expand</a> is a Windows utility used to expand one or more compressed CAB files. It has been used by <a href="/versions/v9/software/S0127">BBSRAT</a> to decompress a CAB file into executable content.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0569"> S0569 </a> </td> <td> <a href="/versions/v9/software/S0569"> Explosive </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0569">Explosive</a> is a custom-made remote access tool used by the group <a href="/versions/v9/groups/G0123">Volatile Cedar</a>. It was first identified in the wild in 2015. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0076"> S0076 </a> </td> <td> <a href="/versions/v9/software/S0076"> FakeM </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0076">FakeM</a> is a shellcode-based Windows backdoor that has been used by <a href="/versions/v9/groups/G0029">Scarlet Mimic</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0509"> S0509 </a> </td> <td> <a href="/versions/v9/software/S0509"> FakeSpy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0509">FakeSpy</a> is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0181"> S0181 </a> </td> <td> <a href="/versions/v9/software/S0181"> FALLCHILL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0181">FALLCHILL</a> is a RAT that has been used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other <a href="/versions/v9/groups/G0032">Lazarus Group</a> malware or delivered when a victim unknowingly visits a compromised website. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0512"> S0512 </a> </td> <td> <a href="/versions/v9/software/S0512"> FatDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0512">FatDuke</a> is a backdoor used by <a href="/versions/v9/groups/G0016">APT29</a> since at least 2016.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0171"> S0171 </a> </td> <td> <a href="/versions/v9/software/S0171"> Felismus </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0171">Felismus</a> is a modular backdoor that has been used by <a href="/versions/v9/groups/G0054">Sowbug</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0267"> S0267 </a> </td> <td> <a href="/versions/v9/software/S0267"> FELIXROOT </a> </td> <td> GreyEnergy mini </td> <td> <p><a href="/versions/v9/software/S0267">FELIXROOT</a> is a backdoor that has been used to target Ukrainian victims. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0120"> S0120 </a> </td> <td> <a href="/versions/v9/software/S0120"> Fgdump </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0120">Fgdump</a> is a Windows password hash dumper. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0355"> S0355 </a> </td> <td> <a href="/versions/v9/software/S0355"> Final1stspy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0355">Final1stspy</a> is a dropper family that has been used to deliver <a href="/versions/v9/software/S0213">DOGCALL</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0182"> S0182 </a> </td> <td> <a href="/versions/v9/software/S0182"> FinFisher </a> </td> <td> FinSpy </td> <td> <p><a href="/versions/v9/software/S0182">FinFisher</a> is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including <a href="/versions/v9/software/S0176">Wingbird</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0143"> S0143 </a> </td> <td> <a href="/versions/v9/software/S0143"> Flame </a> </td> <td> Flamer, sKyWIper </td> <td> <p>Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0036"> S0036 </a> </td> <td> <a href="/versions/v9/software/S0036"> FLASHFLOOD </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0036">FLASHFLOOD</a> is malware developed by <a href="/versions/v9/groups/G0013">APT30</a> that allows propagation and exfiltration of data over removable devices. <a href="/versions/v9/groups/G0013">APT30</a> may use this capability to exfiltrate data across air-gaps. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0381"> S0381 </a> </td> <td> <a href="/versions/v9/software/S0381"> FlawedAmmyy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0381">FlawedAmmyy</a> is a remote access tool (RAT) that was first seen in early 2016. The code for <a href="/versions/v9/software/S0381">FlawedAmmyy</a> was based on leaked source code for a version of Ammyy Admin, a remote access software.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0383"> S0383 </a> </td> <td> <a href="/versions/v9/software/S0383"> FlawedGrace </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0383">FlawedGrace</a> is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0408"> S0408 </a> </td> <td> <a href="/versions/v9/software/S0408"> FlexiSpy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0408">FlexiSpy</a> is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.</p><p><a href="/versions/v9/software/S0408">FlexiSpy</a> markets itself as a parental control and employee monitoring application.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0173"> S0173 </a> </td> <td> <a href="/versions/v9/software/S0173"> FLIPSIDE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0173">FLIPSIDE</a> is a simple tool similar to Plink that is used by <a href="/versions/v9/groups/G0053">FIN5</a> to maintain access to victims. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0193"> S0193 </a> </td> <td> <a href="/versions/v9/software/S0193"> Forfiles </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0193">Forfiles</a> is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0503"> S0503 </a> </td> <td> <a href="/versions/v9/software/S0503"> FrameworkPOS </a> </td> <td> Trinity </td> <td> <p><a href="/versions/v9/software/S0503">FrameworkPOS</a> is a point of sale (POS) malware used by <a href="/versions/v9/groups/G0037">FIN6</a> to steal payment card data from systems that run physical POS devices.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0577"> S0577 </a> </td> <td> <a href="/versions/v9/software/S0577"> FrozenCell </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0577">FrozenCell</a> is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and <a href="/versions/v9/software/S0339">Micropsia</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0277"> S0277 </a> </td> <td> <a href="/versions/v9/software/S0277"> FruitFly </a> </td> <td> </td> <td> <p>FruitFly is designed to spy on Mac users.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0095"> S0095 </a> </td> <td> <a href="/versions/v9/software/S0095"> FTP </a> </td> <td> ftp.exe </td> <td> <p><a href="/versions/v9/software/S0095">FTP</a> is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0410"> S0410 </a> </td> <td> <a href="/versions/v9/software/S0410"> Fysbis </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0410">Fysbis</a> is a Linux-based backdoor used by <a href="/versions/v9/groups/G0007">APT28</a> that dates back to at least 2014.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0168"> S0168 </a> </td> <td> <a href="/versions/v9/software/S0168"> Gazer </a> </td> <td> WhiteBear </td> <td> <p><a href="/versions/v9/software/S0168">Gazer</a> is a backdoor used by <a href="/versions/v9/groups/G0010">Turla</a> since at least 2016. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0049"> S0049 </a> </td> <td> <a href="/versions/v9/software/S0049"> GeminiDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0049">GeminiDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2009 to 2012. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0460"> S0460 </a> </td> <td> <a href="/versions/v9/software/S0460"> Get2 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0460">Get2</a> is a downloader written in C++ that has been used by <a href="/versions/v9/groups/G0092">TA505</a> to deliver <a href="/versions/v9/software/S0383">FlawedGrace</a>, <a href="/versions/v9/software/S0381">FlawedAmmyy</a>, Snatch and <a href="/versions/v9/software/S0461">SDBbot</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0032"> S0032 </a> </td> <td> <a href="/versions/v9/software/S0032"> gh0st RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0032">gh0st RAT</a> is a remote access tool (RAT). The source code is public and it has been used by multiple groups. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0423"> S0423 </a> </td> <td> <a href="/versions/v9/software/S0423"> Ginp </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0423">Ginp</a> is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from <a href="/versions/v9/software/S0422">Anubis</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0026"> S0026 </a> </td> <td> <a href="/versions/v9/software/S0026"> GLOOXMAIL </a> </td> <td> Trojan.GTALK </td> <td> <p><a href="/versions/v9/software/S0026">GLOOXMAIL</a> is malware used by <a href="/versions/v9/groups/G0006">APT1</a> that mimics legitimate Jabber/XMPP traffic. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0249"> S0249 </a> </td> <td> <a href="/versions/v9/software/S0249"> Gold Dragon </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0249">Gold Dragon</a> is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. <a href="/versions/v9/software/S0249">Gold Dragon</a> was used along with <a href="/versions/v9/software/S0252">Brave Prince</a> and <a href="/versions/v9/software/S0253">RunningRAT</a> in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0535"> S0535 </a> </td> <td> <a href="/versions/v9/software/S0535"> Golden Cup </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0535">Golden Cup</a> is Android spyware that has been used to target World Cup fans. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0551"> S0551 </a> </td> <td> <a href="/versions/v9/software/S0551"> GoldenEagle </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0551">GoldenEagle</a> is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. 
Samples have been found as early as 2012.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0493"> S0493 </a> </td> <td> <a href="/versions/v9/software/S0493"> GoldenSpy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0493">GoldenSpy</a> is a backdoor malware which has been packaged with legitimate tax preparation software. <a href="/versions/v9/software/S0493">GoldenSpy</a> was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0597"> S0597 </a> </td> <td> <a href="/versions/v9/software/S0597"> GoldFinder </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0597">GoldFinder</a> is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. <a href="/versions/v9/software/S0597">GoldFinder</a> was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by <a href="/versions/v9/groups/G0016">APT29</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v9/software/S0588"> GoldMax </a> </td> <td> SUNSHUTTLE </td> <td> <p><a href="/versions/v9/software/S0588">GoldMax</a> is a second-stage C2 backdoor written in Go that was used by <a href="/versions/v9/groups/G0016">APT29</a> and discovered in early 2021 during the investigation into breaches related to the SolarWinds intrusion. 
<a href="/versions/v9/software/S0588">GoldMax</a> uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0421"> S0421 </a> </td> <td> <a href="/versions/v9/software/S0421"> GolfSpy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0421">GolfSpy</a> is Android spyware deployed by the group <a href="/versions/v9/groups/G0097">Bouncing Golf</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0290"> S0290 </a> </td> <td> <a href="/versions/v9/software/S0290"> Gooligan </a> </td> <td> Ghost Push </td> <td> <p><a href="/versions/v9/software/S0290">Gooligan</a> is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. <a href="/versions/v9/software/S0290">Gooligan</a> has been described as part of the Ghost Push Android malware family. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0477"> S0477 </a> </td> <td> <a href="/versions/v9/software/S0477"> Goopy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0477">Goopy</a> is a Windows backdoor and Trojan used by <a href="/versions/v9/groups/G0050">APT32</a> and shares several similarities to another backdoor used by the group (<a href="/versions/v9/software/S0354">Denis</a>). <a href="/versions/v9/software/S0477">Goopy</a> is named for its impersonation of the legitimate Google Updater executable.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0536"> S0536 </a> </td> <td> <a href="/versions/v9/software/S0536"> GPlayed </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0536">GPlayed</a> is an Android trojan with a broad range of capabilities. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0531"> S0531 </a> </td> <td> <a href="/versions/v9/software/S0531"> Grandoreiro </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0531">Grandoreiro</a> is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. <a href="/versions/v9/software/S0531">Grandoreiro</a> has confirmed victims in Brazil, Mexico, Portugal, and Spain.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0237"> S0237 </a> </td> <td> <a href="/versions/v9/software/S0237"> GravityRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0237">GravityRAT</a> is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0342"> S0342 </a> </td> <td> <a href="/versions/v9/software/S0342"> GreyEnergy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0342">GreyEnergy</a> is a backdoor written in C and compiled in Visual Studio. <a href="/versions/v9/software/S0342">GreyEnergy</a> shares similarities with the <a href="/versions/v9/software/S0089">BlackEnergy</a> malware and is thought to be the successor of it.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0417"> S0417 </a> </td> <td> <a href="/versions/v9/software/S0417"> GRIFFON </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0417">GRIFFON</a> is a JavaScript backdoor used by <a href="/versions/v9/groups/G0046">FIN7</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0008"> S0008 </a> </td> <td> <a href="/versions/v9/software/S0008"> gsecdump </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0008">gsecdump</a> is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0561"> S0561 </a> </td> <td> <a href="/versions/v9/software/S0561"> GuLoader </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0561">GuLoader</a> is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including <a href="/versions/v9/software/S0198">NETWIRE</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0406"> S0406 </a> </td> <td> <a href="/versions/v9/software/S0406"> Gustuff </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0406">Gustuff</a> is mobile malware designed to steal users' banking and virtual currency credentials.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0132"> S0132 </a> </td> <td> <a href="/versions/v9/software/S0132"> H1N1 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0132">H1N1</a> is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0047"> S0047 </a> </td> <td> <a href="/versions/v9/software/S0047"> Hacking Team UEFI Rootkit </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0047">Hacking Team UEFI Rootkit</a> is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0151"> S0151 </a> </td> <td> <a href="/versions/v9/software/S0151"> HALFBAKED </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0151">HALFBAKED</a> is a malware family consisting of multiple components intended to establish persistence in victim networks. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0037"> S0037 </a> </td> <td> <a href="/versions/v9/software/S0037"> HAMMERTOSS </a> </td> <td> HammerDuke, NetDuke </td> <td> <p><a href="/versions/v9/software/S0037">HAMMERTOSS</a> is a backdoor that was used by <a href="/versions/v9/groups/G0016">APT29</a> in 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0499"> S0499 </a> </td> <td> <a href="/versions/v9/software/S0499"> Hancitor </a> </td> <td> Chanitor </td> <td> <p><a href="/versions/v9/software/S0499">Hancitor</a> is a downloader that has been used by <a href="/versions/v9/software/S0453">Pony</a> and other information stealing malware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0214"> S0214 </a> </td> <td> <a href="/versions/v9/software/S0214"> HAPPYWORK </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0214">HAPPYWORK</a> is a downloader used by <a href="/versions/v9/groups/G0067">APT37</a> to target South Korean government and financial victims in November 2016. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0246"> S0246 </a> </td> <td> <a href="/versions/v9/software/S0246"> HARDRAIN </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0246">HARDRAIN</a> is a Trojan malware variant reportedly used by the North Korean government. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0224"> S0224 </a> </td> <td> <a href="/versions/v9/software/S0224"> Havij </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0224">Havij</a> is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. 
Havij has been used by penetration testers and adversaries. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0391"> S0391 </a> </td> <td> <a href="/versions/v9/software/S0391"> HAWKBALL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0391">HAWKBALL</a> is a backdoor that was observed in targeting of the government sector in Central Asia.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0071"> S0071 </a> </td> <td> <a href="/versions/v9/software/S0071"> hcdLoader </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0071">hcdLoader</a> is a remote access tool (RAT) that has been used by <a href="/versions/v9/groups/G0026">APT18</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0061"> S0061 </a> </td> <td> <a href="/versions/v9/software/S0061"> HDoor </a> </td> <td> Custom HDoor </td> <td> <p><a href="/versions/v9/software/S0061">HDoor</a> is malware that has been customized and used by the <a href="/versions/v9/groups/G0019">Naikon</a> group. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0170"> S0170 </a> </td> <td> <a href="/versions/v9/software/S0170"> Helminth </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0170">Helminth</a> is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via macros in Excel spreadsheets, and one that is a standalone Windows executable. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0544"> S0544 </a> </td> <td> <a href="/versions/v9/software/S0544"> HenBox </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0544">HenBox</a> is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. 
<a href="/versions/v9/software/S0544">HenBox</a> has primarily been used to target Uyghurs, a minority Turkic ethnic group.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0087"> S0087 </a> </td> <td> <a href="/versions/v9/software/S0087"> Hi-Zor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0087">Hi-Zor</a> is a remote access tool (RAT) that has characteristics similar to <a href="/versions/v9/software/S0074">Sakula</a>. It was used in a campaign named INOCNATION. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0394"> S0394 </a> </td> <td> <a href="/versions/v9/software/S0394"> HiddenWasp </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0394">HiddenWasp</a> is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0135"> S0135 </a> </td> <td> <a href="/versions/v9/software/S0135"> HIDEDRV </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0135">HIDEDRV</a> is a rootkit used by <a href="/versions/v9/groups/G0007">APT28</a>. It has been deployed along with <a href="/versions/v9/software/S0134">Downdelph</a> to execute and hide that malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0009"> S0009 </a> </td> <td> <a href="/versions/v9/software/S0009"> Hikit </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0009">Hikit</a> is malware that has been used by <a href="/versions/v9/groups/G0001">Axiom</a> for late-stage persistence and exfiltration after the initial compromise.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0601"> S0601 </a> </td> <td> <a href="/versions/v9/software/S0601"> Hildegard </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0601">Hildegard</a> is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. 
The TeamTNT activity group is believed to be behind <a href="/versions/v9/software/S0601">Hildegard</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0232"> S0232 </a> </td> <td> <a href="/versions/v9/software/S0232"> HOMEFRY </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0232">HOMEFRY</a> is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other <a href="/versions/v9/groups/G0065">Leviathan</a> backdoors. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0376"> S0376 </a> </td> <td> <a href="/versions/v9/software/S0376"> HOPLIGHT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0376">HOPLIGHT</a> is a backdoor Trojan that has reportedly been used by the North Korean government.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0431"> S0431 </a> </td> <td> <a href="/versions/v9/software/S0431"> HotCroissant </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0431">HotCroissant</a> is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA. <a href="/versions/v9/software/S0431">HotCroissant</a> shares numerous code similarities with <a href="/versions/v9/software/S0433">Rifdoor</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0040"> S0040 </a> </td> <td> <a href="/versions/v9/software/S0040"> HTRAN </a> </td> <td> HUC Packet Transmit Tool </td> <td> <p><a href="/versions/v9/software/S0040">HTRAN</a> is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0070"> S0070 </a> </td> <td> <a href="/versions/v9/software/S0070"> HTTPBrowser </a> </td> <td> Token Control, HttpDump </td> <td> <p><a href="/versions/v9/software/S0070">HTTPBrowser</a> is malware that has been used by several threat groups. It is believed to be of Chinese origin. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0068"> S0068 </a> </td> <td> <a href="/versions/v9/software/S0068"> httpclient </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0068">httpclient</a> is malware used by <a href="/versions/v9/groups/G0024">Putter Panda</a>. It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0322"> S0322 </a> </td> <td> <a href="/versions/v9/software/S0322"> HummingBad </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0322">HummingBad</a> is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0321"> S0321 </a> </td> <td> <a href="/versions/v9/software/S0321"> HummingWhale </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0321">HummingWhale</a> is an Android malware family that performs ad fraud. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0203"> S0203 </a> </td> <td> <a href="/versions/v9/software/S0203"> Hydraq </a> </td> <td> Aurora, 9002 RAT </td> <td> <p><a href="/versions/v9/software/S0203">Hydraq</a> is a data-theft trojan first used by <a href="/versions/v9/groups/G0066">Elderwood</a> in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including <a href="/versions/v9/groups/G0025">APT17</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0398"> S0398 </a> </td> <td> <a href="/versions/v9/software/S0398"> HyperBro </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0398">HyperBro</a> is a custom in-memory backdoor used by <a href="/versions/v9/groups/G0027">Threat Group-3390</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0537"> S0537 </a> </td> <td> <a href="/versions/v9/software/S0537"> HyperStack </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0537">HyperStack</a> is a RPC-based backdoor used by <a href="/versions/v9/groups/G0010">Turla</a> since at least 2018. <a href="/versions/v9/software/S0537">HyperStack</a> has similarities to other backdoors used by <a href="/versions/v9/groups/G0010">Turla</a> including <a href="/versions/v9/software/S0335">Carbon</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0483"> S0483 </a> </td> <td> <a href="/versions/v9/software/S0483"> IcedID </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0483">IcedID</a> is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. <a href="/versions/v9/software/S0483">IcedID</a> has been downloaded by <a href="/versions/v9/software/S0367">Emotet</a> in multiple campaigns.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0101"> S0101 </a> </td> <td> <a href="/versions/v9/software/S0101"> ifconfig </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0101">ifconfig</a> is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0278"> S0278 </a> </td> <td> <a href="/versions/v9/software/S0278"> iKitten </a> </td> <td> OSX/MacDownloader </td> <td> <p><a href="/versions/v9/software/S0278">iKitten</a> is a macOS exfiltration agent.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0434"> S0434 </a> </td> <td> <a href="/versions/v9/software/S0434"> Imminent Monitor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0434">Imminent Monitor</a> was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0357"> S0357 </a> </td> <td> <a href="/versions/v9/software/S0357"> Impacket </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0357">Impacket</a> is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. <a href="/versions/v9/software/S0357">Impacket</a> contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0259"> S0259 </a> </td> <td> <a href="/versions/v9/software/S0259"> InnaputRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0259">InnaputRAT</a> is a remote access tool that can exfiltrate files from a victim’s machine. <a href="/versions/v9/software/S0259">InnaputRAT</a> has been seen out in the wild since 2016. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0463"> S0463 </a> </td> <td> <a href="/versions/v9/software/S0463"> INSOMNIA </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0463">INSOMNIA</a> is spyware that has been used by the group Evil Eye.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v9/software/S0260"> InvisiMole </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0260">InvisiMole</a> is a modular spyware program that has been used by the InvisiMole Group since at least 2013. <a href="/versions/v9/software/S0260">InvisiMole</a> has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. <a href="/versions/v9/groups/G0047">Gamaredon Group</a> infrastructure has been used to download and execute <a href="/versions/v9/software/S0260">InvisiMole</a> against a small number of victims.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0231"> S0231 </a> </td> <td> <a href="/versions/v9/software/S0231"> Invoke-PSImage </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0231">Invoke-PSImage</a> takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web. An example of usage is embedding the PowerShell code from the Invoke-Mimikatz module into an image file. By calling the image file from a macro, for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0100"> S0100 </a> </td> <td> <a href="/versions/v9/software/S0100"> ipconfig </a> </td> <td> ipconfig.exe </td> <td> <p><a href="/versions/v9/software/S0100">ipconfig</a> is a Windows utility that can be used to find information about a system's TCP/IP, DNS, DHCP, and adapter configuration. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0581"> S0581 </a> </td> <td> <a href="/versions/v9/software/S0581"> IronNetInjector </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0581">IronNetInjector</a> is a <a href="/versions/v9/groups/G0010">Turla</a> toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including <a href="/versions/v9/software/S0126">ComRAT</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0189"> S0189 </a> </td> <td> <a href="/versions/v9/software/S0189"> ISMInjector </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0189">ISMInjector</a> is a Trojan used to install another <a href="/versions/v9/groups/G0049">OilRig</a> backdoor, ISMAgent. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0015"> S0015 </a> </td> <td> <a href="/versions/v9/software/S0015"> Ixeshe </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0015">Ixeshe</a> is a malware family that has been used since at least 2009 against targets in East Asia. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0163"> S0163 </a> </td> <td> <a href="/versions/v9/software/S0163"> Janicab </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0163">Janicab</a> is an OS X trojan that relied on a valid developer ID and oblivious users to install it. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0528"> S0528 </a> </td> <td> <a href="/versions/v9/software/S0528"> Javali </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0528">Javali</a> is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0389"> S0389 </a> </td> <td> <a href="/versions/v9/software/S0389"> JCry </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0389">JCry</a> is ransomware written in Go. It was identified as a part of the #OpJerusalem 2019 campaign.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0044"> S0044 </a> </td> <td> <a href="/versions/v9/software/S0044"> JHUHUGIT </a> </td> <td> Trojan.Sofacy, Seduploader, JKEYSKW, Sednit, GAMEFISH, SofacyCarberp </td> <td> <p><a href="/versions/v9/software/S0044">JHUHUGIT</a> is malware used by <a href="/versions/v9/groups/G0007">APT28</a>. It is based on Carberp source code and serves as reconnaissance malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0201"> S0201 </a> </td> <td> <a href="/versions/v9/software/S0201"> JPIN </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0201">JPIN</a> is a custom-built backdoor family used by <a href="/versions/v9/groups/G0068">PLATINUM</a>. Evidence suggests developers of <a href="/versions/v9/software/S0201">JPIN</a> and <a href="/versions/v9/software/S0200">Dipsind</a> code bases were related in some way. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0283"> S0283 </a> </td> <td> <a href="/versions/v9/software/S0283"> jRAT </a> </td> <td> JSocket, AlienSpy, Frutas, Sockrat, Unrecom, jFrutas, Adwind, jBiFrost, Trojan.Maljava </td> <td> <p><a href="/versions/v9/software/S0283">jRAT</a> is a cross-platform, Java-based backdoor originally available for purchase in 2012. 
Variants of <a href="/versions/v9/software/S0283">jRAT</a> have been distributed via a software-as-a-service platform, similar to an online subscription model. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0325"> S0325 </a> </td> <td> <a href="/versions/v9/software/S0325"> Judy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0325">Judy</a> is auto-clicking adware that was distributed through multiple apps in the Google Play Store. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0215"> S0215 </a> </td> <td> <a href="/versions/v9/software/S0215"> KARAE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0215">KARAE</a> is a backdoor typically used by <a href="/versions/v9/groups/G0067">APT37</a> as first-stage malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0088"> S0088 </a> </td> <td> <a href="/versions/v9/software/S0088"> Kasidet </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0088">Kasidet</a> is a backdoor that has been dropped by using malicious VBA macros. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0265"> S0265 </a> </td> <td> <a href="/versions/v9/software/S0265"> Kazuar </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0265">Kazuar</a> is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0585"> S0585 </a> </td> <td> <a href="/versions/v9/software/S0585"> Kerrdown </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0585">Kerrdown</a> is a downloader used by <a href="/versions/v9/groups/G0050">APT32</a> to install spyware from a server on the victim's network.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0487"> S0487 </a> </td> <td> <a href="/versions/v9/software/S0487"> Kessel </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0487">Kessel</a> is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. <a href="/versions/v9/software/S0487">Kessel</a> has been active since its C2 domain began resolving in August 2018.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0387"> S0387 </a> </td> <td> <a href="/versions/v9/software/S0387"> KeyBoy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0387">KeyBoy</a> is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0276"> S0276 </a> </td> <td> <a href="/versions/v9/software/S0276"> Keydnap </a> </td> <td> OSX/Keydnap </td> <td> <p>This piece of malware steals the content of the user's keychain while maintaining a permanent backdoor.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0271"> S0271 </a> </td> <td> <a href="/versions/v9/software/S0271"> KEYMARBLE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0271">KEYMARBLE</a> is a Trojan that has reportedly been used by the North Korean government. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0288"> S0288 </a> </td> <td> <a href="/versions/v9/software/S0288"> KeyRaider </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0288">KeyRaider</a> is malware that steals Apple account credentials and other data from jailbroken iOS devices. 
It also has ransomware functionality. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0526"> S0526 </a> </td> <td> <a href="/versions/v9/software/S0526"> KGH_SPY </a> </td> <td> KGH_SPY </td> <td> <p><a href="/versions/v9/software/S0526">KGH_SPY</a> is a modular suite of tools used by <a href="/versions/v9/groups/G0094">Kimsuky</a> for reconnaissance, information stealing, and backdoor capabilities. <a href="/versions/v9/software/S0526">KGH_SPY</a> derived its name from PDB paths and internal names found in samples containing "KGH".</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0599"> S0599 </a> </td> <td> <a href="/versions/v9/software/S0599"> Kinsing </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0599">Kinsing</a> is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0437"> S0437 </a> </td> <td> <a href="/versions/v9/software/S0437"> Kivars </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0437">Kivars</a> is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by <a href="/versions/v9/groups/G0098">BlackTech</a> in a 2010 campaign.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0250"> S0250 </a> </td> <td> <a href="/versions/v9/software/S0250"> Koadic </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0250">Koadic</a> is a Windows post-exploitation framework and penetration testing tool. <a href="/versions/v9/software/S0250">Koadic</a> is publicly available on GitHub and the tool is executed via the command-line. <a href="/versions/v9/software/S0250">Koadic</a> has several options for staging payloads and creating implants. <a href="/versions/v9/software/S0250">Koadic</a> performs most of its operations using Windows Script Host. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0162"> S0162 </a> </td> <td> <a href="/versions/v9/software/S0162"> Komplex </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0162">Komplex</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0007">APT28</a> on OS X and appears to be developed in a similar manner to <a href="/versions/v9/software/S0161">XAgentOSX</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0156"> S0156 </a> </td> <td> <a href="/versions/v9/software/S0156"> KOMPROGO </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0156">KOMPROGO</a> is a signature backdoor used by <a href="/versions/v9/groups/G0050">APT32</a> that is capable of process, file, and registry management. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0356"> S0356 </a> </td> <td> <a href="/versions/v9/software/S0356"> KONNI </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0356">KONNI</a> is a Windows remote administration tool that has been seen in use since 2014 and evolved in its capabilities through at least 2017. <a href="/versions/v9/software/S0356">KONNI</a> has been linked to several campaigns involving North Korean themes. <a href="/versions/v9/software/S0356">KONNI</a> has significant code overlap with the <a href="/versions/v9/software/S0353">NOKKI</a> malware family. There is some evidence potentially linking <a href="/versions/v9/software/S0356">KONNI</a> to <a href="/versions/v9/groups/G0067">APT37</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0236"> S0236 </a> </td> <td> <a href="/versions/v9/software/S0236"> Kwampirs </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0236">Kwampirs</a> is a backdoor Trojan used by <a href="/versions/v9/groups/G0071">Orangeworm</a>. It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0349"> S0349 </a> </td> <td> <a href="/versions/v9/software/S0349"> LaZagne </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0349">LaZagne</a> is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. <a href="/versions/v9/software/S0349">LaZagne</a> is publicly available on GitHub.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0395"> S0395 </a> </td> <td> <a href="/versions/v9/software/S0395"> LightNeuron </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0395">LightNeuron</a> is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. <a href="/versions/v9/software/S0395">LightNeuron</a> has been used by <a href="/versions/v9/groups/G0010">Turla</a> to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of <a href="/versions/v9/software/S0395">LightNeuron</a> exists.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0211"> S0211 </a> </td> <td> <a href="/versions/v9/software/S0211"> Linfo </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0211">Linfo</a> is a rootkit trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor on compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0362"> S0362 </a> </td> <td> <a href="/versions/v9/software/S0362"> Linux Rabbit </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0362">Linux Rabbit</a> is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. 
The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0372"> S0372 </a> </td> <td> <a href="/versions/v9/software/S0372"> LockerGoga </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0372">LockerGoga</a> is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0397"> S0397 </a> </td> <td> <a href="/versions/v9/software/S0397"> LoJax </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0397">LoJax</a> is a UEFI rootkit used by <a href="/versions/v9/groups/G0007">APT28</a> to persist remote access software on targeted systems.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0447"> S0447 </a> </td> <td> <a href="/versions/v9/software/S0447"> Lokibot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0447">Lokibot</a> is a malware designed to collect credentials and security tokens from an infected machine. <a href="/versions/v9/software/S0447">Lokibot</a> has also been used to establish backdoors in enterprise environments.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0582"> S0582 </a> </td> <td> <a href="/versions/v9/software/S0582"> LookBack </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0582">LookBack</a> is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using <a href="/versions/v9/software/S0582">LookBack</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0451"> S0451 </a> </td> <td> <a href="/versions/v9/software/S0451"> LoudMiner </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0451">LoudMiner</a> is a cryptocurrency miner which uses virtualization software to siphon system resources. 
The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0042"> S0042 </a> </td> <td> <a href="/versions/v9/software/S0042"> LOWBALL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0042">LOWBALL</a> is malware used by <a href="/versions/v9/groups/G0018">admin@338</a>. It was used in August 2015 in email messages targeting Hong Kong-based media organizations. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0121"> S0121 </a> </td> <td> <a href="/versions/v9/software/S0121"> Lslsass </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0121">Lslsass</a> is a publicly-available tool that can dump active logon session password hashes from the lsass process. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0532"> S0532 </a> </td> <td> <a href="/versions/v9/software/S0532"> Lucifer </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0532">Lucifer</a> is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0010"> S0010 </a> </td> <td> <a href="/versions/v9/software/S0010"> Lurid </a> </td> <td> Enfal </td> <td> <p><a href="/versions/v9/software/S0010">Lurid</a> is a malware family that has been used by several groups, including <a href="/versions/v9/groups/G0011">PittyTiger</a>, in targeted attacks as far back as 2006. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v9/software/S0409"> Machete </a> </td> <td> Pyark </td> <td> <p><a href="/versions/v9/software/S0409">Machete</a> is a cyber espionage toolset used by <a href="/versions/v9/groups/G0095">Machete</a>. 
It is a Python-based backdoor targeting Windows machines that was first observed in 2010.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0282"> S0282 </a> </td> <td> <a href="/versions/v9/software/S0282"> MacSpy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0282">MacSpy</a> is a malware-as-a-service offered on the darkweb.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0413"> S0413 </a> </td> <td> <a href="/versions/v9/software/S0413"> MailSniper </a> </td> <td> </td> <td> <p>MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0485"> S0485 </a> </td> <td> <a href="/versions/v9/software/S0485"> Mandrake </a> </td> <td> oxide, briar, ricinus, darkmatter </td> <td> <p><a href="/versions/v9/software/S0485">Mandrake</a> is a sophisticated Android espionage platform that has been active in the wild since at least 2016. <a href="/versions/v9/software/S0485">Mandrake</a> is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.</p><p><a href="/versions/v9/software/S0485">Mandrake</a> has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0317"> S0317 </a> </td> <td> <a href="/versions/v9/software/S0317"> Marcher </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0317">Marcher</a> is Android malware that is used for financial fraud. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0167"> S0167 </a> </td> <td> <a href="/versions/v9/software/S0167"> Matryoshka </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0167">Matryoshka</a> is a malware framework used by <a href="/versions/v9/groups/G0052">CopyKittens</a> that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0303"> S0303 </a> </td> <td> <a href="/versions/v9/software/S0303"> MazarBOT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0303">MazarBOT</a> is Android malware that was distributed via SMS in Denmark in 2016. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0449"> S0449 </a> </td> <td> <a href="/versions/v9/software/S0449"> Maze </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0449">Maze</a> ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, <a href="/versions/v9/software/S0449">Maze</a> operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0500"> S0500 </a> </td> <td> <a href="/versions/v9/software/S0500"> MCMD </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0500">MCMD</a> is a remote access tool that provides remote command shell capability used by <a href="/versions/v9/groups/G0074">Dragonfly 2.0</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0459"> S0459 </a> </td> <td> <a href="/versions/v9/software/S0459"> MechaFlounder </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0459">MechaFlounder</a> is a Python-based remote access tool (RAT) that has been used by <a href="/versions/v9/groups/G0087">APT39</a>. 
The payload uses a combination of actor-developed code and code snippets freely available online in development communities.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0175"> S0175 </a> </td> <td> <a href="/versions/v9/software/S0175"> meek </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0175">meek</a> is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0576"> S0576 </a> </td> <td> <a href="/versions/v9/software/S0576"> MegaCortex </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0576">MegaCortex</a> is ransomware that first appeared in May 2019. <a href="/versions/v9/software/S0576">MegaCortex</a> has mainly targeted industrial organizations. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0530"> S0530 </a> </td> <td> <a href="/versions/v9/software/S0530"> Melcoz </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0530">Melcoz</a> is a banking trojan family built from the open source tool Remote Access PC. <a href="/versions/v9/software/S0530">Melcoz</a> was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0443"> S0443 </a> </td> <td> <a href="/versions/v9/software/S0443"> MESSAGETAP </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0443">MESSAGETAP</a> is a data mining malware family deployed by <a href="/versions/v9/groups/G0096">APT41</a> into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0455"> S0455 </a> </td> <td> <a href="/versions/v9/software/S0455"> Metamorfo </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0455">Metamorfo</a> is a banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting mostly Brazilian users.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0339"> S0339 </a> </td> <td> <a href="/versions/v9/software/S0339"> Micropsia </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0339">Micropsia</a> is a remote access tool written in Delphi.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0002"> S0002 </a> </td> <td> <a href="/versions/v9/software/S0002"> Mimikatz </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0002">Mimikatz</a> is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0179"> S0179 </a> </td> <td> <a href="/versions/v9/software/S0179"> MimiPenguin </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0179">MimiPenguin</a> is a credential dumper, similar to <a href="/versions/v9/software/S0002">Mimikatz</a>, designed specifically for Linux platforms. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0133"> S0133 </a> </td> <td> <a href="/versions/v9/software/S0133"> Miner-C </a> </td> <td> Mal/Miner-C, PhotoMiner </td> <td> <p><a href="/versions/v9/software/S0133">Miner-C</a> is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0051"> S0051 </a> </td> <td> <a href="/versions/v9/software/S0051"> MiniDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0051">MiniDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2010 to 2015. The <a href="/versions/v9/software/S0051">MiniDuke</a> toolset consists of multiple downloader and backdoor components. The loader has been used with other <a href="/versions/v9/software/S0051">MiniDuke</a> components as well as in conjunction with <a href="/versions/v9/software/S0050">CosmicDuke</a> and <a href="/versions/v9/software/S0048">PinchDuke</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0280"> S0280 </a> </td> <td> <a href="/versions/v9/software/S0280"> MirageFox </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0280">MirageFox</a> is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0084"> S0084 </a> </td> <td> <a href="/versions/v9/software/S0084"> Mis-Type </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0084">Mis-Type</a> is a backdoor hybrid that was used by <a href="/versions/v9/groups/G0031">Dust Storm</a> in 2012. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0083"> S0083 </a> </td> <td> <a href="/versions/v9/software/S0083"> Misdat </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0083">Misdat</a> is a backdoor that was used by <a href="/versions/v9/groups/G0031">Dust Storm</a> from 2010 to 2011. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0080"> S0080 </a> </td> <td> <a href="/versions/v9/software/S0080"> Mivast </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0080">Mivast</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0009">Deep Panda</a>. 
It was reportedly used in the Anthem breach. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0079"> S0079 </a> </td> <td> <a href="/versions/v9/software/S0079"> MobileOrder </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0079">MobileOrder</a> is a Trojan intended to compromise Android mobile devices. It has been used by <a href="/versions/v9/groups/G0029">Scarlet Mimic</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0553"> S0553 </a> </td> <td> <a href="/versions/v9/software/S0553"> MoleNet </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0553">MoleNet</a> is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0407"> S0407 </a> </td> <td> <a href="/versions/v9/software/S0407"> Monokle </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0407">Monokle</a> is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggest an iOS version may be in development.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0149"> S0149 </a> </td> <td> <a href="/versions/v9/software/S0149"> MoonWind </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0149">MoonWind</a> is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0284"> S0284 </a> </td> <td> <a href="/versions/v9/software/S0284"> More_eggs </a> </td> <td> SKID, Terra Loader, SpicyOmelette </td> <td> <p><a href="/versions/v9/software/S0284">More_eggs</a> is a JScript backdoor used by <a href="/versions/v9/groups/G0080">Cobalt Group</a> and <a href="/versions/v9/groups/G0037">FIN6</a>. Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0256"> S0256 </a> </td> <td> <a href="/versions/v9/software/S0256"> Mosquito </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0256">Mosquito</a> is a Win32 backdoor that has been used by <a href="/versions/v9/groups/G0010">Turla</a>. <a href="/versions/v9/software/S0256">Mosquito</a> is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0233"> S0233 </a> </td> <td> <a href="/versions/v9/software/S0233"> MURKYTOP </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0233">MURKYTOP</a> is a reconnaissance tool used by <a href="/versions/v9/groups/G0065">Leviathan</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0205"> S0205 </a> </td> <td> <a href="/versions/v9/software/S0205"> Naid </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0205">Naid</a> is a trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor on compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0228"> S0228 </a> </td> <td> <a href="/versions/v9/software/S0228"> NanHaiShu </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0228">NanHaiShu</a> is a remote access tool and JScript backdoor used by <a href="/versions/v9/groups/G0065">Leviathan</a>. <a href="/versions/v9/software/S0228">NanHaiShu</a> has been used to target government and private-sector organizations that have relations to the South China Sea dispute. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0336"> S0336 </a> </td> <td> <a href="/versions/v9/software/S0336"> NanoCore </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0336">NanoCore</a> is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. 
It has been used by threat actors since 2013.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0247"> S0247 </a> </td> <td> <a href="/versions/v9/software/S0247"> NavRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0247">NavRAT</a> is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0590"> S0590 </a> </td> <td> <a href="/versions/v9/software/S0590"> NBTscan </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0590">NBTscan</a> is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0102"> S0102 </a> </td> <td> <a href="/versions/v9/software/S0102"> nbtstat </a> </td> <td> nbtstat.exe </td> <td> <p><a href="/versions/v9/software/S0102">nbtstat</a> is a utility used to troubleshoot NetBIOS name resolution. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0272"> S0272 </a> </td> <td> <a href="/versions/v9/software/S0272"> NDiskMonitor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0272">NDiskMonitor</a> is a custom backdoor written in .NET that appears to be unique to <a href="/versions/v9/groups/G0040">Patchwork</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0210"> S0210 </a> </td> <td> <a href="/versions/v9/software/S0210"> Nerex </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0210">Nerex</a> is a Trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor on compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0039"> S0039 </a> </td> <td> <a href="/versions/v9/software/S0039"> Net </a> </td> <td> net.exe </td> <td> <p>The <a href="/versions/v9/software/S0039">Net</a> utility is a component of the Windows operating system. 
It is used in command-line operations for control of users, groups, services, and network connections. </p><p><a href="/versions/v9/software/S0039">Net</a> has a great deal of functionality, much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a> using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0056"> S0056 </a> </td> <td> <a href="/versions/v9/software/S0056"> Net Crawler </a> </td> <td> NetC </td> <td> <p><a href="/versions/v9/software/S0056">Net Crawler</a> is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using <a href="/versions/v9/software/S0029">PsExec</a> to execute a copy of <a href="/versions/v9/software/S0056">Net Crawler</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0034"> S0034 </a> </td> <td> <a href="/versions/v9/software/S0034"> NETEAGLE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0034">NETEAGLE</a> is a backdoor developed by <a href="/versions/v9/groups/G0013">APT30</a> with compile dates as early as 2008. It has two main variants known as "Scout" and "Norton." </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0108"> S0108 </a> </td> <td> <a href="/versions/v9/software/S0108"> netsh </a> </td> <td> netsh.exe </td> <td> <p><a href="/versions/v9/software/S0108">netsh</a> is a scripting utility used to interact with networking components on local or remote systems. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0104"> S0104 </a> </td> <td> <a href="/versions/v9/software/S0104"> netstat </a> </td> <td> netstat.exe </td> <td> <p><a href="/versions/v9/software/S0104">netstat</a> is an operating system utility that displays active TCP connections, listening ports, and network statistics. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0033"> S0033 </a> </td> <td> <a href="/versions/v9/software/S0033"> NetTraveler </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0033">NetTraveler</a> is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v9/software/S0457"> Netwalker </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0457">Netwalker</a> is fileless ransomware written in PowerShell and executed directly in memory.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v9/software/S0198"> NETWIRE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0198">NETWIRE</a> is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0508"> S0508 </a> </td> <td> <a href="/versions/v9/software/S0508"> Ngrok </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0508">Ngrok</a> is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. 
<a href="/versions/v9/software/S0508">Ngrok</a> has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0118"> S0118 </a> </td> <td> <a href="/versions/v9/software/S0118"> Nidiran </a> </td> <td> Backdoor.Nidiran </td> <td> <p><a href="/versions/v9/software/S0118">Nidiran</a> is a custom backdoor developed and used by <a href="/versions/v9/groups/G0039">Suckfly</a>. It has been delivered via strategic web compromise. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0385"> S0385 </a> </td> <td> <a href="/versions/v9/software/S0385"> njRAT </a> </td> <td> Njw0rm, LV, Bladabindi </td> <td> <p><a href="/versions/v9/software/S0385">njRAT</a> is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0359"> S0359 </a> </td> <td> <a href="/versions/v9/software/S0359"> Nltest </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0359">Nltest</a> is a Windows command-line utility used to list domain controllers and enumerate domain trusts.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0353"> S0353 </a> </td> <td> <a href="/versions/v9/software/S0353"> NOKKI </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0353">NOKKI</a> is a modular remote access tool. The earliest observed attack using <a href="/versions/v9/software/S0353">NOKKI</a> was in January 2018. <a href="/versions/v9/software/S0353">NOKKI</a> has significant code overlap with the <a href="/versions/v9/software/S0356">KONNI</a> malware family. 
There is some evidence potentially linking <a href="/versions/v9/software/S0353">NOKKI</a> to <a href="/versions/v9/groups/G0067">APT37</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0299"> S0299 </a> </td> <td> <a href="/versions/v9/software/S0299"> NotCompatible </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0299">NotCompatible</a> is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0368"> S0368 </a> </td> <td> <a href="/versions/v9/software/S0368"> NotPetya </a> </td> <td> ExPetr, Diskcoder.C, GoldenEye, Petrwrap, Nyetya </td> <td> <p><a href="/versions/v9/software/S0368">NotPetya</a> is malware that was used by <a href="/versions/v9/groups/G0034">Sandworm Team</a> in a worldwide attack starting on June 27, 2017. While <a href="/versions/v9/software/S0368">NotPetya</a> appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, <a href="/versions/v9/software/S0368">NotPetya</a> may be more appropriately thought of as a form of wiper malware. <a href="/versions/v9/software/S0368">NotPetya</a> contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0286"> S0286 </a> </td> <td> <a href="/versions/v9/software/S0286"> OBAD </a> </td> <td> </td> <td> <p>OBAD is an Android malware family. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0346"> S0346 </a> </td> <td> <a href="/versions/v9/software/S0346"> OceanSalt </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0346">OceanSalt</a> is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. 
<a href="/versions/v9/software/S0346">OceanSalt</a> shares code similarity with <a href="/versions/v9/software/S0305">SpyNote RAT</a>, which has been linked to <a href="/versions/v9/groups/G0006">APT1</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0340"> S0340 </a> </td> <td> <a href="/versions/v9/software/S0340"> Octopus </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0340">Octopus</a> is a Windows Trojan.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v9/software/S0439"> Okrum </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0439">Okrum</a> is a Windows backdoor that has been seen in use since December 2016 with strong links to <a href="/versions/v9/groups/G0004">Ke3chang</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0138"> S0138 </a> </td> <td> <a href="/versions/v9/software/S0138"> OLDBAIT </a> </td> <td> Sasfis </td> <td> <p><a href="/versions/v9/software/S0138">OLDBAIT</a> is a credential harvester used by <a href="/versions/v9/groups/G0007">APT28</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0285"> S0285 </a> </td> <td> <a href="/versions/v9/software/S0285"> OldBoot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0285">OldBoot</a> is an Android malware family. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0365"> S0365 </a> </td> <td> <a href="/versions/v9/software/S0365"> Olympic Destroyer </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0365">Olympic Destroyer</a> is malware that was used by <a href="/versions/v9/groups/G0034">Sandworm Team</a> against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. 
<a href="/versions/v9/software/S0365">Olympic Destroyer</a> has worm-like features to spread itself across a computer network in order to maximize its destructive impact. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0052"> S0052 </a> </td> <td> <a href="/versions/v9/software/S0052"> OnionDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0052">OnionDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2013 to 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v9/software/S0264"> OopsIE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0264">OopsIE</a> is a Trojan used by <a href="/versions/v9/groups/G0049">OilRig</a> to remotely execute commands as well as upload/download files to/from victims. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0229"> S0229 </a> </td> <td> <a href="/versions/v9/software/S0229"> Orz </a> </td> <td> AIRBREAK </td> <td> <p><a href="/versions/v9/software/S0229">Orz</a> is a custom JavaScript backdoor used by <a href="/versions/v9/groups/G0065">Leviathan</a>. It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0165"> S0165 </a> </td> <td> <a href="/versions/v9/software/S0165"> OSInfo </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0165">OSInfo</a> is a custom tool used by <a href="/versions/v9/groups/G0022">APT3</a> to do internal discovery on a victim's computer and network. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0402"> S0402 </a> </td> <td> <a href="/versions/v9/software/S0402"> OSX/Shlayer </a> </td> <td> Crossrider </td> <td> <p><a href="/versions/v9/software/S0402">OSX/Shlayer</a> is a Trojan designed to install adware on macOS. 
It was first discovered in 2018.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0352"> S0352 </a> </td> <td> <a href="/versions/v9/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> Backdoor.MacOS.OCEANLOTUS.F </td> <td> <p><a href="/versions/v9/software/S0352">OSX_OCEANLOTUS.D</a> is a macOS backdoor with several variants that has been used by <a href="/versions/v9/groups/G0050">APT32</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0594"> S0594 </a> </td> <td> <a href="/versions/v9/software/S0594"> Out1 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0594">Out1</a> is a remote access tool written in Python and used by <a href="/versions/v9/groups/G0069">MuddyWater</a> since at least 2021.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0072"> S0072 </a> </td> <td> <a href="/versions/v9/software/S0072"> OwaAuth </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0072">OwaAuth</a> is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by <a href="/versions/v9/groups/G0027">Threat Group-3390</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0598"> S0598 </a> </td> <td> <a href="/versions/v9/software/S0598"> P.A.S. Webshell </a> </td> <td> Fobushell </td> <td> <p><a href="/versions/v9/software/S0598">P.A.S. Webshell</a> is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0016"> S0016 </a> </td> <td> <a href="/versions/v9/software/S0016"> P2P ZeuS </a> </td> <td> Peer-to-Peer ZeuS, Gameover ZeuS </td> <td> <p><a href="/versions/v9/software/S0016">P2P ZeuS</a> is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0399"> S0399 </a> </td> <td> <a href="/versions/v9/software/S0399"> Pallas </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0399">Pallas</a> is mobile surveillanceware that was custom-developed by <a href="/versions/v9/groups/G0070">Dark Caracal</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0208"> S0208 </a> </td> <td> <a href="/versions/v9/software/S0208"> Pasam </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0208">Pasam</a> is a trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor on compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0122"> S0122 </a> </td> <td> <a href="/versions/v9/software/S0122"> Pass-The-Hash Toolkit </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0122">Pass-The-Hash Toolkit</a> is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0556"> S0556 </a> </td> <td> <a href="/versions/v9/software/S0556"> Pay2Key </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0556">Pay2Key</a> is a ransomware written in C++ that has been used by <a href="/versions/v9/groups/G0117">Fox Kitten</a> since at least July 2020 including campaigns against Israeli companies. <a href="/versions/v9/software/S0556">Pay2Key</a> has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0316"> S0316 </a> </td> <td> <a href="/versions/v9/software/S0316"> Pegasus for Android </a> </td> <td> Chrysaor </td> <td> <p><a href="/versions/v9/software/S0316">Pegasus for Android</a> is the Android version of malware that has reportedly been linked to the NSO Group. 
The iOS version is tracked separately under <a href="/versions/v9/software/S0289">Pegasus for iOS</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0289"> S0289 </a> </td> <td> <a href="/versions/v9/software/S0289"> Pegasus for iOS </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0289">Pegasus for iOS</a> is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. The Android version is tracked separately under <a href="/versions/v9/software/S0316">Pegasus for Android</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0587"> S0587 </a> </td> <td> <a href="/versions/v9/software/S0587"> Penquin </a> </td> <td> Penquin 2.0, Penquin_x64 </td> <td> <p><a href="/versions/v9/software/S0587">Penquin</a> is a remote access trojan (RAT) with multiple versions used by <a href="/versions/v9/groups/G0010">Turla</a> to target Linux systems since at least 2014.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0158"> S0158 </a> </td> <td> <a href="/versions/v9/software/S0158"> PHOREAL </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0158">PHOREAL</a> is a signature backdoor used by <a href="/versions/v9/groups/G0050">APT32</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0517"> S0517 </a> </td> <td> <a href="/versions/v9/software/S0517"> Pillowmint </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0517">Pillowmint</a> is a point-of-sale malware used by <a href="/versions/v9/groups/G0046">FIN7</a> designed to capture credit card information.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0048"> S0048 </a> </td> <td> <a href="/versions/v9/software/S0048"> PinchDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0048">PinchDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2008 to 2010. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0097"> S0097 </a> </td> <td> <a href="/versions/v9/software/S0097"> Ping </a> </td> <td> Ping </td> <td> <p><a href="/versions/v9/software/S0097">Ping</a> is an operating system utility commonly used to troubleshoot and verify network connections. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0501"> S0501 </a> </td> <td> <a href="/versions/v9/software/S0501"> PipeMon </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0501">PipeMon</a> is a multi-stage modular backdoor used by <a href="/versions/v9/groups/G0044">Winnti Group</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0124"> S0124 </a> </td> <td> <a href="/versions/v9/software/S0124"> Pisloader </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0124">Pisloader</a> is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by <a href="/versions/v9/groups/G0026">APT18</a> and is similar to another malware family, <a href="/versions/v9/software/S0070">HTTPBrowser</a>, that has been used by the group. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0291"> S0291 </a> </td> <td> <a href="/versions/v9/software/S0291"> PJApps </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0291">PJApps</a> is an Android malware family. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0254"> S0254 </a> </td> <td> <a href="/versions/v9/software/S0254"> PLAINTEE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0254">PLAINTEE</a> is a malware sample that has been used by <a href="/versions/v9/groups/G0075">Rancor</a> in targeted attacks in Singapore and Cambodia. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0435"> S0435 </a> </td> <td> <a href="/versions/v9/software/S0435"> PLEAD </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0435">PLEAD</a> is a remote access tool (RAT) and downloader used by <a href="/versions/v9/groups/G0098">BlackTech</a> in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong. <a href="/versions/v9/software/S0435">PLEAD</a> has also been referred to as <a href="/versions/v9/software/S0436">TSCookie</a>, though more recent reporting indicates likely separation between the two. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0013"> S0013 </a> </td> <td> <a href="/versions/v9/software/S0013"> PlugX </a> </td> <td> DestroyRAT, Sogu, Kaba, Korplug </td> <td> <p><a href="/versions/v9/software/S0013">PlugX</a> is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0067"> S0067 </a> </td> <td> <a href="/versions/v9/software/S0067"> pngdowner </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0067">pngdowner</a> is malware used by <a href="/versions/v9/groups/G0024">Putter Panda</a>. It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and-execute" utility. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v9/software/S0428"> PoetRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0428">PoetRAT</a> is a remote access trojan (RAT) that was first identified in April 2020. <a href="/versions/v9/software/S0428">PoetRAT</a> has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. 
<a href="/versions/v9/software/S0428">PoetRAT</a> derived its name from references in the code to poet William Shakespeare. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0012"> S0012 </a> </td> <td> <a href="/versions/v9/software/S0012"> PoisonIvy </a> </td> <td> Poison Ivy, Darkmoon </td> <td> <p><a href="/versions/v9/software/S0012">PoisonIvy</a> is a popular remote access tool (RAT) that has been used by many groups. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0518"> S0518 </a> </td> <td> <a href="/versions/v9/software/S0518"> PolyglotDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0518">PolyglotDuke</a> is a downloader that has been used by <a href="/versions/v9/groups/G0016">APT29</a> since at least 2013. <a href="/versions/v9/software/S0518">PolyglotDuke</a> has been used to drop <a href="/versions/v9/software/S0051">MiniDuke</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0453"> S0453 </a> </td> <td> <a href="/versions/v9/software/S0453"> Pony </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0453">Pony</a> is credential-stealing malware, though it has also been used by adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 was leaked online, leading to their use by various threat actors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0216"> S0216 </a> </td> <td> <a href="/versions/v9/software/S0216"> POORAIM </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0216">POORAIM</a> is a backdoor used by <a href="/versions/v9/groups/G0067">APT37</a> in campaigns since at least 2014. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0378"> S0378 </a> </td> <td> <a href="/versions/v9/software/S0378"> PoshC2 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0378">PoshC2</a> is an open source remote administration and post-exploitation framework that is publicly available on GitHub. 
The server-side components of the tool are primarily written in Python, while the implants are written in <a href="/versions/v9/techniques/T1059/001">PowerShell</a>. Although <a href="/versions/v9/software/S0378">PoshC2</a> is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0150"> S0150 </a> </td> <td> <a href="/versions/v9/software/S0150"> POSHSPY </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0150">POSHSPY</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0016">APT29</a> since at least 2015. It appears to be a secondary backdoor used if the actors lost access to their primary backdoors. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0177"> S0177 </a> </td> <td> <a href="/versions/v9/software/S0177"> Power Loader </a> </td> <td> Win32/Agent.UAW </td> <td> <p><a href="/versions/v9/software/S0177">Power Loader</a> is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0139"> S0139 </a> </td> <td> <a href="/versions/v9/software/S0139"> PowerDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0139">PowerDuke</a> is a backdoor that was used by <a href="/versions/v9/groups/G0016">APT29</a> in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0441"> S0441 </a> </td> <td> <a href="/versions/v9/software/S0441"> PowerShower </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0441">PowerShower</a> is a PowerShell backdoor used by <a href="/versions/v9/groups/G0100">Inception</a> for initial reconnaissance and to download and execute second stage payloads.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0145"> S0145 </a> </td> <td> <a href="/versions/v9/software/S0145"> POWERSOURCE </a> </td> <td> DNSMessenger </td> <td> <p><a href="/versions/v9/software/S0145">POWERSOURCE</a> is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0194"> S0194 </a> </td> <td> <a href="/versions/v9/software/S0194"> PowerSploit </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0194">PowerSploit</a> is an open source, offensive security framework comprised of <a href="/versions/v9/techniques/T1059/001">PowerShell</a> modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0393"> S0393 </a> </td> <td> <a href="/versions/v9/software/S0393"> PowerStallion </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0393">PowerStallion</a> is a lightweight <a href="/versions/v9/techniques/T1059/001">PowerShell</a> backdoor used by <a href="/versions/v9/groups/G0010">Turla</a>, possibly as a recovery access tool to install other backdoors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0223"> S0223 </a> </td> <td> <a href="/versions/v9/software/S0223"> POWERSTATS </a> </td> <td> Powermud </td> <td> <p><a href="/versions/v9/software/S0223">POWERSTATS</a> is a PowerShell-based first stage backdoor used by <a href="/versions/v9/groups/G0069">MuddyWater</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0371"> S0371 </a> </td> <td> <a href="/versions/v9/software/S0371"> POWERTON </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0371">POWERTON</a> is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by <a href="/versions/v9/groups/G0064">APT33</a>. At least two variants of the backdoor have been identified, with the later version containing improved functionality.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0184"> S0184 </a> </td> <td> <a href="/versions/v9/software/S0184"> POWRUNER </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0184">POWRUNER</a> is a PowerShell script that sends and receives commands to and from the C2 server. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0113"> S0113 </a> </td> <td> <a href="/versions/v9/software/S0113"> Prikormka </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0113">Prikormka</a> is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0279"> S0279 </a> </td> <td> <a href="/versions/v9/software/S0279"> Proton </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0279">Proton</a> is a macOS backdoor focusing on data theft and credential access.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0238"> S0238 </a> </td> <td> <a href="/versions/v9/software/S0238"> Proxysvc </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0238">Proxysvc</a> is a malicious DLL used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of <a href="/versions/v9/software/S0238">Proxysvc</a> is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0029"> S0029 </a> </td> <td> <a href="/versions/v9/software/S0029"> PsExec </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0029">PsExec</a> is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0078"> S0078 </a> </td> <td> <a href="/versions/v9/software/S0078"> Psylo </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0078">Psylo</a> is a shellcode-based Trojan that has been used by <a href="/versions/v9/groups/G0029">Scarlet Mimic</a>. It has characteristics similar to <a href="/versions/v9/software/S0076">FakeM</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0147"> S0147 </a> </td> <td> <a href="/versions/v9/software/S0147"> Pteranodon </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0147">Pteranodon</a> is a custom backdoor used by <a href="/versions/v9/groups/G0047">Gamaredon Group</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0196"> S0196 </a> </td> <td> <a href="/versions/v9/software/S0196"> PUNCHBUGGY </a> </td> <td> ShellTea </td> <td> <p><a href="/versions/v9/software/S0196">PUNCHBUGGY</a> is a backdoor malware used by <a href="/versions/v9/groups/G0061">FIN8</a> that has been observed targeting POS networks in the hospitality industry. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0197"> S0197 </a> </td> <td> <a href="/versions/v9/software/S0197"> PUNCHTRACK </a> </td> <td> PSVC </td> <td> <p><a href="/versions/v9/software/S0197">PUNCHTRACK</a> is non-persistent point of sale (POS) system malware utilized by <a href="/versions/v9/groups/G0061">FIN8</a> to scrape payment card data. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0192"> S0192 </a> </td> <td> <a href="/versions/v9/software/S0192"> Pupy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0192">Pupy</a> is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). <a href="/versions/v9/software/S0192">Pupy</a> is publicly available on GitHub. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0006"> S0006 </a> </td> <td> <a href="/versions/v9/software/S0006"> pwdump </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0006">pwdump</a> is a credential dumper. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0583"> S0583 </a> </td> <td> <a href="/versions/v9/software/S0583"> Pysa </a> </td> <td> Mespinoza </td> <td> <p><a href="/versions/v9/software/S0583">Pysa</a> is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0269"> S0269 </a> </td> <td> <a href="/versions/v9/software/S0269"> QUADAGENT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0269">QUADAGENT</a> is a PowerShell backdoor used by <a href="/versions/v9/groups/G0049">OilRig</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0262"> S0262 </a> </td> <td> <a href="/versions/v9/software/S0262"> QuasarRAT </a> </td> <td> xRAT </td> <td> <p><a href="/versions/v9/software/S0262">QuasarRAT</a> is an open-source, remote access tool that is publicly available on GitHub. <a href="/versions/v9/software/S0262">QuasarRAT</a> is developed in the C# language. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0481"> S0481 </a> </td> <td> <a href="/versions/v9/software/S0481"> Ragnar Locker </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0481">Ragnar Locker</a> is a ransomware that has been in use since at least December 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0565"> S0565 </a> </td> <td> <a href="/versions/v9/software/S0565"> Raindrop </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0565">Raindrop</a> is a loader used by <a href="/versions/v9/groups/G0016">APT29</a> that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. 
It was discovered in January 2021 and was likely used since at least May 2020.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0458"> S0458 </a> </td> <td> <a href="/versions/v9/software/S0458"> Ramsay </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0458">Ramsay</a> is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between <a href="/versions/v9/software/S0458">Ramsay</a> and the <a href="/versions/v9/groups/G0012">Darkhotel</a>-associated Retro malware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0055"> S0055 </a> </td> <td> <a href="/versions/v9/software/S0055"> RARSTONE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0055">RARSTONE</a> is malware used by the <a href="/versions/v9/groups/G0019">Naikon</a> group that has some characteristics similar to <a href="/versions/v9/software/S0013">PlugX</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0241"> S0241 </a> </td> <td> <a href="/versions/v9/software/S0241"> RATANKBA </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0241">RATANKBA</a> is a remote controller tool used by <a href="/versions/v9/groups/G0032">Lazarus Group</a>. <a href="/versions/v9/software/S0241">RATANKBA</a> has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. <a href="/versions/v9/software/S0241">RATANKBA</a> has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0364"> S0364 </a> </td> <td> <a href="/versions/v9/software/S0364"> RawDisk </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0364">RawDisk</a> is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0169"> S0169 </a> </td> <td> <a href="/versions/v9/software/S0169"> RawPOS </a> </td> <td> FIENDCRY, DUEBREW, DRIFTWOOD </td> <td> <p><a href="/versions/v9/software/S0169">RawPOS</a> is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0295"> S0295 </a> </td> <td> <a href="/versions/v9/software/S0295"> RCSAndroid </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0295">RCSAndroid</a> is Android malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0495"> S0495 </a> </td> <td> <a href="/versions/v9/software/S0495"> RDAT </a> </td> <td> RDAT </td> <td> <p><a href="/versions/v9/software/S0495">RDAT</a> is a backdoor used by the suspected Iranian threat group <a href="/versions/v9/groups/G0049">OilRig</a>. 
<a href="/versions/v9/software/S0495">RDAT</a> was originally identified in 2017 and targeted companies in the telecommunications sector.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0416"> S0416 </a> </td> <td> <a href="/versions/v9/software/S0416"> RDFSNIFFER </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0416">RDFSNIFFER</a> is a module loaded by <a href="/versions/v9/software/S0415">BOOSTWRITE</a> which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0172"> S0172 </a> </td> <td> <a href="/versions/v9/software/S0172"> Reaver </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0172">Reaver</a> is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of <a href="/versions/v9/techniques/T1218/002">Control Panel</a> items.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0539"> S0539 </a> </td> <td> <a href="/versions/v9/software/S0539"> Red Alert 2.0 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0539">Red Alert 2.0</a> is a banking trojan that masquerades as a VPN client. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0326"> S0326 </a> </td> <td> <a href="/versions/v9/software/S0326"> RedDrop </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0326">RedDrop</a> is an Android malware family that exfiltrates sensitive data from devices. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0153"> S0153 </a> </td> <td> <a href="/versions/v9/software/S0153"> RedLeaves </a> </td> <td> BUGJUICE </td> <td> <p><a href="/versions/v9/software/S0153">RedLeaves</a> is a malware family used by <a href="/versions/v9/groups/G0045">menuPass</a>. The code overlaps with <a href="/versions/v9/software/S0013">PlugX</a> and may be based upon the open source tool Trochilus. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0075"> S0075 </a> </td> <td> <a href="/versions/v9/software/S0075"> Reg </a> </td> <td> reg.exe </td> <td> <p><a href="/versions/v9/software/S0075">Reg</a> is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. </p><p>Utilities such as <a href="/versions/v9/software/S0075">Reg</a> are known to be used by persistent threats. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0511"> S0511 </a> </td> <td> <a href="/versions/v9/software/S0511"> RegDuke </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0511">RegDuke</a> is a first stage implant written in .NET and used by <a href="/versions/v9/groups/G0016">APT29</a> since at least 2017. <a href="/versions/v9/software/S0511">RegDuke</a> has been used to control a compromised machine when control of other implants on the machine was lost.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0019"> S0019 </a> </td> <td> <a href="/versions/v9/software/S0019"> Regin </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0019">Regin</a> is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some <a href="/versions/v9/software/S0019">Regin</a> timestamps date back to 2003. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0332"> S0332 </a> </td> <td> <a href="/versions/v9/software/S0332"> Remcos </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0332">Remcos</a> is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. <a href="/versions/v9/software/S0332">Remcos</a> has been observed being used in malware campaigns.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v9/software/S0375"> Remexi </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0375">Remexi</a> is a Windows-based Trojan that was developed in the C programming language.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0166"> S0166 </a> </td> <td> <a href="/versions/v9/software/S0166"> RemoteCMD </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0166">RemoteCMD</a> is a custom tool used by <a href="/versions/v9/groups/G0022">APT3</a> to execute commands on a remote system similar to SysInternal's PSEXEC functionality. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0592"> S0592 </a> </td> <td> <a href="/versions/v9/software/S0592"> RemoteUtilities </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0592">RemoteUtilities</a> is a legitimate remote administration tool that has been used by <a href="/versions/v9/groups/G0069">MuddyWater</a> since at least 2021 for execution on target machines.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0125"> S0125 </a> </td> <td> <a href="/versions/v9/software/S0125"> Remsec </a> </td> <td> Backdoor.Remsec, ProjectSauron </td> <td> <p><a href="/versions/v9/software/S0125">Remsec</a> is a modular backdoor that has been used by <a href="/versions/v9/groups/G0041">Strider</a> and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0174"> S0174 </a> </td> <td> <a href="/versions/v9/software/S0174"> Responder </a> </td> <td> </td> <td> <p>Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0379"> S0379 </a> </td> <td> <a href="/versions/v9/software/S0379"> Revenge RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0379">Revenge RAT</a> is a freely available remote access tool written in .NET (C#).</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v9/software/S0496"> REvil </a> </td> <td> Sodin, Sodinokibi </td> <td> <p><a href="/versions/v9/software/S0496">REvil</a> is a ransomware family that has been linked to the <a href="/versions/v9/groups/G0115">GOLD SOUTHFIELD</a> group and operated as ransomware-as-a-service (RaaS) since at least April 2019. <a href="/versions/v9/software/S0496">REvil</a> is highly configurable and shares code similarities with the GandCrab RaaS.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0258"> S0258 </a> </td> <td> <a href="/versions/v9/software/S0258"> RGDoor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0258">RGDoor</a> is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. <a href="/versions/v9/software/S0258">RGDoor</a> has been seen deployed on web servers belonging to Middle East government organizations. <a href="/versions/v9/software/S0258">RGDoor</a> provides backdoor access to compromised IIS servers. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0433"> S0433 </a> </td> <td> <a href="/versions/v9/software/S0433"> Rifdoor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0433">Rifdoor</a> is a remote access trojan (RAT) that shares numerous code similarities with <a href="/versions/v9/software/S0431">HotCroissant</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0403"> S0403 </a> </td> <td> <a href="/versions/v9/software/S0403"> Riltok </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0403">Riltok</a> is banking malware that uses phishing popups to collect user credentials.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0003"> S0003 </a> </td> <td> <a href="/versions/v9/software/S0003"> RIPTIDE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0003">RIPTIDE</a> is a proxy-aware backdoor used by <a href="/versions/v9/groups/G0005">APT12</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0448"> S0448 </a> </td> <td> <a href="/versions/v9/software/S0448"> Rising Sun </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0448">Rising Sun</a> is a modular backdoor malware used extensively in Operation <a href="/versions/v9/groups/G0104">Sharpshooter</a>. The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. 
<a href="/versions/v9/software/S0448">Rising Sun</a> uses source code from <a href="/versions/v9/groups/G0032">Lazarus Group</a>'s Trojan Duuzer.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0400"> S0400 </a> </td> <td> <a href="/versions/v9/software/S0400"> RobbinHood </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0400">RobbinHood</a> is ransomware that was first observed being used in an attack against the Baltimore city government's computer network.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0112"> S0112 </a> </td> <td> <a href="/versions/v9/software/S0112"> ROCKBOOT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0112">ROCKBOOT</a> is a <a href="/versions/v9/techniques/T1542/003">Bootkit</a> that has been used by an unidentified, suspected China-based group. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0270"> S0270 </a> </td> <td> <a href="/versions/v9/software/S0270"> RogueRobin </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0270">RogueRobin</a> is a payload used by <a href="/versions/v9/groups/G0079">DarkHydrus</a> that has been developed in PowerShell and C#. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0240"> S0240 </a> </td> <td> <a href="/versions/v9/software/S0240"> ROKRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0240">ROKRAT</a> is a cloud-based remote access tool (RAT) used by <a href="/versions/v9/groups/G0067">APT37</a>. This software has been used to target victims in South Korea. <a href="/versions/v9/groups/G0067">APT37</a> used ROKRAT during several campaigns in 2016 through 2018. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0411"> S0411 </a> </td> <td> <a href="/versions/v9/software/S0411"> Rotexy </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0411">Rotexy</a> is an Android banking malware that has evolved over several years. 
It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0103"> S0103 </a> </td> <td> <a href="/versions/v9/software/S0103"> route </a> </td> <td> route.exe </td> <td> <p><a href="/versions/v9/software/S0103">route</a> can be used to find or change information within the local system IP routing table. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0090"> S0090 </a> </td> <td> <a href="/versions/v9/software/S0090"> Rover </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0090">Rover</a> is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0148"> S0148 </a> </td> <td> <a href="/versions/v9/software/S0148"> RTM </a> </td> <td> Redaman </td> <td> <p><a href="/versions/v9/software/S0148">RTM</a> is custom malware written in Delphi. It is used by the group of the same name (<a href="/versions/v9/groups/G0048">RTM</a>). Newer versions of the malware have been reported publicly as Redaman.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0358"> S0358 </a> </td> <td> <a href="/versions/v9/software/S0358"> Ruler </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0358">Ruler</a> is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of <a href="/versions/v9/software/S0358">Ruler</a> have also released a defensive tool, NotRuler, to detect its usage.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0313"> S0313 </a> </td> <td> <a href="/versions/v9/software/S0313"> RuMMS </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0313">RuMMS</a> is an Android malware family. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0253"> S0253 </a> </td> <td> <a href="/versions/v9/software/S0253"> RunningRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0253">RunningRAT</a> is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with <a href="/versions/v9/software/S0249">Gold Dragon</a> and <a href="/versions/v9/software/S0252">Brave Prince</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0446"> S0446 </a> </td> <td> <a href="/versions/v9/software/S0446"> Ryuk </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0446">Ryuk</a> is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. <a href="/versions/v9/software/S0446">Ryuk</a> shares code similarities with Hermes ransomware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0085"> S0085 </a> </td> <td> <a href="/versions/v9/software/S0085"> S-Type </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0085">S-Type</a> is a backdoor that was used by <a href="/versions/v9/groups/G0031">Dust Storm</a> from 2013 to 2014. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0074"> S0074 </a> </td> <td> <a href="/versions/v9/software/S0074"> Sakula </a> </td> <td> Sakurel, VIPER </td> <td> <p><a href="/versions/v9/software/S0074">Sakula</a> is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0370"> S0370 </a> </td> <td> <a href="/versions/v9/software/S0370"> SamSam </a> </td> <td> Samas </td> <td> <p><a href="/versions/v9/software/S0370">SamSam</a> is ransomware that appeared in early 2016. 
Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0111"> S0111 </a> </td> <td> <a href="/versions/v9/software/S0111"> schtasks </a> </td> <td> schtasks.exe </td> <td> <p><a href="/versions/v9/software/S0111">schtasks</a> is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0461"> S0461 </a> </td> <td> <a href="/versions/v9/software/S0461"> SDBbot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0461">SDBbot</a> is a backdoor with installer and loader components that has been used by <a href="/versions/v9/groups/G0092">TA505</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0195"> S0195 </a> </td> <td> <a href="/versions/v9/software/S0195"> SDelete </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0195">SDelete</a> is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0053"> S0053 </a> </td> <td> <a href="/versions/v9/software/S0053"> SeaDuke </a> </td> <td> SeaDaddy, SeaDesk </td> <td> <p><a href="/versions/v9/software/S0053">SeaDuke</a> is malware that was used by <a href="/versions/v9/groups/G0016">APT29</a> from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with <a href="/versions/v9/software/S0046">CozyCar</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0345"> S0345 </a> </td> <td> <a href="/versions/v9/software/S0345"> Seasalt </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0345">Seasalt</a> is malware that has been linked to <a href="/versions/v9/groups/G0006">APT1</a>'s 2010 operations. 
It shares some code similarities with <a href="/versions/v9/software/S0346">OceanSalt</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0185"> S0185 </a> </td> <td> <a href="/versions/v9/software/S0185"> SEASHARPEE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0185">SEASHARPEE</a> is a Web shell that has been used by <a href="/versions/v9/groups/G0049">OilRig</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0382"> S0382 </a> </td> <td> <a href="/versions/v9/software/S0382"> ServHelper </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0382">ServHelper</a> is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0596"> S0596 </a> </td> <td> <a href="/versions/v9/software/S0596"> ShadowPad </a> </td> <td> POISONPLUG.SHADOW </td> <td> <p><a href="/versions/v9/software/S0596">ShadowPad</a> is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by <a href="/versions/v9/groups/G0096">APT41</a>, but has since been observed to be used by various Chinese threat activity groups. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0140"> S0140 </a> </td> <td> <a href="/versions/v9/software/S0140"> Shamoon </a> </td> <td> Disttrack </td> <td> <p><a href="/versions/v9/software/S0140">Shamoon</a> is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. <a href="/versions/v9/software/S0140">Shamoon</a> has also been seen leveraging <a href="/versions/v9/software/S0364">RawDisk</a> and Filerase to carry out data wiping tasks. 
The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0546"> S0546 </a> </td> <td> <a href="/versions/v9/software/S0546"> SharpStage </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0546">SharpStage</a> is a .NET malware with backdoor capabilities.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0450"> S0450 </a> </td> <td> <a href="/versions/v9/software/S0450"> SHARPSTATS </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0450">SHARPSTATS</a> is a .NET backdoor used by <a href="/versions/v9/groups/G0069">MuddyWater</a> since at least 2019.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0294"> S0294 </a> </td> <td> <a href="/versions/v9/software/S0294"> ShiftyBug </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0294">ShiftyBug</a> is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0444"> S0444 </a> </td> <td> <a href="/versions/v9/software/S0444"> ShimRat </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0444">ShimRat</a> has been used by the suspected China-based adversary <a href="/versions/v9/groups/G0103">Mofang</a> in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "<a href="/versions/v9/software/S0444">ShimRat</a>" comes from the malware's extensive use of Windows Application Shimming to maintain persistence. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0445"> S0445 </a> </td> <td> <a href="/versions/v9/software/S0445"> ShimRatReporter </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0445">ShimRatReporter</a> is a tool used by suspected Chinese adversary <a href="/versions/v9/groups/G0103">Mofang</a> to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as <a href="/versions/v9/software/S0444">ShimRat</a>) as well as set up faux infrastructure which mimics the adversary's targets. <a href="/versions/v9/software/S0445">ShimRatReporter</a> has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0028"> S0028 </a> </td> <td> <a href="/versions/v9/software/S0028"> SHIPSHAPE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0028">SHIPSHAPE</a> is malware developed by <a href="/versions/v9/groups/G0013">APT30</a> that allows propagation and exfiltration of data over removable devices. <a href="/versions/v9/groups/G0013">APT30</a> may use this capability to exfiltrate data across air-gaps. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0063"> S0063 </a> </td> <td> <a href="/versions/v9/software/S0063"> SHOTPUT </a> </td> <td> Backdoor.APT.CookieCutter, Pirpi </td> <td> <p><a href="/versions/v9/software/S0063">SHOTPUT</a> is a custom backdoor used by <a href="/versions/v9/groups/G0022">APT3</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0217"> S0217 </a> </td> <td> <a href="/versions/v9/software/S0217"> SHUTTERSPEED </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0217">SHUTTERSPEED</a> is a backdoor used by <a href="/versions/v9/groups/G0067">APT37</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0589"> S0589 </a> </td> <td> <a href="/versions/v9/software/S0589"> Sibot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0589">Sibot</a> is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three <a href="/versions/v9/software/S0589">Sibot</a> variants in early 2021 during its investigation of <a href="/versions/v9/groups/G0016">APT29</a> and the SolarWinds cyber intrusion campaign.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0549"> S0549 </a> </td> <td> <a href="/versions/v9/software/S0549"> SilkBean </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0549">SilkBean</a> is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0419"> S0419 </a> </td> <td> <a href="/versions/v9/software/S0419"> SimBad </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0419">SimBad</a> was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0007"> S0007 </a> </td> <td> <a href="/versions/v9/software/S0007"> Skeleton Key </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0007">Skeleton Key</a> is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. 
Functionality similar to <a href="/versions/v9/software/S0007">Skeleton Key</a> is included as a module in <a href="/versions/v9/software/S0002">Mimikatz</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0468"> S0468 </a> </td> <td> <a href="/versions/v9/software/S0468"> Skidmap </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0468">Skidmap</a> is a kernel-mode rootkit used for cryptocurrency mining.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0327"> S0327 </a> </td> <td> <a href="/versions/v9/software/S0327"> Skygofree </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0327">Skygofree</a> is Android spyware that is believed to have been developed in 2014 and used through at least 2017. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0533"> S0533 </a> </td> <td> <a href="/versions/v9/software/S0533"> SLOTHFULMEDIA </a> </td> <td> JackOfHearts, QueenOfClubs </td> <td> <p><a href="/versions/v9/software/S0533">SLOTHFULMEDIA</a> is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017. It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe. </p><p>In October 2020, Kaspersky Labs assessed <a href="/versions/v9/software/S0533">SLOTHFULMEDIA</a> is part of an activity cluster it refers to as "IAmTheKing". ESET also noted code similarity between <a href="/versions/v9/software/S0533">SLOTHFULMEDIA</a> and droppers used by a group it refers to as "PowerPool". </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0218"> S0218 </a> </td> <td> <a href="/versions/v9/software/S0218"> SLOWDRIFT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0218">SLOWDRIFT</a> is a backdoor used by <a href="/versions/v9/groups/G0067">APT37</a> against academic and strategic victims in South Korea. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0226"> S0226 </a> </td> <td> <a href="/versions/v9/software/S0226"> Smoke Loader </a> </td> <td> Dofoil </td> <td> <p><a href="/versions/v9/software/S0226">Smoke Loader</a> is a malicious bot application that can be used to load other malware. <a href="/versions/v9/software/S0226">Smoke Loader</a> has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0159"> S0159 </a> </td> <td> <a href="/versions/v9/software/S0159"> SNUGRIDE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0159">SNUGRIDE</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0045">menuPass</a> as first-stage malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0273"> S0273 </a> </td> <td> <a href="/versions/v9/software/S0273"> Socksbot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0273">Socksbot</a> is a backdoor that abuses Socket Secure (SOCKS) proxies. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0516"> S0516 </a> </td> <td> <a href="/versions/v9/software/S0516"> SoreFang </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0516">SoreFang</a> is a first-stage downloader used by <a href="/versions/v9/groups/G0016">APT29</a> for exfiltration and to load other malware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0157"> S0157 </a> </td> <td> <a href="/versions/v9/software/S0157"> SOUNDBITE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0157">SOUNDBITE</a> is a signature backdoor used by <a href="/versions/v9/groups/G0050">APT32</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0035"> S0035 </a> </td> <td> <a href="/versions/v9/software/S0035"> SPACESHIP </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0035">SPACESHIP</a> is malware developed by <a href="/versions/v9/groups/G0013">APT30</a> that allows propagation and exfiltration of data over removable devices. <a href="/versions/v9/groups/G0013">APT30</a> may use this capability to exfiltrate data across air-gaps. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0543"> S0543 </a> </td> <td> <a href="/versions/v9/software/S0543"> Spark </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0543">Spark</a> is a Windows backdoor and has been in use since as early as 2017. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0374"> S0374 </a> </td> <td> <a href="/versions/v9/software/S0374"> SpeakUp </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0374">SpeakUp</a> is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0227"> S0227 </a> </td> <td> <a href="/versions/v9/software/S0227"> spwebmember </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0227">spwebmember</a> is a Microsoft SharePoint enumeration and data dumping tool written in .NET. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0324"> S0324 </a> </td> <td> <a href="/versions/v9/software/S0324"> SpyDealer </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0324">SpyDealer</a> is Android malware that exfiltrates sensitive data from Android devices. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0305"> S0305 </a> </td> <td> <a href="/versions/v9/software/S0305"> SpyNote RAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0305">SpyNote RAT</a> (Remote Access Trojan) is a family of malicious Android apps. 
The <a href="/versions/v9/software/S0305">SpyNote RAT</a> builder tool can be used to develop malicious apps with the malware's functionality. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0225"> S0225 </a> </td> <td> <a href="/versions/v9/software/S0225"> sqlmap </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0225">sqlmap</a> is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0390"> S0390 </a> </td> <td> <a href="/versions/v9/software/S0390"> SQLRat </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0390">SQLRat</a> is malware that executes SQL scripts to avoid leaving traditional host artifacts. <a href="/versions/v9/groups/G0046">FIN7</a> has been observed using it.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0058"> S0058 </a> </td> <td> <a href="/versions/v9/software/S0058"> SslMM </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0058">SslMM</a> is a full-featured backdoor used by <a href="/versions/v9/groups/G0019">Naikon</a> that has multiple variants. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0188"> S0188 </a> </td> <td> <a href="/versions/v9/software/S0188"> Starloader </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0188">Starloader</a> is a loader component that has been observed loading <a href="/versions/v9/software/S0171">Felismus</a> and associated tools. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0328"> S0328 </a> </td> <td> <a href="/versions/v9/software/S0328"> Stealth Mango </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0328">Stealth Mango</a> is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. 
The iOS malware known as <a href="/versions/v9/software/S0329">Tangelo</a> is believed to be from the same developer. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0380"> S0380 </a> </td> <td> <a href="/versions/v9/software/S0380"> StoneDrill </a> </td> <td> DROPSHOT </td> <td> <p><a href="/versions/v9/software/S0380">StoneDrill</a> is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with <a href="/versions/v9/groups/G0064">APT33</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0142"> S0142 </a> </td> <td> <a href="/versions/v9/software/S0142"> StreamEx </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0142">StreamEx</a> is a malware family that has been used by <a href="/versions/v9/groups/G0009">Deep Panda</a> since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0491"> S0491 </a> </td> <td> <a href="/versions/v9/software/S0491"> StrongPity </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0491">StrongPity</a> is an information stealing malware used by <a href="/versions/v9/groups/G0056">PROMETHIUM</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0559"> S0559 </a> </td> <td> <a href="/versions/v9/software/S0559"> SUNBURST </a> </td> <td> Solorigate </td> <td> <p><a href="/versions/v9/software/S0559">SUNBURST</a> is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. 
It was used by <a href="/versions/v9/groups/G0016">APT29</a> since at least February 2020.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0562"> S0562 </a> </td> <td> <a href="/versions/v9/software/S0562"> SUNSPOT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0562">SUNSPOT</a> is an implant that injected the <a href="/versions/v9/software/S0559">SUNBURST</a> backdoor into the SolarWinds Orion software update framework. It was used by <a href="/versions/v9/groups/G0016">APT29</a> since at least February 2020. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0578"> S0578 </a> </td> <td> <a href="/versions/v9/software/S0578"> SUPERNOVA </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0578">SUPERNOVA</a> is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of <a href="/versions/v9/groups/G0016">APT29</a>'s SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests <a href="/versions/v9/software/S0578">SUPERNOVA</a> may have been used by the China-based threat group SPIRAL.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0018"> S0018 </a> </td> <td> <a href="/versions/v9/software/S0018"> Sykipot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0018">Sykipot</a> is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of <a href="/versions/v9/software/S0018">Sykipot</a> hijacks smart cards on victims. The group using this malware has also been referred to as Sykipot. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0242"> S0242 </a> </td> <td> <a href="/versions/v9/software/S0242"> SynAck </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0242">SynAck</a> is a variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0519"> S0519 </a> </td> <td> <a href="/versions/v9/software/S0519"> SYNful Knock </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0519">SYNful Knock</a> is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim's network and provide new capabilities to the adversary.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0060"> S0060 </a> </td> <td> <a href="/versions/v9/software/S0060"> Sys10 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0060">Sys10</a> is a backdoor that was used throughout 2013 by <a href="/versions/v9/groups/G0019">Naikon</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0464"> S0464 </a> </td> <td> <a href="/versions/v9/software/S0464"> SYSCON </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0464">SYSCON</a> is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. <a href="/versions/v9/software/S0464">SYSCON</a> has been delivered by the <a href="/versions/v9/software/S0465">CARROTBALL</a> and <a href="/versions/v9/software/S0462">CARROTBAT</a> droppers.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0096"> S0096 </a> </td> <td> <a href="/versions/v9/software/S0096"> Systeminfo </a> </td> <td> Systeminfo </td> <td> <p><a href="/versions/v9/software/S0096">Systeminfo</a> is a Windows utility that can be used to gather detailed information about a computer. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0098"> S0098 </a> </td> <td> <a href="/versions/v9/software/S0098"> T9000 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0098">T9000</a> is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. 
It has been used in multiple targeted attacks against U.S.-based organizations. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0011"> S0011 </a> </td> <td> <a href="/versions/v9/software/S0011"> Taidoor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0011">Taidoor</a> is malware that has been used since at least 2010, primarily to target Taiwanese government organizations. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0586"> S0586 </a> </td> <td> <a href="/versions/v9/software/S0586"> TAINTEDSCRIBE </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0586">TAINTEDSCRIBE</a> is a fully-featured beaconing implant integrated with command modules used by <a href="/versions/v9/groups/G0032">Lazarus Group</a>. It was first reported in May 2020.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0467"> S0467 </a> </td> <td> <a href="/versions/v9/software/S0467"> TajMahal </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0467">TajMahal</a> is a multifunctional spying framework that has been in use since at least 2014. <a href="/versions/v9/software/S0467">TajMahal</a> is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0329"> S0329 </a> </td> <td> <a href="/versions/v9/software/S0329"> Tangelo </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0329">Tangelo</a> is iOS malware that is believed to be from the same developers as the <a href="/versions/v9/software/S0328">Stealth Mango</a> Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0057"> S0057 </a> </td> <td> <a href="/versions/v9/software/S0057"> Tasklist </a> </td> <td> </td> <td> <p>The <a href="/versions/v9/software/S0057">Tasklist</a> utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0164"> S0164 </a> </td> <td> <a href="/versions/v9/software/S0164"> TDTESS </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0164">TDTESS</a> is a 64-bit .NET binary backdoor used by <a href="/versions/v9/groups/G0052">CopyKittens</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0560"> S0560 </a> </td> <td> <a href="/versions/v9/software/S0560"> TEARDROP </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0560">TEARDROP</a> is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by <a href="/versions/v9/groups/G0016">APT29</a> since at least May 2020.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0545"> S0545 </a> </td> <td> <a href="/versions/v9/software/S0545"> TERRACOTTA </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0545">TERRACOTTA</a> is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0146"> S0146 </a> </td> <td> <a href="/versions/v9/software/S0146"> TEXTMATE </a> </td> <td> DNSMessenger </td> <td> <p><a href="/versions/v9/software/S0146">TEXTMATE</a> is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with <a href="/versions/v9/software/S0145">POWERSOURCE</a> in February 2017. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0595"> S0595 </a> </td> <td> <a href="/versions/v9/software/S0595"> ThiefQuest </a> </td> <td> MacRansom.K, EvilQuest </td> <td> <p><a href="/versions/v9/software/S0595">ThiefQuest</a> is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. <a href="/versions/v9/software/S0595">ThiefQuest</a> was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links. Even though <a href="/versions/v9/software/S0595">ThiefQuest</a> presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0558"> S0558 </a> </td> <td> <a href="/versions/v9/software/S0558"> Tiktok Pro </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0558">Tiktok Pro</a> is spyware that has been masquerading as the TikTok application.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0131"> S0131 </a> </td> <td> <a href="/versions/v9/software/S0131"> TINYTYPHON </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0131">TINYTYPHON</a> is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0004"> S0004 </a> </td> <td> <a href="/versions/v9/software/S0004"> TinyZBot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0004">TinyZBot</a> is a bot written in C# that was developed by <a href="/versions/v9/groups/G0003">Cleaver</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0183"> S0183 </a> </td> <td> <a href="/versions/v9/software/S0183"> Tor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0183">Tor</a> is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. <a href="/versions/v9/software/S0183">Tor</a> utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0424"> S0424 </a> </td> <td> <a href="/versions/v9/software/S0424"> Triada </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0424">Triada</a> was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v9/software/S0266"> TrickBot </a> </td> <td> Totbrick, TSPY_TRICKLOAD </td> <td> <p><a href="/versions/v9/software/S0266">TrickBot</a> is a Trojan spyware program that has mainly been used for targeting banking sites in the United States, Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to <a href="/versions/v9/software/S0024">Dyre</a>. <a href="/versions/v9/software/S0266">TrickBot</a> is developed in the C++ programming language. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0427"> S0427 </a> </td> <td> <a href="/versions/v9/software/S0427"> TrickMo </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0427">TrickMo</a> is a 2FA bypass mobile banking trojan, most likely being distributed by <a href="/versions/v9/software/S0266">TrickBot</a>. <a href="/versions/v9/software/S0427">TrickMo</a> has been primarily targeting users located in Germany.</p><p><a href="/versions/v9/software/S0427">TrickMo</a> is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0307"> S0307 </a> </td> <td> <a href="/versions/v9/software/S0307"> Trojan-SMS.AndroidOS.Agent.ao </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0307">Trojan-SMS.AndroidOS.Agent.ao</a> is Android malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0306"> S0306 </a> </td> <td> <a href="/versions/v9/software/S0306"> Trojan-SMS.AndroidOS.FakeInst.a </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0306">Trojan-SMS.AndroidOS.FakeInst.a</a> is Android malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0308"> S0308 </a> </td> <td> <a href="/versions/v9/software/S0308"> Trojan-SMS.AndroidOS.OpFake.a </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0308">Trojan-SMS.AndroidOS.OpFake.a</a> is Android malware. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0094"> S0094 </a> </td> <td> <a href="/versions/v9/software/S0094"> Trojan.Karagany </a> </td> <td> xFrost, Karagany </td> <td> <p><a href="/versions/v9/software/S0094">Trojan.Karagany</a> is a modular remote access tool used for recon and linked to <a href="/versions/v9/groups/G0035">Dragonfly</a> and <a href="/versions/v9/groups/G0074">Dragonfly 2.0</a>. 
The source code for <a href="/versions/v9/software/S0094">Trojan.Karagany</a> originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0001"> S0001 </a> </td> <td> <a href="/versions/v9/software/S0001"> Trojan.Mebromi </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0001">Trojan.Mebromi</a> is BIOS-level malware that takes control of the victim before MBR. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0178"> S0178 </a> </td> <td> <a href="/versions/v9/software/S0178"> Truvasys </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0178">Truvasys</a> is first-stage malware that has been used by <a href="/versions/v9/groups/G0056">PROMETHIUM</a>. It is a collection of modules written in the Delphi programming language. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0436"> S0436 </a> </td> <td> <a href="/versions/v9/software/S0436"> TSCookie </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0436">TSCookie</a> is a remote access tool (RAT) that has been used by <a href="/versions/v9/groups/G0098">BlackTech</a> in campaigns against Japanese targets. <a href="/versions/v9/software/S0436">TSCookie</a> has been referred to as <a href="/versions/v9/software/S0435">PLEAD</a> though more recent reporting indicates a separation between the two.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0199"> S0199 </a> </td> <td> <a href="/versions/v9/software/S0199"> TURNEDUP </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0199">TURNEDUP</a> is a non-public backdoor. It has been dropped by <a href="/versions/v9/groups/G0064">APT33</a>'s <a href="/versions/v9/software/S0380">StoneDrill</a> malware. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0302"> S0302 </a> </td> <td> <a href="/versions/v9/software/S0302"> Twitoor </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0302">Twitoor</a> is a dropper application capable of receiving commands from social media.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0263"> S0263 </a> </td> <td> <a href="/versions/v9/software/S0263"> TYPEFRAME </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0263">TYPEFRAME</a> is a remote access tool that has been used by <a href="/versions/v9/groups/G0032">Lazarus Group</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0116"> S0116 </a> </td> <td> <a href="/versions/v9/software/S0116"> UACMe </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0116">UACMe</a> is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0333"> S0333 </a> </td> <td> <a href="/versions/v9/software/S0333"> UBoatRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0333">UBoatRAT</a> is a remote access tool that was identified in May 2017.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0221"> S0221 </a> </td> <td> <a href="/versions/v9/software/S0221"> Umbreon </a> </td> <td> </td> <td> <p>A Linux rootkit that provides backdoor access and hides from defenders.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0130"> S0130 </a> </td> <td> <a href="/versions/v9/software/S0130"> Unknown Logger </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0130">Unknown Logger</a> is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0275"> S0275 </a> </td> <td> <a href="/versions/v9/software/S0275"> UPPERCUT </a> </td> <td> ANEL </td> <td> <p><a href="/versions/v9/software/S0275">UPPERCUT</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0045">menuPass</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0022"> S0022 </a> </td> <td> <a href="/versions/v9/software/S0022"> Uroburos </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0022">Uroburos</a> is a rootkit used by <a href="/versions/v9/groups/G0010">Turla</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v9/software/S0386"> Ursnif </a> </td> <td> Gozi-ISFB, PE_URSNIF, Dreambot </td> <td> <p><a href="/versions/v9/software/S0386">Ursnif</a> is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, <a href="/versions/v9/techniques/T1566/001">Spearphishing Attachment</a>s, and malicious links. <a href="/versions/v9/software/S0386">Ursnif</a> is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0452"> S0452 </a> </td> <td> <a href="/versions/v9/software/S0452"> USBferry </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0452">USBferry</a> is an information stealing malware and has been used by <a href="/versions/v9/groups/G0081">Tropic Trooper</a> in targeted attacks against Taiwanese and Philippine air-gapped military environments. 
<a href="/versions/v9/software/S0452">USBferry</a> shares an overlapping codebase with <a href="/versions/v9/software/S0388">YAHOYAH</a>, though it has several features which make it a distinct piece of malware.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0136"> S0136 </a> </td> <td> <a href="/versions/v9/software/S0136"> USBStealer </a> </td> <td> USB Stealer, Win32/USBStealer </td> <td> <p><a href="/versions/v9/software/S0136">USBStealer</a> is malware that has been used by <a href="/versions/v9/groups/G0007">APT28</a> since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with <a href="/versions/v9/software/S0045">ADVSTORESHELL</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v9/software/S0476"> Valak </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0476">Valak</a> is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0207"> S0207 </a> </td> <td> <a href="/versions/v9/software/S0207"> Vasport </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0207">Vasport</a> is a trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor on compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0442"> S0442 </a> </td> <td> <a href="/versions/v9/software/S0442"> VBShower </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0442">VBShower</a> is a backdoor that has been used by <a href="/versions/v9/groups/G0100">Inception</a> since at least 2019. 
<a href="/versions/v9/software/S0442">VBShower</a> has been used as a downloader for second stage payloads, including <a href="/versions/v9/software/S0441">PowerShower</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0257"> S0257 </a> </td> <td> <a href="/versions/v9/software/S0257"> VERMIN </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0257">VERMIN</a> is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0418"> S0418 </a> </td> <td> <a href="/versions/v9/software/S0418"> ViceLeaker </a> </td> <td> Triout </td> <td> <p><a href="/versions/v9/software/S0418">ViceLeaker</a> is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0506"> S0506 </a> </td> <td> <a href="/versions/v9/software/S0506"> ViperRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0506">ViperRAT</a> is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0180"> S0180 </a> </td> <td> <a href="/versions/v9/software/S0180"> Volgmer </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0180">Volgmer</a> is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0366"> S0366 </a> </td> <td> <a href="/versions/v9/software/S0366"> WannaCry </a> </td> <td> WanaCry, WanaCrypt, WanaCrypt0r, WCry </td> <td> <p><a href="/versions/v9/software/S0366">WannaCry</a> is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0579"> S0579 </a> </td> <td> <a href="/versions/v9/software/S0579"> Waterbear </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0579">Waterbear</a> is modular malware attributed to <a href="/versions/v9/groups/G0098">BlackTech</a> that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0109"> S0109 </a> </td> <td> <a href="/versions/v9/software/S0109"> WEBC2 </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0109">WEBC2</a> is a family of backdoor malware used by <a href="/versions/v9/groups/G0006">APT1</a> as early as July 2006. <a href="/versions/v9/software/S0109">WEBC2</a> backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0515"> S0515 </a> </td> <td> <a href="/versions/v9/software/S0515"> WellMail </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0515">WellMail</a> is lightweight malware written in Golang used by <a href="/versions/v9/groups/G0016">APT29</a>, similar in design and structure to <a href="/versions/v9/software/S0514">WellMess</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0514"> S0514 </a> </td> <td> <a href="/versions/v9/software/S0514"> WellMess </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0514">WellMess</a> is a lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by <a href="/versions/v9/groups/G0016">APT29</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0206"> S0206 </a> </td> <td> <a href="/versions/v9/software/S0206"> Wiarp </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0206">Wiarp</a> is a trojan used by <a href="/versions/v9/groups/G0066">Elderwood</a> to open a backdoor on compromised hosts. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0005"> S0005 </a> </td> <td> <a href="/versions/v9/software/S0005"> Windows Credential Editor </a> </td> <td> WCE </td> <td> <p><a href="/versions/v9/software/S0005">Windows Credential Editor</a> is a password dumping tool. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0155"> S0155 </a> </td> <td> <a href="/versions/v9/software/S0155"> WINDSHIELD </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0155">WINDSHIELD</a> is a signature backdoor used by <a href="/versions/v9/groups/G0050">APT32</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0466"> S0466 </a> </td> <td> <a href="/versions/v9/software/S0466"> WindTail </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0466">WindTail</a> is a macOS surveillance implant used by <a href="/versions/v9/groups/G0112">Windshift</a>. 
<a href="/versions/v9/software/S0466">WindTail</a> shares code similarities with Hack Back aka KitM OSX.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0219"> S0219 </a> </td> <td> <a href="/versions/v9/software/S0219"> WINERACK </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0219">WINERACK</a> is a backdoor used by <a href="/versions/v9/groups/G0067">APT37</a>. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0191"> S0191 </a> </td> <td> <a href="/versions/v9/software/S0191"> Winexe </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0191">Winexe</a> is a lightweight, open source tool similar to <a href="/versions/v9/software/S0029">PsExec</a> designed to allow system administrators to execute commands on remote servers. <a href="/versions/v9/software/S0191">Winexe</a> is unique in that it is a GNU/Linux based client. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0176"> S0176 </a> </td> <td> <a href="/versions/v9/software/S0176"> Wingbird </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0176">Wingbird</a> is a backdoor that appears to be a version of commercial software <a href="/versions/v9/software/S0182">FinFisher</a>. It is reportedly used to attack individual computers instead of networks. It was used by <a href="/versions/v9/groups/G0055">NEODYMIUM</a> in a May 2016 campaign. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0059"> S0059 </a> </td> <td> <a href="/versions/v9/software/S0059"> WinMM </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0059">WinMM</a> is a full-featured, simple backdoor used by <a href="/versions/v9/groups/G0019">Naikon</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0430"> S0430 </a> </td> <td> <a href="/versions/v9/software/S0430"> Winnti for Linux </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0430">Winnti for Linux</a> is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including <a href="/versions/v9/groups/G0044">Winnti Group</a>. The Windows variant is tracked separately under <a href="/versions/v9/software/S0141">Winnti for Windows</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0141"> S0141 </a> </td> <td> <a href="/versions/v9/software/S0141"> Winnti for Windows </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0141">Winnti for Windows</a> is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, <a href="/versions/v9/groups/G0044">Winnti Group</a>; however, reporting indicates a second distinct group, <a href="/versions/v9/groups/G0001">Axiom</a>, also uses the malware. The Linux variant is tracked separately under <a href="/versions/v9/software/S0430">Winnti for Linux</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0041"> S0041 </a> </td> <td> <a href="/versions/v9/software/S0041"> Wiper </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0041">Wiper</a> is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0312"> S0312 </a> </td> <td> <a href="/versions/v9/software/S0312"> WireLurker </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0312">WireLurker</a> is a family of macOS malware that targets iOS devices connected over USB. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0489"> S0489 </a> </td> <td> <a href="/versions/v9/software/S0489"> WolfRAT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0489">WolfRAT</a> is malware based on a leaked version of <a href="/versions/v9/software/S0301">Dendroid</a> that has primarily targeted Thai users. <a href="/versions/v9/software/S0489">WolfRAT</a> has most likely been operated by the now defunct organization Wolf Research. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0314"> S0314 </a> </td> <td> <a href="/versions/v9/software/S0314"> X-Agent for Android </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0314">X-Agent for Android</a> is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. It is tracked separately from <a href="/versions/v9/software/S0023">CHOPSTICK</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0161"> S0161 </a> </td> <td> <a href="/versions/v9/software/S0161"> XAgentOSX </a> </td> <td> OSX.Sofacy </td> <td> <p><a href="/versions/v9/software/S0161">XAgentOSX</a> is a trojan that has been used by <a href="/versions/v9/groups/G0007">APT28</a> on OS X and appears to be a port of their standard <a href="/versions/v9/software/S0023">CHOPSTICK</a> or XAgent trojan. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0341"> S0341 </a> </td> <td> <a href="/versions/v9/software/S0341"> Xbash </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0341">Xbash</a> is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. 
<a href="/versions/v9/software/S0341">Xbash</a> was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0298"> S0298 </a> </td> <td> <a href="/versions/v9/software/S0298"> Xbot </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0298">Xbot</a> is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0123"> S0123 </a> </td> <td> <a href="/versions/v9/software/S0123"> xCmd </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0123">xCmd</a> is an open source tool that is similar to <a href="/versions/v9/software/S0029">PsExec</a> and allows the user to execute applications on remote systems. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0297"> S0297 </a> </td> <td> <a href="/versions/v9/software/S0297"> XcodeGhost </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0297">XcodeGhost</a> is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0318"> S0318 </a> </td> <td> <a href="/versions/v9/software/S0318"> XLoader for Android </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0318">XLoader for Android</a> is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application. 
It is tracked separately from <a href="/versions/v9/software/S0490">XLoader for iOS</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0490"> S0490 </a> </td> <td> <a href="/versions/v9/software/S0490"> XLoader for iOS </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0490">XLoader for iOS</a> is a malicious iOS application that is capable of gathering system information. It is tracked separately from <a href="/versions/v9/software/S0318">XLoader for Android</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0117"> S0117 </a> </td> <td> <a href="/versions/v9/software/S0117"> XTunnel </a> </td> <td> Trojan.Shunnael, X-Tunnel, XAPS </td> <td> <p><a href="/versions/v9/software/S0117">XTunnel</a> is a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by <a href="/versions/v9/groups/G0007">APT28</a> during the compromise of the Democratic National Committee. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0388"> S0388 </a> </td> <td> <a href="/versions/v9/software/S0388"> YAHOYAH </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0388">YAHOYAH</a> is a Trojan used by <a href="/versions/v9/groups/G0081">Tropic Trooper</a> as a second-stage backdoor.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0311"> S0311 </a> </td> <td> <a href="/versions/v9/software/S0311"> YiSpecter </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0311">YiSpecter</a> is iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0248"> S0248 </a> </td> <td> <a href="/versions/v9/software/S0248"> yty </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0248">yty</a> is a modular, plugin-based malware framework. 
The components of the framework are written in a variety of programming languages. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v9/software/S0251"> Zebrocy </a> </td> <td> Zekapab </td> <td> <p><a href="/versions/v9/software/S0251">Zebrocy</a> is a Trojan that has been used by <a href="/versions/v9/groups/G0007">APT28</a> since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0494"> S0494 </a> </td> <td> <a href="/versions/v9/software/S0494"> Zen </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0494">Zen</a> is Android malware that was first seen in 2013.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0287"> S0287 </a> </td> <td> <a href="/versions/v9/software/S0287"> ZergHelper </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0287">ZergHelper</a> is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0027"> S0027 </a> </td> <td> <a href="/versions/v9/software/S0027"> Zeroaccess </a> </td> <td> Trojan.Zeroaccess </td> <td> <p><a href="/versions/v9/software/S0027">Zeroaccess</a> is a kernel-mode <a href="/versions/v9/techniques/T1014">Rootkit</a> that attempts to add victims to the ZeroAccess botnet, often for monetary gain. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0230"> S0230 </a> </td> <td> <a href="/versions/v9/software/S0230"> ZeroT </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0230">ZeroT</a> is a Trojan used by <a href="/versions/v9/groups/G0062">TA459</a>, often in conjunction with <a href="/versions/v9/software/S0013">PlugX</a>. 
</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0330"> S0330 </a> </td> <td> <a href="/versions/v9/software/S0330"> Zeus Panda </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0330">Zeus Panda</a> is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. <a href="/versions/v9/software/S0330">Zeus Panda</a>’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0086"> S0086 </a> </td> <td> <a href="/versions/v9/software/S0086"> ZLib </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0086">ZLib</a> is a full-featured backdoor that was used as a second-stage implant by <a href="/versions/v9/groups/G0031">Dust Storm</a> from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0350"> S0350 </a> </td> <td> <a href="/versions/v9/software/S0350"> zwShell </a> </td> <td> </td> <td> <p><a href="/versions/v9/software/S0350">zwShell</a> is a remote access tool (RAT) written in Delphi that has been used by <a href="/versions/v9/groups/G0014">Night Dragon</a>.</p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0412"> S0412 </a> </td> <td> <a href="/versions/v9/software/S0412"> ZxShell </a> </td> <td> Sensocode </td> <td> <p><a href="/versions/v9/software/S0412">ZxShell</a> is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. 
It has been used since at least 2004.</p> </td> </tr> </tbody> </table> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. 
</p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> </div> </div> </div> </footer> </div> </body> </html>
