Input Capture: Keylogging, Sub-technique T1056.001 - Enterprise

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Input Capture: Keylogging, Sub-technique T1056.001 - Enterprise | MITRE ATT&CK®</title>   <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' />  <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1">  <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Matrices </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Tactics </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Techniques </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Defenses </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Mitigations </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> CTI </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> Resources </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" >Benefactors</a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> Blog  <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1">  <div class="col px-0">   <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0">   <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div>  <div id="sidebars"></div>  </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/techniques/T1056">Input Capture</a></li> <li class="breadcrumb-item">Keylogging</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Input Capture: Keylogging </h1> <div class="row"> <div class="col-md-8">  <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Input Capture (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td class="active"> T1056.001 </td> <td class="active"> Keylogging </td> </tr> <tr> <td> <a href="/techniques/T1056/002/" class="subtechnique-table-item" data-subtechnique_id="T1056.002"> T1056.002 </a> </td> <td> <a href="/techniques/T1056/002/" class="subtechnique-table-item" data-subtechnique_id="T1056.002"> GUI Input Capture </a> </td> </tr> <tr> <td> <a href="/techniques/T1056/003/" class="subtechnique-table-item" data-subtechnique_id="T1056.003"> T1056.003 </a> </td> <td> <a href="/techniques/T1056/003/" class="subtechnique-table-item" data-subtechnique_id="T1056.003"> Web Portal Capture </a> </td> </tr> <tr> <td> <a href="/techniques/T1056/004/" class="subtechnique-table-item" data-subtechnique_id="T1056.004"> T1056.004 </a> </td> <td> <a href="/techniques/T1056/004/" class="subtechnique-table-item" data-subtechnique_id="T1056.004"> Credential API Hooking </a> </td> </tr> </tbody> </table> </div> </div> </div>  <div class="description-body"> Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when <a href="/techniques/T1003">OS Credential Dumping</a> efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. In order to increase the likelihood of capturing credentials quickly, an adversary may also perform actions such as clearing browser cookies to force users to reauthenticate to systems.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021"><a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016."data-reference="Adventures of a Keystroke"><a href="http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a> Some methods include:<ul><li>Hooking API callbacks used for processing keystrokes. Unlike <a href="/techniques/T1056/004">Credential API Hooking</a>, this focuses solely on API functions intended for processing keystroke data.</li><li>Reading raw keystroke data from the hardware buffer.</li><li>Windows Registry modifications.</li><li>Custom drivers.</li><li><a href="/techniques/T1601">Modify System Image</a> may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020."data-reference="Cisco Blog Legacy Device Attacks"><a href="https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a> </li></ul> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> ID: T1056.001 </div> </div>  <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> Sub-technique of:  <a href="/techniques/T1056">T1056</a> </div> </div>  <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> ⓘ </div> <div class="col-md-11 pl-0"> Tactics: <a href="/tactics/TA0009">Collection</a>, <a href="/tactics/TA0006">Credential Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> ⓘ </div> <div class="col-md-11 pl-0"> Platforms: Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> Contributors: TruKno </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> Version: 1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> Created: 11 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> Last Modified: 01 October 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1056.001" href="/versions/v16/techniques/T1056/001/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1056.001" href="/versions/v16/techniques/T1056/001/" data-test-ignore="true">Live Version</a> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0028"> C0028 </a> </td> <td> <a href="/campaigns/C0028"> 2015 Ukraine Electric Power Attack </a> </td> <td> During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/groups/G0034">Sandworm Team</a> gathered account credentials via a <a href="/software/S0089">BlackEnergy</a> keylogger plugin. <a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018."data-reference="Ukraine15 - EISAC - 201603"><a href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a> </td> </tr> <tr> <td> <a href="/software/S0045"> S0045 </a> </td> <td> <a href="/software/S0045"> ADVSTORESHELL </a> </td> <td> <a href="/software/S0045">ADVSTORESHELL</a> can perform keylogging.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a> </td> </tr> <tr> <td> <a href="/software/S0331"> S0331 </a> </td> <td> <a href="/software/S0331"> Agent Tesla </a> </td> <td> <a href="/software/S0331">Agent Tesla</a> can log keystrokes on the victim’s machine.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018."data-reference="Talos Agent Tesla Oct 2018"><a href="https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."data-reference="DigiTrust Agent Tesla Jan 2017"><a href="https://www.digitrustgroup.com/agent-tesla-keylogger/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."data-reference="Fortinet Agent Tesla June 2017"><a href="https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."data-reference="Bitdefender Agent Tesla April 2020"><a href="https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020."data-reference="SentinelLabs Agent Tesla Aug 2020"><a href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a> </td> </tr> <tr> <td> <a href="/groups/G0130"> G0130 </a> </td> <td> <a href="/groups/G0130"> Ajax Security Team </a> </td> <td> <a href="/groups/G0130">Ajax Security Team</a> has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."data-reference="Check Point Rocket Kitten"><a href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a> </td> </tr> <tr> <td> <a href="/software/S0622"> S0622 </a> </td> <td> <a href="/software/S0622"> AppleSeed </a> </td> <td> <a href="/software/S0622">AppleSeed</a> can use <code>GetKeyState</code> and <code>GetKeyboardState</code> to capture keystrokes on the victim’s machine.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021"><a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024."data-reference="KISA Operation Muzabi"><a href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <a href="/groups/G0007">APT28</a> has used tools to perform keylogging.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <a href="/groups/G0022">APT3</a> has used a keylogging tool that records keystrokes in encrypted files.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye"><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <a href="/groups/G0050">APT32</a> has abused the PasswordChangeNotify to monitor for and capture account password changes.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a> </td> </tr> <tr> <td> <a href="/groups/G0082"> G0082 </a> </td> <td> <a href="/groups/G0082"> APT38 </a> </td> <td> <a href="/groups/G0082">APT38</a> used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018."data-reference="FireEye APT38 Oct 2018"><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a> </td> </tr> <tr> <td> <a href="/groups/G0087"> G0087 </a> </td> <td> <a href="/groups/G0087"> APT39 </a> </td> <td> <a href="/groups/G0087">APT39</a> has used tools for capturing keystrokes.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."data-reference="Symantec Chafer February 2018"><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020."data-reference="FBI FLASH APT39 September 2020"><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <a href="/groups/G0096">APT41</a> used a keylogger called GEARSHIFT on a target system.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a> </td> </tr> <tr> <td> <a href="/groups/G1023"> G1023 </a> </td> <td> <a href="/groups/G1023"> APT5 </a> </td> <td> <a href="/groups/G1023">APT5</a> has used malware with keylogging capabilities to monitor the communications of targeted entities.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024."data-reference="FireEye Southeast Asia Threat Landscape March 2015"><a href="https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024."data-reference="Mandiant Advanced Persistent Threats"><a href="https://www.mandiant.com/resources/insights/apt-groups" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a> </td> </tr> <tr> <td> <a href="/software/S0373"> S0373 </a> </td> <td> <a href="/software/S0373"> Astaroth </a> </td> <td> <a href="/software/S0373">Astaroth</a> logs keystrokes from the victim's machine. <span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024."data-reference="Cofense Astaroth Sept 2018"><a href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a> </td> </tr> <tr> <td> <a href="/software/S1087"> S1087 </a> </td> <td> <a href="/software/S1087"> AsyncRAT </a> </td> <td> <a href="/software/S1087">AsyncRAT</a> can capture keystrokes on the victim’s machine.<a href="https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/blob/master/README.md" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a> </td> </tr> <tr> <td> <a href="/software/S0438"> S0438 </a> </td> <td> <a href="/software/S0438"> Attor </a> </td> <td> One of <a href="/software/S0438">Attor</a>'s plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."data-reference="ESET Attor Oct 2019"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a> </td> </tr> <tr> <td> <a href="/software/S0414"> S0414 </a> </td> <td> <a href="/software/S0414"> BabyShark </a> </td> <td> <a href="/software/S0414">BabyShark</a> has a <a href="/techniques/T1059/001">PowerShell</a>-based remote administration ability that can implement a PowerShell or C# based keylogger.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019."data-reference="Unit42 BabyShark Apr 2019"><a href="https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a> </td> </tr> <tr> <td> <a href="/software/S0128"> S0128 </a> </td> <td> <a href="/software/S0128"> BADNEWS </a> </td> <td> When it first starts, <a href="/software/S0128">BADNEWS</a> spawns a new thread to log keystrokes.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018."data-reference="PaloAlto Patchwork Mar 2018"><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a> </td> </tr> <tr> <td> <a href="/software/S0337"> S0337 </a> </td> <td> <a href="/software/S0337"> BadPatch </a> </td> <td> <a href="/software/S0337">BadPatch</a> has a keylogging capability.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018."data-reference="Unit 42 BadPatch Oct 2017"><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a> </td> </tr> <tr> <td> <a href="/software/S0234"> S0234 </a> </td> <td> <a href="/software/S0234"> Bandook </a> </td> <td> <a href="/software/S0234">Bandook</a> contains keylogging capabilities.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018."data-reference="BH Manul Aug 2016"><a href="https://www.blackhat.com/docs/us-16/materials/us-16-Quintin-When-Governments-Attack-State-Sponsored-Malware-Attacks-Against-Activists-Lawyers-And-Journalists.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a> </td> </tr> <tr> <td> <a href="/software/S0017"> S0017 </a> </td> <td> <a href="/software/S0017"> BISCUIT </a> </td> <td> <a href="/software/S0017">BISCUIT</a> can capture keystrokes.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016."data-reference="Mandiant APT1 Appendix"><a href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a> </td> </tr> <tr> <td> <a href="/software/S0089"> S0089 </a> </td> <td> <a href="/software/S0089"> BlackEnergy </a> </td> <td> <a href="/software/S0089">BlackEnergy</a> has run a keylogger plug-in on a victim.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016."data-reference="Securelist BlackEnergy Nov 2014"><a href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a> </td> </tr> <tr> <td> <a href="/software/S0454"> S0454 </a> </td> <td> <a href="/software/S0454"> Cadelspy </a> </td> <td> <a href="/software/S0454">Cadelspy</a> has the ability to log keystrokes on the compromised host.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019."data-reference="Symantec Chafer Dec 2015"><a href="https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a> </td> </tr> <tr> <td> <a href="/software/S0030"> S0030 </a> </td> <td> <a href="/software/S0030"> Carbanak </a> </td> <td> <a href="/software/S0030">Carbanak</a> logs key strokes for configured processes and sends them back to the C2 server.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018."data-reference="Kaspersky Carbanak"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018."data-reference="FireEye CARBANAK June 2017"><a href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a> </td> </tr> <tr> <td> <a href="/software/S0348"> S0348 </a> </td> <td> <a href="/software/S0348"> Cardinal RAT </a> </td> <td> <a href="/software/S0348">Cardinal RAT</a> can log keystrokes.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018."data-reference="PaloAlto CardinalRat Apr 2017"><a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a> </td> </tr> <tr> <td> <a href="/software/S0261"> S0261 </a> </td> <td> <a href="/software/S0261"> Catchamas </a> </td> <td> <a href="/software/S0261">Catchamas</a> collects keystrokes from the victim’s machine.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018."data-reference="Symantec Catchamas April 2018"><a href="https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a> </td> </tr> <tr> <td> <a href="/software/S1149"> S1149 </a> </td> <td> <a href="/software/S1149"> CHIMNEYSWEEP </a> </td> <td> <a href="/software/S1149">CHIMNEYSWEEP</a> has the ability to support keylogging.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022"><a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a> </td> </tr> <tr> <td> <a href="/software/S0023"> S0023 </a> </td> <td> <a href="/software/S0023"> CHOPSTICK </a> </td> <td> <a href="/software/S0023">CHOPSTICK</a> is capable of performing keylogging.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018"><a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a> </td> </tr> <tr> <td> <a href="/software/S0660"> S0660 </a> </td> <td> <a href="/software/S0660"> Clambling </a> </td> <td> <a href="/software/S0660">Clambling</a> can capture keystrokes on a compromised host.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020"><a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021."data-reference="Talent-Jump Clambling February 2020"><a href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a> </td> </tr> <tr> <td> <a href="/software/S0154"> S0154 </a> </td> <td> <a href="/software/S0154"> Cobalt Strike </a> </td> <td> <a href="/software/S0154">Cobalt Strike</a> can track key presses with a keylogger module.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017."data-reference="cobaltstrike manual"><a href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021."data-reference="Amnesty Intl. Ocean Lotus February 2021"><a href="https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020"><a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a> </td> </tr> <tr> <td> <a href="/software/S0338"> S0338 </a> </td> <td> <a href="/software/S0338"> Cobian RAT </a> </td> <td> <a href="/software/S0338">Cobian RAT</a> has a feature to perform keylogging on the victim’s machine.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018."data-reference="Zscaler Cobian Aug 2017"><a href="https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a> </td> </tr> <tr> <td> <a href="/software/S0050"> S0050 </a> </td> <td> <a href="/software/S0050"> CosmicDuke </a> </td> <td> <a href="/software/S0050">CosmicDuke</a> uses a keylogger.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <a href="/software/S0115">Crimson</a> can use a module to perform keylogging on compromised hosts.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016"><a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a><span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020"><a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a><span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022."data-reference="Cisco Talos Transparent Tribe Education Campaign July 2022"><a href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a> </td> </tr> <tr> <td> <a href="/software/S0625"> S0625 </a> </td> <td> <a href="/software/S0625"> Cuba </a> </td> <td> <a href="/software/S0625">Cuba</a> logs keystrokes via polling by using <code>GetKeyState</code> and <code>VkKeyScan</code> functions.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021"><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a> </td> </tr> <tr> <td> <a href="/campaigns/C0029"> C0029 </a> </td> <td> <a href="/campaigns/C0029"> Cutting Edge </a> </td> <td> During <a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a>, threat actors modified a JavaScript file on the Web SSL VPN component of Ivanti Connect Secure devices to keylog credentials.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024."data-reference="Volexity Ivanti Zero-Day Exploitation January 2024"><a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a> </td> </tr> <tr> <td> <a href="/software/S0334"> S0334 </a> </td> <td> <a href="/software/S0334"> DarkComet </a> </td> <td> <a href="/software/S0334">DarkComet</a> has a keylogging capability.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018."data-reference="TrendMicro DarkComet Sept 2014"><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a> </td> </tr> <tr> <td> <a href="/software/S1111"> S1111 </a> </td> <td> <a href="/software/S1111"> DarkGate </a> </td> <td> <a href="/software/S1111">DarkGate</a> will spawn a thread on execution to capture all keyboard events and write them to a predefined log file.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018"><a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a> </td> </tr> <tr> <td> <a href="/groups/G0012"> G0012 </a> </td> <td> <a href="/groups/G0012"> Darkhotel </a> </td> <td> <a href="/groups/G0012">Darkhotel</a> has used a keylogger.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014."data-reference="Kaspersky Darkhotel"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a> </td> </tr> <tr> <td> <a href="/software/S1066"> S1066 </a> </td> <td> <a href="/software/S1066"> DarkTortilla </a> </td> <td> <a href="/software/S1066">DarkTortilla</a> can download a keylogging module.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022."data-reference="Secureworks DarkTortilla Aug 2022"><a href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a> </td> </tr> <tr> <td> <a href="/software/S0673"> S0673 </a> </td> <td> <a href="/software/S0673"> DarkWatchman </a> </td> <td> <a href="/software/S0673">DarkWatchman</a> can track key presses with a keylogger module.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022."data-reference="Prevailion DarkWatchman 2021"><a href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a> </td> </tr> <tr> <td> <a href="/software/S0187"> S0187 </a> </td> <td> <a href="/software/S0187"> Daserf </a> </td> <td> <a href="/software/S0187">Daserf</a> can log keystrokes.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017."data-reference="Trend Micro Daserf Nov 2017"><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a> </td> </tr> <tr> <td> <a href="/software/S0021"> S0021 </a> </td> <td> <a href="/software/S0021"> Derusbi </a> </td> <td> <a href="/software/S0021">Derusbi</a> is capable of logging keystrokes.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."data-reference="FireEye Periscope March 2018"><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a> </td> </tr> <tr> <td> <a href="/software/S0213"> S0213 </a> </td> <td> <a href="/software/S0213"> DOGCALL </a> </td> <td> <a href="/software/S0213">DOGCALL</a> is capable of logging keystrokes.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018."data-reference="Unit 42 Nokki Oct 2018"><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a> </td> </tr> <tr> <td> <a href="/software/S0567"> S0567 </a> </td> <td> <a href="/software/S0567"> Dtrack </a> </td> <td> <a href="/software/S0567">Dtrack</a>’s dropper contains a keylogging executable.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021."data-reference="Securelist Dtrack"><a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a> </td> </tr> <tr> <td> <a href="/software/S0038"> S0038 </a> </td> <td> <a href="/software/S0038"> Duqu </a> </td> <td> <a href="/software/S0038">Duqu</a> can track key presses with a keylogger module.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015."data-reference="Symantec W32.Duqu"><a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a> </td> </tr> <tr> <td> <a href="/software/S1159"> S1159 </a> </td> <td> <a href="/software/S1159"> DUSTTRAP </a> </td> <td> <a href="/software/S1159">DUSTTRAP</a> can perform keylogging operations.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024"><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a> </td> </tr> <tr> <td> <a href="/software/S0062"> S0062 </a> </td> <td> <a href="/software/S0062"> DustySky </a> </td> <td> <a href="/software/S0062">DustySky</a> contains a keylogger.<a href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a> </td> </tr> <tr> <td> <a href="/software/S0593"> S0593 </a> </td> <td> <a href="/software/S0593"> ECCENTRICBANDWAGON </a> </td> <td> <a href="/software/S0593">ECCENTRICBANDWAGON</a> can capture and store keystrokes.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021."data-reference="CISA EB Aug 2020"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <a href="/software/S0363">Empire</a> includes keylogging capabilities for Windows, Linux, and macOS systems.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a> </td> </tr> <tr> <td> <a href="/software/S0152"> S0152 </a> </td> <td> <a href="/software/S0152"> EvilGrab </a> </td> <td> <a href="/software/S0152">EvilGrab</a> has the capability to capture keystrokes.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a> </td> </tr> <tr> <td> <a href="/software/S0569"> S0569 </a> </td> <td> <a href="/software/S0569"> Explosive </a> </td> <td> <a href="/software/S0569">Explosive</a> has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021."data-reference="CheckPoint Volatile Cedar March 2015"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, January). "Lebanese Cedar" APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021."data-reference="ClearSky Lebanese Cedar Jan 2021"><a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a> </td> </tr> <tr> <td> <a href="/software/S0076"> S0076 </a> </td> <td> <a href="/software/S0076"> FakeM </a> </td> <td> <a href="/software/S0076">FakeM</a> contains a keylogger module.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016."data-reference="Scarlet Mimic Jan 2016"><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <a href="/groups/G1016">FIN13</a> has logged the keystrokes of victims to escalate privileges.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a> </td> </tr> <tr> <td> <a href="/groups/G0085"> G0085 </a> </td> <td> <a href="/groups/G0085"> FIN4 </a> </td> <td> <a href="/groups/G0085">FIN4</a> has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018."data-reference="FireEye Hacking FIN4 Dec 2014"><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a><span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019."data-reference="FireEye Hacking FIN4 Video Dec 2014"><a href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a> </td> </tr> <tr> <td> <a href="/software/S0381"> S0381 </a> </td> <td> <a href="/software/S0381"> FlawedAmmyy </a> </td> <td> <a href="/software/S0381">FlawedAmmyy</a> can collect keyboard events.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020"><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a> </td> </tr> <tr> <td> <a href="/software/S1044"> S1044 </a> </td> <td> <a href="/software/S1044"> FunnyDream </a> </td> <td> The <a href="/software/S1044">FunnyDream</a> Keyrecord component can capture keystrokes.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a> </td> </tr> <tr> <td> <a href="/software/S0410"> S0410 </a> </td> <td> <a href="/software/S0410"> Fysbis </a> </td> <td> <a href="/software/S0410">Fysbis</a> can perform keylogging.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017."data-reference="Fysbis Palo Alto Analysis"><a href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a> </td> </tr> <tr> <td> <a href="/software/S0032"> S0032 </a> </td> <td> <a href="/software/S0032"> gh0st RAT </a> </td> <td> <a href="/software/S0032">gh0st RAT</a> has a keylogger.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014."data-reference="Alintanahin 2014"><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/kunming-attack-leads-to-gh0st-rat-variant/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a><span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020."data-reference="Gh0stRAT ATT March 2019"><a href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <a href="/software/S0531">Grandoreiro</a> can log keystrokes on the victim's machine.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020"><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a> </td> </tr> <tr> <td> <a href="/software/S0342"> S0342 </a> </td> <td> <a href="/software/S0342"> GreyEnergy </a> </td> <td> <a href="/software/S0342">GreyEnergy</a> has a module to harvest pressed keystrokes.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018"><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a> </td> </tr> <tr> <td> <a href="/groups/G0043"> G0043 </a> </td> <td> <a href="/groups/G0043"> Group5 </a> </td> <td> Malware used by <a href="/groups/G0043">Group5</a> is capable of capturing keystrokes.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016."data-reference="Citizen Lab Group5"><a href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a> </td> </tr> <tr> <td> <a href="/software/S0170"> S0170 </a> </td> <td> <a href="/software/S0170"> Helminth </a> </td> <td> The executable version of <a href="/software/S0170">Helminth</a> has a module to log keystrokes.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017."data-reference="Palo Alto OilRig May 2016"><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a> </td> </tr> <tr> <td> <a href="/groups/G1001"> G1001 </a> </td> <td> <a href="/groups/G1001"> HEXANE </a> </td> <td> <a href="/groups/G1001">HEXANE</a> has used a PowerShell-based keylogger named <code>kl.ps1</code>.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 "data-reference="SecureWorks August 2019"><a href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a><span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a> </td> </tr> <tr> <td> <a href="/software/S0070"> S0070 </a> </td> <td> <a href="/software/S0070"> HTTPBrowser </a> </td> <td> <a href="/software/S0070">HTTPBrowser</a> is capable of capturing keystrokes on victims.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a> </td> </tr> <tr> <td> <a href="/software/S0434"> S0434 </a> </td> <td> <a href="/software/S0434"> Imminent Monitor </a> </td> <td> <a href="/software/S0434">Imminent Monitor</a> has a keylogging module.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020."data-reference="Imminent Unit42 Dec2019"><a href="https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <a href="/software/S0260">InvisiMole</a> can capture keystrokes on a compromised host.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020"><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a> </td> </tr> <tr> <td> <a href="/software/S0201"> S0201 </a> </td> <td> <a href="/software/S0201"> JPIN </a> </td> <td> <a href="/software/S0201">JPIN</a> contains a custom keylogger.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018."data-reference="Microsoft PLATINUM April 2016"><a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a> </td> </tr> <tr> <td> <a href="/software/S0283"> S0283 </a> </td> <td> <a href="/software/S0283"> jRAT </a> </td> <td> <a href="/software/S0283">jRAT</a> has the capability to log keystrokes from the victim’s machine, both offline and online.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018."data-reference="jRAT Symantec Aug 2018"><a href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a><span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019."data-reference="Kaspersky Adwind Feb 2016"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a> </td> </tr> <tr> <td> <a href="/software/S0088"> S0088 </a> </td> <td> <a href="/software/S0088"> Kasidet </a> </td> <td> <a href="/software/S0088">Kasidet</a> has the ability to initiate keylogging.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016."data-reference="Zscaler Kasidet"><a href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <a href="/groups/G0004">Ke3chang</a> has used keyloggers.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong"><a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a><span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a> </td> </tr> <tr> <td> <a href="/software/S0387"> S0387 </a> </td> <td> <a href="/software/S0387"> KeyBoy </a> </td> <td> <a href="/software/S0387">KeyBoy</a> installs a keylogger for intercepting credentials and keystrokes.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019."data-reference="Rapid7 KeyBoy Jun 2013"><a href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a> </td> </tr> <tr> <td> <a href="/software/S0526"> S0526 </a> </td> <td> <a href="/software/S0526"> KGH_SPY </a> </td> <td> <a href="/software/S0526">KGH_SPY</a> can perform keylogging by polling the <code>GetAsyncKeyState()</code> function.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020"><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <a href="/groups/G0094">Kimsuky</a> has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019."data-reference="EST Kimsuky April 2019"><a href="https://blog.alyac.co.kr/2234" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a><span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Tarakanov , D.. (2013, September 11). The "Kimsuky" Operation: A North Korean APT?. Retrieved August 13, 2019."data-reference="Securelist Kimsuky Sept 2013"><a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a><span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020."data-reference="CISA AA20-301A Kimsuky"><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a><span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019."data-reference="Netscout Stolen Pencil Dec 2018"><a href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021"><a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024."data-reference="KISA Operation Muzabi"><a href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a> </td> </tr> <tr> <td> <a href="/software/S0437"> S0437 </a> </td> <td> <a href="/software/S0437"> Kivars </a> </td> <td> <a href="/software/S0437">Kivars</a> has the ability to initiate keylogging on the infected host.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020."data-reference="TrendMicro BlackTech June 2017"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <a href="/software/S0356">KONNI</a> has the capability to perform keylogging.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."data-reference="Talos Konni May 2017"><a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <a href="/groups/G0032">Lazarus Group</a> malware KiloAlfa contains keylogging functionality.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016."data-reference="Novetta Blockbuster Tools"><a href="https://web.archive.org/web/20220425194457/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a> </td> </tr> <tr> <td> <a href="/software/S0447"> S0447 </a> </td> <td> <a href="/software/S0447"> Lokibot </a> </td> <td> <a href="/software/S0447">Lokibot</a> has the ability to capture input on the compromised host via keylogging.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."data-reference="FSecure Lokibot November 2019"><a href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <a href="/software/S0409">Machete</a> logs keystrokes from the victim’s machine.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a><span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019."data-reference="Securelist Machete Aug 2014"><a href="https://securelist.com/el-machete/66108/" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a><span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019."data-reference="Cylance Machete Mar 2017"><a href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a><span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020."data-reference="360 Machete Sep 2020"><a href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a> </td> </tr> <tr> <td> <a href="/software/S1016"> S1016 </a> </td> <td> <a href="/software/S1016"> MacMa </a> </td> <td> <a href="/software/S1016">MacMa</a> can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022."data-reference="Objective-See MacMa Nov 2021"><a href="https://objective-see.org/blog/blog_0x69.html" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a><span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022."data-reference="SentinelOne MacMa Nov 2021"><a href="https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a> </td> </tr> <tr> <td> <a href="/software/S0282"> S0282 </a> </td> <td> <a href="/software/S0282"> MacSpy </a> </td> <td> <a href="/software/S0282">MacSpy</a> captures keystrokes.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017"><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <a href="/groups/G0059">Magic Hound</a> malware is capable of keylogging.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a> </td> </tr> <tr> <td> <a href="/software/S0652"> S0652 </a> </td> <td> <a href="/software/S0652"> MarkiRAT </a> </td> <td> <a href="/software/S0652">MarkiRAT</a> can capture all keystrokes on a compromised host.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021"><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a> </td> </tr> <tr> <td> <a href="/software/S0167"> S0167 </a> </td> <td> <a href="/software/S0167"> Matryoshka </a> </td> <td> <a href="/software/S0167">Matryoshka</a> is capable of keylogging.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017."data-reference="ClearSky Wilted Tulip July 2017"><a href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a><span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017."data-reference="CopyKittens Nov 2015"><a href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a> </td> </tr> <tr> <td> <a href="/groups/G0045"> G0045 </a> </td> <td> <a href="/groups/G0045"> menuPass </a> </td> <td> <a href="/groups/G0045">menuPass</a> has used key loggers to steal usernames and passwords.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020."data-reference="District Court of NY APT10 Indictment December 2018"><a href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a> </td> </tr> <tr> <td> <a href="/software/S1059"> S1059 </a> </td> <td> <a href="/software/S1059"> metaMain </a> </td> <td> <a href="/software/S1059">metaMain</a> has the ability to log keyboard events.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022"><a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a><span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a> </td> </tr> <tr> <td> <a href="/software/S0455"> S0455 </a> </td> <td> <a href="/software/S0455"> Metamorfo </a> </td> <td> <a href="/software/S0455">Metamorfo</a> has a command to launch a keylogger and capture keystrokes on the victim’s machine.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020."data-reference="Fortinet Metamorfo Feb 2020"><a href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a><span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021."data-reference="ESET Casbaneiro Oct 2019"><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a> </td> </tr> <tr> <td> <a href="/software/S1146"> S1146 </a> </td> <td> <a href="/software/S1146"> MgBot </a> </td> <td> <a href="/software/S1146">MgBot</a> includes keylogger payloads focused on the QQ chat application.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024."data-reference="ESET EvasivePanda 2023"><a href="https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a><span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024."data-reference="Symantec Daggerfly 2023"><a href="https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a> </td> </tr> <tr> <td> <a href="/software/S0339"> S0339 </a> </td> <td> <a href="/software/S0339"> Micropsia </a> </td> <td> <a href="/software/S0339">Micropsia</a> has keylogging capabilities.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018."data-reference="Radware Micropsia July 2018"><a href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a> </td> </tr> <tr> <td> <a href="/software/S1122"> S1122 </a> </td> <td> <a href="/software/S1122"> Mispadu </a> </td> <td> <a href="/software/S1122">Mispadu</a> can log keystrokes on the victim's machine.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024."data-reference="ESET Security Mispadu Facebook Ads 2019"><a href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a><span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024."data-reference="Metabase Q Mispadu Trojan 2023"><a href="https://www.metabaseq.com/mispadu-banking-trojan/" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a><span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024."data-reference="SCILabs URSA/Mispadu Evolution 2023"><a href="https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a> </td> </tr> <tr> <td> <a href="/software/S0149"> S0149 </a> </td> <td> <a href="/software/S0149"> MoonWind </a> </td> <td> <a href="/software/S0149">MoonWind</a> has a keylogger.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017."data-reference="Palo Alto MoonWind March 2017"><a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a> </td> </tr> <tr> <td> <a href="/software/S0336"> S0336 </a> </td> <td> <a href="/software/S0336"> NanoCore </a> </td> <td> <a href="/software/S0336">NanoCore</a> can perform keylogging on the victim’s machine.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018."data-reference="PaloAlto NanoCore Feb 2016"><a href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a> </td> </tr> <tr> <td> <a href="/software/S0247"> S0247 </a> </td> <td> <a href="/software/S0247"> NavRAT </a> </td> <td> <a href="/software/S0247">NavRAT</a> logs the keystrokes on the targeted system.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018."data-reference="Talos NavRAT May 2018"><a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a> </td> </tr> <tr> <td> <a href="/software/S0033"> S0033 </a> </td> <td> <a href="/software/S0033"> NetTraveler </a> </td> <td> <a href="/software/S0033">NetTraveler</a> contains a keylogger.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014."data-reference="Kaspersky NetTraveler"><a href="http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <a href="/software/S0198">NETWIRE</a> can perform keylogging.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018."data-reference="McAfee Netwire Mar 2015"><a href="https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a><span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018."data-reference="FireEye APT33 Webinar Sept 2017"><a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a><span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021."data-reference="FireEye NETWIRE March 2019"><a href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a><span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020"><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a><span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021."data-reference="Proofpoint NETWIRE December 2020"><a href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a> </td> </tr> <tr> <td> <a href="/software/S1090"> S1090 </a> </td> <td> <a href="/software/S1090"> NightClub </a> </td> <td> <a href="/software/S1090">NightClub</a> can use a plugin for keylogging.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a> </td> </tr> <tr> <td> <a href="/software/S0385"> S0385 </a> </td> <td> <a href="/software/S0385"> njRAT </a> </td> <td> <a href="/software/S0385">njRAT</a> is capable of logging keystrokes.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019."data-reference="Fidelis njRAT June 2013"><a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a><span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019."data-reference="Trend Micro njRAT 2018"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a><span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016."data-reference="Citizen Lab Group5"><a href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a> </td> </tr> <tr> <td> <a href="/groups/G0049"> G0049 </a> </td> <td> <a href="/groups/G0049"> OilRig </a> </td> <td> <a href="/groups/G0049">OilRig</a> has used keylogging tools called KEYPUNCH and LONGWATCH.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017."data-reference="FireEye APT34 Webinar Dec 2017"><a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019."data-reference="FireEye APT34 July 2019"><a href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a> </td> </tr> <tr> <td> <a href="/software/S0439"> S0439 </a> </td> <td> <a href="/software/S0439"> Okrum </a> </td> <td> <a href="/software/S0439">Okrum</a> was seen using a keylogger tool to capture keystrokes. <span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."data-reference="ESET Okrum July 2019"><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors obtained the password for the victim's password manager via a custom keylogger.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a> </td> </tr> <tr> <td> <a href="/software/S0072"> S0072 </a> </td> <td> <a href="/software/S0072"> OwaAuth </a> </td> <td> <a href="/software/S0072">OwaAuth</a> captures and DES-encrypts credentials before writing the username and password to a log file, <code>C:\log.txt</code>.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a> </td> </tr> <tr> <td> <a href="/software/S1050"> S1050 </a> </td> <td> <a href="/software/S1050"> PcShare </a> </td> <td> <a href="/software/S1050">PcShare</a> has the ability to capture keystrokes.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a> </td> </tr> <tr> <td> <a href="/software/S0643"> S0643 </a> </td> <td> <a href="/software/S0643"> Peppy </a> </td> <td> <a href="/software/S0643">Peppy</a> can log keystrokes on compromised hosts.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016"><a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a> </td> </tr> <tr> <td> <a href="/groups/G0068"> G0068 </a> </td> <td> <a href="/groups/G0068"> PLATINUM </a> </td> <td> <a href="/groups/G0068">PLATINUM</a> has used several different keyloggers.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018."data-reference="Microsoft PLATINUM April 2016"><a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a> </td> </tr> <tr> <td> <a href="/software/S0013"> S0013 </a> </td> <td> <a href="/software/S0013"> PlugX </a> </td> <td> <a href="/software/S0013">PlugX</a> has a module for capturing keystrokes per process including window titles.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018."data-reference="CIRCL PlugX March 2013"><a href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a> </td> </tr> <tr> <td> <a href="/software/S0428"> S0428 </a> </td> <td> <a href="/software/S0428"> PoetRAT </a> </td> <td> <a href="/software/S0428">PoetRAT</a> has used a Python tool named klog.exe for keylogging.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."data-reference="Talos PoetRAT April 2020"><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a> </td> </tr> <tr> <td> <a href="/software/S0012"> S0012 </a> </td> <td> <a href="/software/S0012"> PoisonIvy </a> </td> <td> <a href="/software/S0012">PoisonIvy</a> contains a keylogger.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024."data-reference="FireEye Poison Ivy"><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a><span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018."data-reference="Symantec Darkmoon Aug 2005"><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a> </td> </tr> <tr> <td> <a href="/software/S0378"> S0378 </a> </td> <td> <a href="/software/S0378"> PoshC2 </a> </td> <td> <a href="/software/S0378">PoshC2</a> has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.<a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a> </td> </tr> <tr> <td> <a href="/software/S1012"> S1012 </a> </td> <td> <a href="/software/S1012"> PowerLess </a> </td> <td> <a href="/software/S1012">PowerLess</a> can use a module to log keystrokes.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022."data-reference="Cybereason PowerLess February 2022"><a href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a> </td> </tr> <tr> <td> <a href="/software/S0194"> S0194 </a> </td> <td> <a href="/software/S0194"> PowerSploit </a> </td> <td> <a href="/software/S0194">PowerSploit</a>'s <code>Get-Keystrokes</code> Exfiltration module can log keystrokes.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018."data-reference="GitHub PowerSploit May 2012"><a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a><a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a> </td> </tr> <tr> <td> <a href="/software/S0113"> S0113 </a> </td> <td> <a href="/software/S0113"> Prikormka </a> </td> <td> <a href="/software/S0113">Prikormka</a> contains a keylogger module that collects keystrokes and the titles of foreground windows.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016."data-reference="ESET Operation Groundbait"><a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a> </td> </tr> <tr> <td> <a href="/software/S0279"> S0279 </a> </td> <td> <a href="/software/S0279"> Proton </a> </td> <td> <a href="/software/S0279">Proton</a> uses a keylogger to capture keystrokes.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017"><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <a href="/software/S0192">Pupy</a> uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.<a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <a href="/software/S0650">QakBot</a> can capture keystrokes on a compromised host.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021."data-reference="Kroll Qakbot June 2020"><a href="https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a><span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot December 2020"><a href="https://success.trendmicro.com/solution/000283381" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a><span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021"><a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <a href="/software/S0262">QuasarRAT</a> has a built-in keylogger.<a href="https://github.com/quasar/QuasarRAT" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a><span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018."data-reference="Volexity Patchwork June 2018"><a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a> </td> </tr> <tr> <td> <a href="/software/S0662"> S0662 </a> </td> <td> <a href="/software/S0662"> RCSession </a> </td> <td> <a href="/software/S0662">RCSession</a> has the ability to capture keystrokes on a compromised host.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020"><a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a><span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021."data-reference="Profero APT27 December 2020"><a href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a> </td> </tr> <tr> <td> <a href="/software/S0019"> S0019 </a> </td> <td> <a href="/software/S0019"> Regin </a> </td> <td> <a href="/software/S0019">Regin</a> contains a keylogger.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014."data-reference="Kaspersky Regin"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a> </td> </tr> <tr> <td> <a href="/software/S0332"> S0332 </a> </td> <td> <a href="/software/S0332"> Remcos </a> </td> <td> <a href="/software/S0332">Remcos</a> has a command for keylogging.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018."data-reference="Fortinet Remcos Feb 2017"><a href="https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a><span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018."data-reference="Talos Remcos Aug 2018"><a href="https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a> </td> </tr> <tr> <td> <a href="/software/S0375"> S0375 </a> </td> <td> <a href="/software/S0375"> Remexi </a> </td> <td> <a href="/software/S0375">Remexi</a> gathers and exfiltrates keystrokes from the machine.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019."data-reference="Securelist Remexi Jan 2019"><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a> </td> </tr> <tr> <td> <a href="/software/S0125"> S0125 </a> </td> <td> <a href="/software/S0125"> Remsec </a> </td> <td> <a href="/software/S0125">Remsec</a> contains a keylogger component.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016."data-reference="Symantec Remsec IOCs"><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a><span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016."data-reference="Kaspersky ProjectSauron Technical Analysis"><a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a> </td> </tr> <tr> <td> <a href="/software/S0379"> S0379 </a> </td> <td> <a href="/software/S0379"> Revenge RAT </a> </td> <td> <a href="/software/S0379">Revenge RAT</a> has a plugin for keylogging.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019."data-reference="Cylance Shaheen Nov 2018"><a href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a><span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019."data-reference="Cofense RevengeRAT Feb 2019"><a href="https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a> </td> </tr> <tr> <td> <a href="/software/S0240"> S0240 </a> </td> <td> <a href="/software/S0240"> ROKRAT </a> </td> <td> <a href="/software/S0240">ROKRAT</a> can use <code>SetWindowsHookEx</code> and <code>GetKeyNameText</code> to capture keystrokes.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018."data-reference="Talos ROKRAT"><a href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a><span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."data-reference="Volexity InkySquid RokRAT August 2021"><a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a> </td> </tr> <tr> <td> <a href="/software/S0090"> S0090 </a> </td> <td> <a href="/software/S0090"> Rover </a> </td> <td> <a href="/software/S0090">Rover</a> has keylogging functionality.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016."data-reference="Palo Alto Rover"><a href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a> </td> </tr> <tr> <td> <a href="/software/S0148"> S0148 </a> </td> <td> <a href="/software/S0148"> RTM </a> </td> <td> <a href="/software/S0148">RTM</a> can record keystrokes from both the keyboard and virtual keyboard.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017."data-reference="ESET RTM Feb 2017"><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a><span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020."data-reference="Unit42 Redaman January 2019"><a href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a> </td> </tr> <tr> <td> <a href="/software/S0253"> S0253 </a> </td> <td> <a href="/software/S0253"> RunningRAT </a> </td> <td> <a href="/software/S0253">RunningRAT</a> captures keystrokes and sends them back to the C2 server.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <a href="/groups/G0034">Sandworm Team</a> has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a> </td> </tr> <tr> <td> <a href="/software/S0692"> S0692 </a> </td> <td> <a href="/software/S0692"> SILENTTRINITY </a> </td> <td> <a href="/software/S0692">SILENTTRINITY</a> has a keylogging capability.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a> </td> </tr> <tr> <td> <a href="/software/S0533"> S0533 </a> </td> <td> <a href="/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <a href="/software/S0533">SLOTHFULMEDIA</a> has a keylogging capability.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020."data-reference="CISA MAR SLOTHFULMEDIA October 2020"><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a> </td> </tr> <tr> <td> <a href="/software/S0649"> S0649 </a> </td> <td> <a href="/software/S0649"> SMOKEDHAM </a> </td> <td> <a href="/software/S0649">SMOKEDHAM</a> can continuously capture keystrokes.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021."data-reference="FireEye Shining A Light on DARKSIDE May 2021"><a href="https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a><span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021."data-reference="FireEye SMOKEDHAM June 2021"><a href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a> </td> </tr> <tr> <td> <a href="/groups/G0054"> G0054 </a> </td> <td> <a href="/groups/G0054"> Sowbug </a> </td> <td> <a href="/groups/G0054">Sowbug</a> has used keylogging tools.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017."data-reference="Symantec Sowbug Nov 2017"><a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a> </td> </tr> <tr> <td> <a href="/software/S0058"> S0058 </a> </td> <td> <a href="/software/S0058"> SslMM </a> </td> <td> <a href="/software/S0058">SslMM</a> creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a> </td> </tr> <tr> <td> <a href="/software/S0018"> S0018 </a> </td> <td> <a href="/software/S0018"> Sykipot </a> </td> <td> <a href="/software/S0018">Sykipot</a> contains keylogging functionality to steal passwords.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016."data-reference="Alienvault Sykipot DOD Smart Cards"><a href="https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a> </td> </tr> <tr> <td> <a href="/software/S0467"> S0467 </a> </td> <td> <a href="/software/S0467"> TajMahal </a> </td> <td> <a href="/software/S0467">TajMahal</a> has the ability to capture keystrokes on an infected host.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019."data-reference="Kaspersky TajMahal April 2019"><a href="https://securelist.com/project-tajmahal/90240/" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a> </td> </tr> <tr> <td> <a href="/software/S0595"> S0595 </a> </td> <td> <a href="/software/S0595"> ThiefQuest </a> </td> <td> <a href="/software/S0595">ThiefQuest</a> uses the <code>CGEventTap</code> functions to perform keylogging.<span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021."data-reference="Trendmicro Evolving ThiefQuest 2020"><a href="https://www.trendmicro.com/en_us/research/20/g/updates-on-quickly-evolving-thiefquest-macos-malware.html" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a> </td> </tr> <tr> <td> <a href="/groups/G0027"> G0027 </a> </td> <td> <a href="/groups/G0027"> Threat Group-3390 </a> </td> <td> <a href="/groups/G0027">Threat Group-3390</a> actors installed a credential logger on Microsoft Exchange servers. <a href="/groups/G0027">Threat Group-3390</a> also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a><span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018."data-reference="Hacker News LuckyMouse June 2018"><a href="https://thehackernews.com/2018/06/chinese-watering-hole-attack.html" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a><span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018."data-reference="Securelist LuckyMouse June 2018"><a href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a> </td> </tr> <tr> <td> <a href="/software/S0004"> S0004 </a> </td> <td> <a href="/software/S0004"> TinyZBot </a> </td> <td> <a href="/software/S0004">TinyZBot</a> contains keylogger functionality.<a href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a> </td> </tr> <tr> <td> <a href="/groups/G0131"> G0131 </a> </td> <td> <a href="/groups/G0131"> Tonto Team </a> </td> <td> <a href="/groups/G0131">Tonto Team</a> has used keylogging tools in their operations.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021."data-reference="TrendMicro Tonto Team October 2020"><a href="https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a> </td> </tr> <tr> <td> <a href="/software/S0094"> S0094 </a> </td> <td> <a href="/software/S0094"> Trojan.Karagany </a> </td> <td> <a href="/software/S0094">Trojan.Karagany</a> can capture keystrokes on a compromised host.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a> </td> </tr> <tr> <td> <a href="/software/S0130"> S0130 </a> </td> <td> <a href="/software/S0130"> Unknown Logger </a> </td> <td> <a href="/software/S0130">Unknown Logger</a> is capable of recording keystrokes.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a> </td> </tr> <tr> <td> <a href="/software/S0257"> S0257 </a> </td> <td> <a href="/software/S0257"> VERMIN </a> </td> <td> <a href="/software/S0257">VERMIN</a> collects keystrokes from the victim machine.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018."data-reference="Unit 42 VERMIN Jan 2018"><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <a href="/groups/G1017">Volt Typhoon</a> has created and accessed a file named rult3uil.log on compromised domain controllers to capture keypresses and command execution.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024"><a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a> </td> </tr> <tr> <td> <a href="/software/S0670"> S0670 </a> </td> <td> <a href="/software/S0670"> WarzoneRAT </a> </td> <td> <a href="/software/S0670">WarzoneRAT</a> has the capability to install a live and offline keylogger, including through the use of the <code>GetAsyncKeyState</code> Windows API.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021."data-reference="Check Point Warzone Feb 2020"><a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a><span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022."data-reference="Uptycs Warzone UAC Bypass November 2020"><a href="https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a> </td> </tr> <tr> <td> <a href="/software/S0161"> S0161 </a> </td> <td> <a href="/software/S0161"> XAgentOSX </a> </td> <td> <a href="/software/S0161">XAgentOSX</a> contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017."data-reference="XAgentOSX 2017"><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a> </td> </tr> <tr> <td> <a href="/software/S0248"> S0248 </a> </td> <td> <a href="/software/S0248"> yty </a> </td> <td> <a href="/software/S0248">yty</a> uses a keylogger plugin to gather keystrokes.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018."data-reference="ASERT Donot March 2018"><a href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a> </td> </tr> <tr> <td> <a href="/software/S0330"> S0330 </a> </td> <td> <a href="/software/S0330"> Zeus Panda </a> </td> <td> <a href="/software/S0330">Zeus Panda</a> can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018."data-reference="GDATA Zeus Panda June 2017"><a href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a> </td> </tr> <tr> <td> <a href="/software/S0412"> S0412 </a> </td> <td> <a href="/software/S0412"> ZxShell </a> </td> <td> <a href="/software/S0412">ZxShell</a> has a feature to capture a remote computer's keystrokes using a keylogger.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a><span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019."data-reference="Talos ZxShell Oct 2014"><a href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0027"> <td> <a href="/datasources/DS0027">DS0027</a> </td> <td class="nowrap"> <a href="/datasources/DS0027">Driver</a> </td>  <td> <a href="/datasources/DS0027/#Driver%20Load">Driver Load</a> </td> <td> Monitor for unusual kernel driver installation activity </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td>  <td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> Monitor for API calls to the SetWindowsHook, GetKeyState, and GetAsyncKeyState.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016."data-reference="Adventures of a Keystroke"><a href="http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a> and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes. </td> </tr> <tr class="datasource" id="uses-DS0024"> <td> <a href="/datasources/DS0024">DS0024</a> </td> <td class="nowrap"> <a href="/datasources/DS0024">Windows Registry</a> </td>  <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification">Windows Registry Key Modification</a> </td> <td> Monitor for changes made to windows registry keys or values for unexpected modifications </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <a rel="nofollow" class="external text" name="scite-1" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-2" href="http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf" target="_blank"> Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-3" href="https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954" target="_blank"> Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-4" href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank"> Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 </a> </li> <li> <a rel="nofollow" class="external text" name="scite-5" href="https://nsarchive.gwu.edu/sites/default/files/documents/3891751/SANS-and-Electricity-Information-Sharing-and.pdf" target="_blank"> Electricity Information Sharing and Analysis Center; SANS Industrial Control Systems. (2016, March 18). Analysis of the Cyber Attack on the Ukranian Power Grid: Defense Use Case. Retrieved March 27, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-6" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-7" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-8" href="https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html" target="_blank"> Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-9" href="https://www.digitrustgroup.com/agent-tesla-keylogger/" target="_blank"> The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html" target="_blank"> Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-11" href="https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" target="_blank"> Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-12" href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank"> Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-13" href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank"> Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-14" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-15" href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank"> KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-16" href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank"> Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-17" href="https://www.justice.gov/file/1080281/download" target="_blank"> Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-18" href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank"> Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-19" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-20" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-21" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank"> FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-22" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank"> Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-23" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-24" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-25" href="https://web.archive.org/web/20220122121143/https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf" target="_blank"> FireEye. (2015, March). SOUTHEAST ASIA: AN EVOLVING CYBER THREAT LANDSCAPE. Retrieved February 5, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-26" href="https://www.mandiant.com/resources/insights/apt-groups" target="_blank"> Mandiant. (n.d.). Advanced Persistent Threats (APTs). Retrieved February 14, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-27" href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-28" href="https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/blob/master/README.md" target="_blank"> Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-29" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-30" href="https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/" target="_blank"> Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-31" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-32" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank"> Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-33" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-34" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank"> Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-35" href="https://www.blackhat.com/docs/us-16/materials/us-16-Quintin-When-Governments-Attack-State-Sponsored-Malware-Attacks-Against-Activists-Lawyers-And-Journalists.pdf" target="_blank"> Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-36" href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-37" href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank"> Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-38" href="https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" target="_blank"> Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-39" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-40" href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank"> Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-41" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-42" href="https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" target="_blank"> Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-43" href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank"> Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-44" href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank"> Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-45" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-46" href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank"> Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-47" href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank"> Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-48" href="https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" target="_blank"> Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-49" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-50" href="https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" target="_blank"> Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-51" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-52" href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank"> Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-53" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-54" href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank"> N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-55" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-56" href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank"> Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-57" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank"> TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-58" href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank"> Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-59" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-60" href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank"> Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-61" href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank"> Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-62" href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank"> Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-63" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-64" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-65" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-66" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank"> Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-67" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-68" href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank"> Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-69" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-70" href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank"> ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-71" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-72" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-73" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-74" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank"> Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-75" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-76" href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank"> Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-77" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-78" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank"> Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-79" href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank"> Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-80" href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank"> Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-81" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-82" href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank"> Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-83" href="http://blog.trendmicro.com/trendlabs-security-intelligence/kunming-attack-leads-to-gh0st-rat-variant/" target="_blank"> Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-84" href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank"> Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-85" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-86" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-87" href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank"> Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-88" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-89" href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank"> SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 </a> </li> <li> <a rel="nofollow" class="external text" name="scite-90" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-91" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-92" href="https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/" target="_blank"> Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-93" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-94" href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank"> Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-95" href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank"> Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-96" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank"> Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-97" href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank"> Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-98" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-99" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-100" href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank"> Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-101" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </li> </ol> </div> <div class="col"> <ol start="102.0"> <li> <a rel="nofollow" class="external text" name="scite-102" href="https://blog.alyac.co.kr/2234" target="_blank"> Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-103" href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank"> Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-104" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-105" href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank"> ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-106" href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank"> Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-107" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-108" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-109" href="https://web.archive.org/web/20220425194457/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Tools-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-110" href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank"> Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-111" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-112" href="https://securelist.com/el-machete/66108/" target="_blank"> Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-113" href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank"> The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-114" href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank"> kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-115" href="https://objective-see.org/blog/blog_0x69.html" target="_blank"> Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-116" href="https://www.sentinelone.com/labs/infect-if-needed-a-deeper-dive-into-targeted-backdoor-macos-macma/" target="_blank"> Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-117" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-118" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-119" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-120" href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank"> ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-121" href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank"> Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-122" href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank"> US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-123" href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank"> Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-124" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-125" href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank"> Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-126" href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"> ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-127" href="https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" target="_blank"> Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-128" href="https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot" target="_blank"> Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-129" href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-130" href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank"> ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-131" href="https://www.metabaseq.com/mispadu-banking-trojan/" target="_blank"> Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-132" href="https://blog.scilabs.mx/en/evolution-of-banking-trojan-ursa-mispadu/" target="_blank"> SCILabs. (2023, May 23). Evolution of banking trojan URSA/Mispadu. Retrieved March 13, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-133" href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-134" href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank"> Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-135" href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-136" href="http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-137" href="https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" target="_blank"> McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-138" href="https://www.brighttalk.com/webcast/10703/275683" target="_blank"> Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-139" href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank"> Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-140" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-141" href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank"> Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-142" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-143" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-144" href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank"> Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-145" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-146" href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank"> Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-147" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-148" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-149" href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank"> Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-150" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-151" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf" target="_blank"> FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-152" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-153" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-154" href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank"> Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-155" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-156" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-157" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-158" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-159" href="https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks" target="_blank"> Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-160" href="https://success.trendmicro.com/solution/000283381" target="_blank"> Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-161" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-162" href="https://github.com/quasar/QuasarRAT" target="_blank"> MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-163" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank"> Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-164" href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank"> Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-165" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-166" href="https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" target="_blank"> Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-167" href="https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html" target="_blank"> Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-168" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-169" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" target="_blank"> Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-170" href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-171" href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank"> Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-172" href="https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" target="_blank"> Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-173" href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-174" href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank"> Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-175" href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank"> Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-176" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-177" href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank"> Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-178" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-179" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-180" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-181" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-182" href="https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html" target="_blank"> FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-183" href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank"> FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-184" href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank"> Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-185" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-186" href="https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards" target="_blank"> Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-187" href="https://securelist.com/project-tajmahal/90240/" target="_blank"> GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-188" href="https://www.trendmicro.com/en_us/research/20/g/updates-on-quickly-evolving-thiefquest-macos-malware.html" target="_blank"> Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-189" href="https://thehackernews.com/2018/06/chinese-watering-hole-attack.html" target="_blank"> Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-190" href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank"> Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-191" href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank"> Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-192" href="https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf" target="_blank"> Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-193" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-194" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-195" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-196" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-197" href="https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique" target="_blank"> Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-198" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank"> Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-199" href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank"> Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-200" href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank"> Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. </a> </li> <li> <a rel="nofollow" class="external text" name="scite-201" href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank"> Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. </a> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div>   <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner">  <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div>  <div id="search-body" class="search-body"> <div class="results" id="search-results">  </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1">  <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a> </div> <div class="px-3 col-footer"> <a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a> </div> <div class="px-3 col-footer"> <a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a> </div> <div class="px-3"> <a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v16.1Website v4.2.1">Website Changelog</a> </div> </div> <div class="row"> © 2015 - 2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div>  </div>  <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script>  <script src="/theme/scripts/resizer.js"></script>  <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>

CINXE.COM

Input Capture: Keylogging, Sub-technique T1056.001 - Enterprise | MITRE ATT&CK®