<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Ingress Tool Transfer, Technique T1105 - Enterprise | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/vendors/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/vendors/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/vendors/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/vendors/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/vendors/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/vendors/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" href="/theme/style-attack.css"/> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul 
src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Ingress Tool Transfer</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Ingress Tool Transfer </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may transfer tools or other files from an external 
system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as <a href="/software/S0095">ftp</a>. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. <a href="/techniques/T1570">Lateral Tool Transfer</a>). </p><p>On Windows, adversaries may use various utilities to download tools, such as <code>copy</code>, <code>finger</code>, <a href="/software/S0160">certutil</a>, and <a href="/techniques/T1059/001">PowerShell</a> commands such as <code>IEX(New-Object Net.WebClient).downloadString()</code> and <code>Invoke-WebRequest</code>. On Linux and macOS systems, a variety of utilities also exist, such as <code>curl</code>, <code>scp</code>, <code>sftp</code>, <code>tftp</code>, <code>rsync</code>, <code>finger</code>, and <code>wget</code>.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022." data-reference="t1105_lolbas"><sup><a href="https://lolbas-project.github.io/#t1105" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p>Adversaries may also abuse installers and package managers, such as <code>yum</code> or <code>winget</code>, to download tools to victim hosts. Adversaries have also abused file application features, such as the Windows <code>search-ms</code> protocol handler, to deliver malicious files to victims through remote file searches invoked by <a href="/techniques/T1204">User Execution</a> (typically after interacting with <a href="/techniques/T1566">Phishing</a> lures).<span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title=" Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the &quot;search-ms&quot; URI Protocol Handler. 
Retrieved March 15, 2024." data-reference="T1105: Trellix_search-ms"><sup><a href="https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p><p>Files can also be transferred using various <a href="/techniques/T1102">Web Service</a>s as well as native or otherwise present tools on the victim system.<span onclick="scrollToRef('scite-3')" id="scite-ref-3-a" class="scite-citeref-number" title="Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018." data-reference="PTSecurity Cobalt Dec 2016"><sup><a href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.<span onclick="scrollToRef('scite-4')" id="scite-ref-4-a" class="scite-citeref-number" title="David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. 
Retrieved May 31, 2023."data-reference="Dropbox Malware Sync"><sup><a href="https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1105 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0011">Command and Control</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Alain Homewood; Jeremy Hedges; Joe Wise; John Page (aka hyp3rlinx), ApparitionSec; Mark Wee; Selena Larson, @selenalarson; Shailesh Tiwary (Indian Army); The DFIR Report </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div 
class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>2.4 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>11 April 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1105" href="/versions/v16/techniques/T1105/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1105" href="/versions/v16/techniques/T1105/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0028"> C0028 </a> </td> <td> <a href="/campaigns/C0028"> 2015 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0028">2015 Ukraine Electric Power Attack</a>, <a href="/groups/G0034">Sandworm Team</a> pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Booz Allen Hamilton When The Lights Went Out Retrieved. 
2019/10/22 "data-reference="Booz Allen Hamilton"><sup><a href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0469"> S0469 </a> </td> <td> <a href="/software/S0469"> ABK </a> </td> <td> <p><a href="/software/S0469">ABK</a> has the ability to download files from C2.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1028"> S1028 </a> </td> <td> <a href="/software/S1028"> Action RAT </a> </td> <td> <p><a href="/software/S1028">Action RAT</a> has the ability to download additional payloads onto an infected machine.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. 
Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0331"> S0331 </a> </td> <td> <a href="/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/software/S0331">Agent Tesla</a> can download additional files for execution on the victim’s machine.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018."data-reference="Talos Agent Tesla Oct 2018"><sup><a href="https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."data-reference="DigiTrust Agent Tesla Jan 2017"><sup><a href="https://www.digitrustgroup.com/agent-tesla-keylogger/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0092"> S0092 </a> </td> <td> <a href="/software/S0092"> Agent.btz </a> </td> <td> <p><a href="/software/S0092">Agent.btz</a> attempts to download an encrypted binary from a specified domain.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. 
Retrieved April 8, 2016."data-reference="ThreatExpert Agent.btz"><sup><a href="http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0130"> G0130 </a> </td> <td> <a href="/groups/G0130"> Ajax Security Team </a> </td> <td> <p><a href="/groups/G0130">Ajax Security Team</a> has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."data-reference="Check Point Rocket Kitten"><sup><a href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1025"> S1025 </a> </td> <td> <a href="/software/S1025"> Amadey </a> </td> <td> <p><a href="/software/S1025">Amadey</a> can download and execute files to further infect a host machine with additional malware.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022."data-reference="BlackBerry Amadey 2020"><sup><a href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0504"> S0504 </a> </td> <td> <a href="/software/S0504"> Anchor </a> </td> <td> <p><a href="/software/S0504">Anchor</a> can download additional payloads.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). 
DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019"><sup><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020."data-reference="Medium Anchor DNS July 2020"><sup><a href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0138"> G0138 </a> </td> <td> <a href="/groups/G0138"> Andariel </a> </td> <td> <p><a href="/groups/G0138">Andariel</a> has downloaded additional tools and malware onto compromised hosts.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021."data-reference="AhnLab Andariel Subgroup of Lazarus June 2018"><sup><a href="https://web.archive.org/web/20230213154832/http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1074"> S1074 </a> </td> <td> <a href="/software/S1074"> ANDROMEDA </a> </td> <td> <p><a href="/software/S1074">ANDROMEDA</a> can download additional payloads from C2.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. 
Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023"><sup><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0099"> G0099 </a> </td> <td> <a href="/groups/G0099"> APT-C-36 </a> </td> <td> <p><a href="/groups/G0099">APT-C-36</a> has downloaded binary data from a specified domain after the malicious document is opened.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."data-reference="QiAnXin APT-C-36 Feb2019"><sup><a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0026"> G0026 </a> </td> <td> <a href="/groups/G0026"> APT18 </a> </td> <td> <p><a href="/groups/G0026">APT18</a> can upload a file to the victim’s machine.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. 
Retrieved November 15, 2018."data-reference="PaloAlto DNS Requests May 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0016"> G0016 </a> </td> <td> <a href="/groups/G0016"> APT29 </a> </td> <td> <p><a href="/groups/G0016">APT29</a> has downloaded additional tools and malware onto compromised networks.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p><a href="/groups/G0022">APT3</a> has a tool that can copy files to remote machines.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. 
Retrieved January 14, 2016."data-reference="FireEye Clandestine Fox"><sup><a href="https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <p><a href="/groups/G0050">APT32</a> has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017."data-reference="Volexity OceanLotus Nov 2017"><sup><a href="https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0064"> G0064 </a> </td> <td> <a href="/groups/G0064"> APT33 </a> </td> <td> <p><a href="/groups/G0064">APT33</a> has downloaded additional files and programs from its C2 server.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. 
Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."data-reference="Microsoft Holmium June 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0067"> G0067 </a> </td> <td> <a href="/groups/G0067"> APT37 </a> </td> <td> <p><a href="/groups/G0067">APT37</a> has downloaded second stage malware from compromised websites.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019."data-reference="Securelist ScarCruft May 2019"><sup><a href="https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. 
(2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021."data-reference="Volexity InkySquid BLUELIGHT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."data-reference="Volexity InkySquid RokRAT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0082"> G0082 </a> </td> <td> <a href="/groups/G0082"> APT38 </a> </td> <td> <p><a href="/groups/G0082">APT38</a> used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018."data-reference="FireEye APT38 Oct 2018"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0087"> G0087 </a> </td> <td> <a href="/groups/G0087"> APT39 </a> </td> <td> <p><a href="/groups/G0087">APT39</a> has downloaded tools to compromised hosts.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. 
Retrieved May 22, 2020."data-reference="Symantec Chafer February 2018"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020."data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> used <a href="/software/S0160">certutil</a> to download additional files.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."data-reference="FireEye APT41 March 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Crowdstrike. (2020, March 2). 2020 Global Threat Report. 
Retrieved December 11, 2020."data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021"><sup><a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span> <a href="/groups/G0096">APT41</a> downloaded post-exploitation tools such as <a href="/software/S0154">Cobalt Strike</a> via command shell following initial access.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024."data-reference="Rostovcev APT41 2021"><sup><a href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span> <a href="/groups/G0096">APT41</a> has uploaded Procdump and NATBypass to a staging directory and has used these tools in follow-on activities.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. 
Retrieved June 13, 2024."data-reference="apt41_dcsocytec_dec2022"><sup><a href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0040"> C0040 </a> </td> <td> <a href="/campaigns/C0040"> APT41 DUST </a> </td> <td> <p><a href="https://attack.mitre.org/campaigns/C0040">APT41 DUST</a> involved execution of <code>certutil.exe</code> via web shell to download the <a href="/software/S1158">DUSTPAN</a> dropper.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0143"> G0143 </a> </td> <td> <a href="/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/groups/G0143">Aquatic Panda</a> has downloaded additional malware onto compromised hosts.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. 
Retrieved January 18, 2022."data-reference="CrowdStrike AQUATIC PANDA December 2021"><sup><a href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0456"> S0456 </a> </td> <td> <a href="/software/S0456"> Aria-body </a> </td> <td> <p><a href="/software/S0456">Aria-body</a> has the ability to download additional payloads from C2.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0373"> S0373 </a> </td> <td> <a href="/software/S0373"> Astaroth </a> </td> <td> <p><a href="/software/S0373">Astaroth</a> uses <a href="/software/S0160">certutil</a> and <a href="/software/S0190">BITSAdmin</a> to download additional malware. <span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024."data-reference="Cofense Astaroth Sept 2018"><sup><a href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. 
Retrieved April 17, 2019."data-reference="Cybereason Astaroth Feb 2019"><sup><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020"><sup><a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1087"> S1087 </a> </td> <td> <a href="/software/S1087"> AsyncRAT </a> </td> <td> <p><a href="/software/S1087">AsyncRAT</a> has the ability to download files over SFTP.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023."data-reference="AsyncRAT GitHub"><sup><a href="https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/blob/master/README.md" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0438"> S0438 </a> </td> <td> <a href="/software/S0438"> Attor </a> </td> <td> <p><a href="/software/S0438">Attor</a> can download additional plugins, updates and other files. <span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. 
Retrieved May 6, 2020."data-reference="ESET Attor Oct 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0347"> S0347 </a> </td> <td> <a href="/software/S0347"> AuditCred </a> </td> <td> <p><a href="/software/S0347">AuditCred</a> can download files and additional malware.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018."data-reference="TrendMicro Lazarus Nov 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0473"> S0473 </a> </td> <td> <a href="/software/S0473"> Avenger </a> </td> <td> <p><a href="/software/S0473">Avenger</a> has the ability to download files from C2 to a compromised host.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0344"> S0344 </a> </td> <td> <a href="/software/S0344"> Azorult </a> </td> <td> <p><a href="/software/S0344">Azorult</a> can download and execute additional files. 
<a href="/software/S0344">Azorult</a> has also downloaded a ransomware payload called Hermes.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018."data-reference="Unit42 Azorult Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span><span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018."data-reference="Proofpoint Azorult July 2018"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0414"> S0414 </a> </td> <td> <a href="/software/S0414"> BabyShark </a> </td> <td> <p><a href="/software/S0414">BabyShark</a> has downloaded additional files from the C2.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019."data-reference="Unit42 BabyShark Apr 2019"><sup><a href="https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). 
Alert AA20-301A: North Korean Advanced Persistent Threat Focus: Kimsuky. Retrieved November 4, 2020.
Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0135"> G0135 </a> </td> <td> <a href="/groups/G0135"> BackdoorDiplomacy </a> </td> <td> <p><a href="/groups/G0135">BackdoorDiplomacy</a> has downloaded additional files and tools onto a compromised host.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021"data-reference="ESET BackdoorDiplomacy Jun 2021"><sup><a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0642"> S0642 </a> </td> <td> <a href="/software/S0642"> BADFLICK </a> </td> <td> <p><a href="/software/S0642">BADFLICK</a> has download files from its C2 server.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021."data-reference="Accenture MUDCARP March 2019"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1081"> S1081 </a> </td> <td> <a href="/software/S1081"> BADHATCH </a> </td> <td> <p><a href="/software/S1081">BADHATCH</a> has the ability to load a second stage malicious DLL file onto a compromised machine.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Savelesky, K., et al. (2019, July 23). 
ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021."data-reference="Gigamon BADHATCH Jul 2019"><sup><a href="https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0128"> S0128 </a> </td> <td> <a href="/software/S0128"> BADNEWS </a> </td> <td> <p><a href="/software/S0128">BADNEWS</a> is capable of downloading additional files through C2 channels, including a new version of itself.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018."data-reference="PaloAlto Patchwork Mar 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span><span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. 
Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0337"> S0337 </a> </td> <td> <a href="/software/S0337"> BadPatch </a> </td> <td> <p><a href="/software/S0337">BadPatch</a> can download and execute or update malware.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018."data-reference="Unit 42 BadPatch Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0234"> S0234 </a> </td> <td> <a href="/software/S0234"> Bandook </a> </td> <td> <p><a href="/software/S0234">Bandook</a> can download files to the system.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021."data-reference="CheckPoint Bandook Nov 2020"><sup><a href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0239"> S0239 </a> </td> <td> <a href="/software/S0239"> Bankshot </a> </td> <td> <p><a href="/software/S0239">Bankshot</a> uploads files and secondary payloads to the victim's machine.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. 
Retrieved July 17, 2018."data-reference="US-CERT Bankshot Dec 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0534"> S0534 </a> </td> <td> <a href="/software/S0534"> Bazar </a> </td> <td> <p><a href="/software/S0534">Bazar</a> can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as <a href="/software/S0154">Cobalt Strike</a>.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span><span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020."data-reference="Zscaler Bazar September 2020"><sup><a href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. 
Retrieved December 1, 2020."data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021."data-reference="CrowdStrike Wizard Spider October 2020"><sup><a href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0470"> S0470 </a> </td> <td> <a href="/software/S0470"> BBK </a> </td> <td> <p><a href="/software/S0470">BBK</a> has the ability to download files from C2 to the infected host.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0574"> S0574 </a> </td> <td> <a href="/software/S0574"> BendyBear </a> </td> <td> <p><a href="/software/S0574">BendyBear</a> is designed to download an implant from a C2 server.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. 
Retrieved February 16, 2021."data-reference="Unit42 BendyBear Feb 2021"><sup><a href="https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0017"> S0017 </a> </td> <td> <a href="/software/S0017"> BISCUIT </a> </td> <td> <p><a href="/software/S0017">BISCUIT</a> has a command to download a file from the C2 server.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016."data-reference="Mandiant APT1 Appendix"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0268"> S0268 </a> </td> <td> <a href="/software/S0268"> Bisonal </a> </td> <td> <p><a href="/software/S0268">Bisonal</a> has the capability to download files to execute on the victim’s machine.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018."data-reference="Unit 42 Bisonal July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. 
Retrieved May 5, 2021."data-reference="Kaspersky CactusPete Aug 2020"><sup><a href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020"><sup><a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0190"> S0190 </a> </td> <td> <a href="/software/S0190"> BITSAdmin </a> </td> <td> <p><a href="/software/S0190">BITSAdmin</a> can be used to create <a href="/techniques/T1197">BITS Jobs</a> to upload and/or download files.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018."data-reference="Microsoft BITSAdmin"><sup><a href="https://msdn.microsoft.com/library/aa362813.aspx" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1002"> G1002 </a> </td> <td> <a href="/groups/G1002"> BITTER </a> </td> <td> <p><a href="/groups/G1002">BITTER</a> has downloaded additional malware and tools onto a compromised host.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. 
Retrieved June 1, 2022."data-reference="Cisco Talos Bitter Bangladesh May 2022"><sup><a href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span><span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022."data-reference="Forcepoint BITTER Pakistan Oct 2016"><sup><a href="https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0564"> S0564 </a> </td> <td> <a href="/software/S0564"> BlackMould </a> </td> <td> <p><a href="/software/S0564">BlackMould</a> has the ability to download files to the victim's machine.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021."data-reference="Microsoft GALLIUM December 2019"><sup><a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0520"> S0520 </a> </td> <td> <a href="/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/software/S0520">BLINDINGCAN</a> has downloaded files to a victim machine.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. 
Retrieved August 19, 2020."data-reference="US-CERT BLINDINGCAN Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0657"> S0657 </a> </td> <td> <a href="/software/S0657"> BLUELIGHT </a> </td> <td> <p><a href="/software/S0657">BLUELIGHT</a> can download additional files onto the host.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021."data-reference="Volexity InkySquid BLUELIGHT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0486"> S0486 </a> </td> <td> <a href="/software/S0486"> Bonadan </a> </td> <td> <p><a href="/software/S0486">Bonadan</a> can download additional modules from the C2 server.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. 
Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0360"> S0360 </a> </td> <td> <a href="/software/S0360"> BONDUPDATER </a> </td> <td> <p><a href="/software/S0360">BONDUPDATER</a> can download or upload files from its C2 server.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019."data-reference="Palo Alto OilRig Sep 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0635"> S0635 </a> </td> <td> <a href="/software/S0635"> BoomBox </a> </td> <td> <p><a href="/software/S0635">BoomBox</a> has the ability to download next stage malware components to a compromised system.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0651"> S0651 </a> </td> <td> <a href="/software/S0651"> BoxCaon </a> </td> <td> <p><a href="/software/S0651">BoxCaon</a> can download files.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). 
IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021"><sup><a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0204"> S0204 </a> </td> <td> <a href="/software/S0204"> Briba </a> </td> <td> <p><a href="/software/S0204">Briba</a> downloads files onto infected hosts.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018."data-reference="Symantec Briba May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0060"> G0060 </a> </td> <td> <a href="/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/groups/G0060">BRONZE BUTLER</a> has used various tools to download files, including DGet (a similar tool to wget).<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1063"> S1063 </a> </td> <td> <a href="/software/S1063"> Brute Ratel C4 </a> </td> <td> <p><a href="/software/S1063">Brute Ratel C4</a> can download files to compromised hosts.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Harbison, M. and Renals, P. 
(2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023."data-reference="Palo Alto Brute Ratel July 2022"><sup><a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span><span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Elkins, T. (2024, July 24). Malware Campaign Lures Users With Fake W2 Form. Retrieved September 13, 2024."data-reference="Rapid7 Fake W2 July 2024"><sup><a href="https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0471"> S0471 </a> </td> <td> <a href="/software/S0471"> build_downer </a> </td> <td> <p><a href="/software/S0471">build_downer</a> has the ability to download files from C2 to the infected host.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1039"> S1039 </a> </td> <td> <a href="/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/software/S1039">Bumblebee</a> can download and execute additional payloads including through the use of a <code>Dex</code> command.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. 
Retrieved August 18, 2022."data-reference="Google EXOTIC LILY March 2022"><sup><a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022."data-reference="Proofpoint Bumblebee April 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span><span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022."data-reference="Symantec Bumblebee June 2022"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0482"> S0482 </a> </td> <td> <a href="/software/S0482"> Bundlore </a> </td> <td> <p><a href="/software/S0482">Bundlore</a> can download and execute new versions of itself.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. 
Retrieved June 30, 2020."data-reference="MacKeeper Bundlore Apr 2019"><sup><a href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1118"> S1118 </a> </td> <td> <a href="/software/S1118"> BUSHWALK </a> </td> <td> <p><a href="/software/S1118">BUSHWALK</a> can write malicious payloads sent through a web request’s command parameter.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024."data-reference="Mandiant Cutting Edge Part 2 January 2024"><sup><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span><span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024."data-reference="Mandiant Cutting Edge Part 3 February 2024"><sup><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0010"> C0010 </a> </td> <td> <a href="/campaigns/C0010"> C0010 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0010">C0010</a>, UNC3890 actors downloaded tools and malware onto a compromised host.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. 
Retrieved September 21, 2022."data-reference="Mandiant UNC3890 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0015">C0015</a>, the threat actors downloaded additional tools and files onto a compromised network.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021"><sup><a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/groups/G0096">APT41</a> downloaded malicious payloads onto compromised systems.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. 
Retrieved July 8, 2022."data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0018">C0018</a>, the threat actors downloaded additional tools, such as <a href="/software/S0002">Mimikatz</a> and <a href="/software/S0633">Sliver</a>, as well as <a href="/software/S0154">Cobalt Strike</a> and <a href="/software/S1053">AvosLocker</a> ransomware onto the victim network.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023."data-reference="Cisco Talos Avos Jun 2022"><sup><a href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span><span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023."data-reference="Costa AvosLocker May 2022"><sup><a href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0021"> C0021 </a> </td> <td> <a href="/campaigns/C0021"> C0021 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0021">C0021</a>, the threat actors downloaded additional tools and files onto victim machines.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Microsoft Defender Research Team. (2018, December 3). 
Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019."data-reference="Microsoft Unidentified Dec 2018"><sup><a href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018."data-reference="FireEye APT29 Nov 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0026"> C0026 </a> </td> <td> <a href="/campaigns/C0026"> C0026 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0026">C0026</a>, the threat actors downloaded malicious payloads onto select compromised hosts.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. 
Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023"><sup><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0027"> C0027 </a> </td> <td> <a href="/campaigns/C0027"> C0027 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0027">C0027</a>, <a href="/groups/G1015">Scattered Spider</a> downloaded tools using victim organization systems.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023."data-reference="Crowdstrike TELCO BPO Campaign December 2022"><sup><a href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0274"> S0274 </a> </td> <td> <a href="/software/S0274"> Calisto </a> </td> <td> <p><a href="/software/S0274">Calisto</a> has the capability to upload and download files to the victim's machine.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Pantig, J. (2018, July 30). OSX.Calisto. 
Retrieved September 7, 2018."data-reference="Symantec Calisto July 2018"><sup><a href="https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0077"> S0077 </a> </td> <td> <a href="/software/S0077"> CallMe </a> </td> <td> <p><a href="/software/S0077">CallMe</a> has the capability to download a file to the victim from the C2 server.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016."data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0351"> S0351 </a> </td> <td> <a href="/software/S0351"> Cannon </a> </td> <td> <p><a href="/software/S0351">Cannon</a> can download a payload for execution.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0484"> S0484 </a> </td> <td> <a href="/software/S0484"> Carberp </a> </td> <td> <p><a href="/software/S0484">Carberp</a> can download and execute new plugins from the C2 server. 
<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024."data-reference="Prevx Carberp March 2011"><sup><a href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span><span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020."data-reference="Trusteer Carberp October 2010"><sup><a href="https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0348"> S0348 </a> </td> <td> <a href="/software/S0348"> Cardinal RAT </a> </td> <td> <p><a href="/software/S0348">Cardinal RAT</a> can download and execute additional payloads.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018."data-reference="PaloAlto CardinalRat Apr 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0465"> S0465 </a> </td> <td> <a href="/software/S0465"> CARROTBALL </a> </td> <td> <p><a href="/software/S0465">CARROTBALL</a> has the ability to download and install a remote payload.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="McCabe, A. 
(2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020."data-reference="Unit 42 CARROTBAT January 2020"><sup><a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0462"> S0462 </a> </td> <td> <a href="/software/S0462"> CARROTBAT </a> </td> <td> <p><a href="/software/S0462">CARROTBAT</a> has the ability to download and execute a remote file via <a href="/software/S0160">certutil</a>.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."data-reference="Unit 42 CARROTBAT November 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0572"> S0572 </a> </td> <td> <a href="/software/S0572"> Caterpillar WebShell </a> </td> <td> <p><a href="/software/S0572">Caterpillar WebShell</a> has a module to download and upload files to the system.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, January). "Lebanese Cedar" APT Global Lebanese Espionage Campaign Leveraging Web Servers. 
Retrieved February 10, 2021."data-reference="ClearSky Lebanese Cedar Jan 2021"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0160"> S0160 </a> </td> <td> <a href="/software/S0160"> certutil </a> </td> <td> <p><a href="/software/S0160">certutil</a>, a built-in Windows utility, can be abused to download files from a given URL; because it is a legitimate system binary, this is a living-off-the-land technique catalogued by LOLBAS rather than custom malware.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017."data-reference="TechNet Certutil"><sup><a href="https://technet.microsoft.com/library/cc732443.aspx" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span><span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019."data-reference="LOLBAS Certutil"><sup><a href="https://lolbas-project.github.io/lolbas/Binaries/Certutil/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0631"> S0631 </a> </td> <td> <a href="/software/S0631"> Chaes </a> </td> <td> <p><a href="/software/S0631">Chaes</a> can download additional files onto an infected machine.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. 
Retrieved June 30, 2021."data-reference="Cybereason Chaes Nov 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0674"> S0674 </a> </td> <td> <a href="/software/S0674"> CharmPower </a> </td> <td> <p><a href="/software/S0674">CharmPower</a> has the ability to download additional modules to a compromised host.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0144"> S0144 </a> </td> <td> <a href="/software/S0144"> ChChes </a> </td> <td> <p><a href="/software/S0144">ChChes</a> is capable of downloading files, including additional modules.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017."data-reference="Palo Alto menuPass Feb 2017"><sup><a href="http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span><span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Nakamura, Y. (2017, February 17). 
ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017."data-reference="JPCERT ChChes Feb 2017"><sup><a href="http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span><span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017."data-reference="FireEye APT10 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0114"> G0114 </a> </td> <td> <a href="/groups/G0114"> Chimera </a> </td> <td> <p><a href="/groups/G0114">Chimera</a> has remotely copied tools and malware onto targeted systems.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1149"> S1149 </a> </td> <td> <a href="/software/S1149"> CHIMNEYSWEEP </a> </td> <td> <p><a href="/software/S1149">CHIMNEYSWEEP</a> can download additional files from C2.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. 
Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0020"> S0020 </a> </td> <td> <a href="/software/S0020"> China Chopper </a> </td> <td> <p><a href="/software/S0020">China Chopper</a>'s server component can download remote files.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."data-reference="FireEye Periscope March 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span><span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015."data-reference="Lee 2013"><sup><a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span><span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). 
Joint report on publicly available hacking tools. Retrieved March 11, 2019."data-reference="NCSC Joint Report Public Tools"><sup><a href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span><span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022."data-reference="Rapid7 HAFNIUM Mar 2021"><sup><a href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span><span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022"><sup><a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0023"> S0023 </a> </td> <td> <a href="/software/S0023"> CHOPSTICK </a> </td> <td> <p><a href="/software/S0023">CHOPSTICK</a> is capable of performing remote file transmission.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. 
Retrieved August 3, 2016."data-reference="Crowdstrike DNC June 2016"><sup><a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0667"> S0667 </a> </td> <td> <a href="/software/S0667"> Chrommme </a> </td> <td> <p><a href="/software/S0667">Chrommme</a> can download its code from C2.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1021"> G1021 </a> </td> <td> <a href="/groups/G1021"> Cinnamon Tempest </a> </td> <td> <p><a href="/groups/G1021">Cinnamon Tempest</a> has downloaded files, including <a href="/software/S0154">Cobalt Strike</a>, to compromised hosts.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023."data-reference="Sygnia Emperor Dragonfly October 2022"><sup><a href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0054"> S0054 </a> </td> <td> <a href="/software/S0054"> CloudDuke </a> </td> <td> <p><a href="/software/S0054">CloudDuke</a> downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="F-Secure Labs. 
(2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0106"> S0106 </a> </td> <td> <a href="/software/S0106"> cmd </a> </td> <td> <p><a href="/software/S0106">cmd</a> can be used to copy files to/from a remotely connected external system.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="Microsoft. (n.d.). Copy. Retrieved April 26, 2016."data-reference="TechNet Copy"><sup><a href="https://technet.microsoft.com/en-us/library/bb490886.aspx" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0080"> G0080 </a> </td> <td> <a href="/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/groups/G0080">Cobalt Group</a> has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018."data-reference="PTSecurity Cobalt Group Aug 2017"><sup><a href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Positive Technologies. (2016, December 16). Cobalt Snatch. 
Retrieved October 9, 2018."data-reference="PTSecurity Cobalt Dec 2016"><sup><a href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> The group's JavaScript backdoor is also capable of downloading files.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018."data-reference="Morphisec Cobalt Gang Oct 2018"><sup><a href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0154"> S0154 </a> </td> <td> <a href="/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/software/S0154">Cobalt Strike</a> can deliver additional payloads to victim machines.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024."data-reference="Talos Cobalt Strike September 2020"><sup><a href="https://web.archive.org/web/20210219195905/https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span><span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. 
Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020"><sup><a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0369"> S0369 </a> </td> <td> <a href="/software/S0369"> CoinTicker </a> </td> <td> <p><a href="/software/S0369">CoinTicker</a> executes a Python script to download its second stage.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019."data-reference="CoinTicker 2019"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0608"> S0608 </a> </td> <td> <a href="/software/S0608"> Conficker </a> </td> <td> <p><a href="/software/S0608">Conficker</a> downloads an HTTP server to the infected machine.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021."data-reference="SANS Conficker"><sup><a href="https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0142"> G0142 </a> </td> <td> <a href="/groups/G0142"> Confucius </a> </td> <td> <p><a href="/groups/G0142">Confucius</a> has downloaded additional files and payloads onto a compromised host following initial access.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Uptycs Threat Research Team. (2021, January 12). 
Confucius APT deploys Warzone RAT. Retrieved December 17, 2021."data-reference="Uptycs Confucius APT Jan 2021"><sup><a href="https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span><span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021."data-reference="TrendMicro Confucius APT Aug 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0492"> S0492 </a> </td> <td> <a href="/software/S0492"> CookieMiner </a> </td> <td> <p><a href="/software/S0492">CookieMiner</a> can download additional scripts from a web server.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020."data-reference="Unit42 CookieMiner Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0137"> S0137 </a> </td> <td> <a href="/software/S0137"> CORESHELL </a> </td> <td> <p><a href="/software/S0137">CORESHELL</a> downloads another dropper from its C2 server.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0614"> S0614 </a> </td> <td> <a href="/software/S0614"> CostaBricks </a> </td> <td> <p><a href="/software/S0614">CostaBricks</a> has been used to load <a href="/software/S0615">SombRAT</a> onto a compromised host.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0004"> C0004 </a> </td> <td> <a href="/campaigns/C0004"> CostaRicto </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0004">CostaRicto</a>, the threat actors downloaded malware and tools onto a compromised host.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1023"> S1023 </a> </td> <td> <a href="/software/S1023"> CreepyDrive </a> </td> <td> <p><a href="/software/S1023">CreepyDrive</a> can download files to the compromised host.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022."data-reference="Microsoft POLONIUM June 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <p><a href="/software/S0115">Crimson</a> contains a command to retrieve files from its C2 server.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016"><sup><a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span><span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. 
Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020"><sup><a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span><span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022."data-reference="Cisco Talos Transparent Tribe Education Campaign July 2022"><sup><a href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0498"> S0498 </a> </td> <td> <a href="/software/S0498"> Cryptoistic </a> </td> <td> <p><a href="/software/S0498">Cryptoistic</a> has the ability to send and receive files.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020."data-reference="SentinelOne Lazarus macOS July 2020"><sup><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0527"> S0527 </a> </td> <td> <a href="/software/S0527"> CSPY Downloader </a> </td> <td> <p><a href="/software/S0527">CSPY Downloader</a> can download additional tools to a compromised host.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. 
Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0625"> S0625 </a> </td> <td> <a href="/software/S0625"> Cuba </a> </td> <td> <p><a href="/software/S0625">Cuba</a> can download files from its C2 server.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0029"> C0029 </a> </td> <td> <a href="/campaigns/C0029"> Cutting Edge </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a>, threat actors leveraged exploits to download remote files to Ivanti Connect Secure VPNs.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. 
Retrieved February 27, 2024."data-reference="Volexity Ivanti Zero-Day Exploitation January 2024"><sup><a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0687"> S0687 </a> </td> <td> <a href="/software/S0687"> Cyclops Blink </a> </td> <td> <p><a href="/software/S0687">Cyclops Blink</a> has the ability to download files to target systems.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022."data-reference="NCSC Cyclops Blink February 2022"><sup><a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span><span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022."data-reference="Trend Micro Cyclops Blink March 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0497"> S0497 </a> </td> <td> <a href="/software/S0497"> Dacls </a> </td> <td> <p><a href="/software/S0497">Dacls</a> can download its payload from a C2 server.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. 
Retrieved August 7, 2020."data-reference="SentinelOne Lazarus macOS July 2020"><sup><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span><span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020."data-reference="TrendMicro macOS Dacls May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1034"> G1034 </a> </td> <td> <a href="/groups/G1034"> Daggerfly </a> </td> <td> <p><a href="/groups/G1034">Daggerfly</a> has used PowerShell and <a href="/software/S0190">BITSAdmin</a> to retrieve follow-on payloads from external locations for execution on victim machines.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024."data-reference="Symantec Daggerfly 2023"><sup><a href="https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1014"> S1014 </a> </td> <td> <a href="/software/S1014"> DanBot </a> </td> <td> <p><a href="/software/S1014">DanBot</a> can download additional files to a targeted system.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 
2019/11/19 "data-reference="SecureWorks August 2019"><sup><a href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0334"> S0334 </a> </td> <td> <a href="/software/S0334"> DarkComet </a> </td> <td> <p><a href="/software/S0334">DarkComet</a> can load any files onto the infected machine to execute.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018."data-reference="TrendMicro DarkComet Sept 2014"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span><span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018."data-reference="Malwarebytes DarkComet March 2018"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1111"> S1111 </a> </td> <td> <a href="/software/S1111"> DarkGate </a> </td> <td> <p><a href="/software/S1111">DarkGate</a> retrieves cryptocurrency mining payloads and commands in encrypted traffic from its command and control server.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. 
Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span> <a href="/software/S1111">DarkGate</a> uses Windows Batch scripts executing the <code>curl</code> command to retrieve follow-on payloads.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024."data-reference="Trellix Darkgate 2023"><sup><a href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0012"> G0012 </a> </td> <td> <a href="/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/groups/G0012">Darkhotel</a> has used first-stage payloads that download additional malware from C2 servers.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. 
Retrieved March 31, 2021."data-reference="Microsoft DUBNIUM June 2016"><sup><a href="https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1066"> S1066 </a> </td> <td> <a href="/software/S1066"> DarkTortilla </a> </td> <td> <p><a href="/software/S1066">DarkTortilla</a> can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as <a href="/software/S0331">Agent Tesla</a>, AsyncRat, <a href="/software/S0336">NanoCore</a>, RedLine, <a href="/software/S0154">Cobalt Strike</a>, and Metasploit.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022."data-reference="Secureworks DarkTortilla Aug 2022"><sup><a href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0187"> S0187 </a> </td> <td> <a href="/software/S0187"> Daserf </a> </td> <td> <p><a href="/software/S0187">Daserf</a> can download remote files.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. 
Retrieved December 27, 2017."data-reference="Trend Micro Daserf Nov 2017"><sup><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span><span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0255"> S0255 </a> </td> <td> <a href="/software/S0255"> DDKONG </a> </td> <td> <p><a href="/software/S0255">DDKONG</a> downloads and uploads files on the victim’s machine.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0616"> S0616 </a> </td> <td> <a href="/software/S0616"> DEATHRANSOM </a> </td> <td> <p><a href="/software/S0616">DEATHRANSOM</a> can download files to a compromised host.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. 
Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0354"> S0354 </a> </td> <td> <a href="/software/S0354"> Denis </a> </td> <td> <p><a href="/software/S0354">Denis</a> deploys additional backdoors and hacking tools to the system.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0659"> S0659 </a> </td> <td> <a href="/software/S0659"> Diavol </a> </td> <td> <p><a href="/software/S0659">Diavol</a> can receive configuration updates and additional payloads including wscpy.exe from C2.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021."data-reference="Fortinet Diavol July 2021"><sup><a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0200"> S0200 </a> </td> <td> <a href="/software/S0200"> Dipsind </a> </td> <td> <p><a href="/software/S0200">Dipsind</a> can download remote files.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Windows Defender Advanced Threat Hunting Team. (2016, April 29). 
PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018."data-reference="Microsoft PLATINUM April 2016"><sup><a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1088"> S1088 </a> </td> <td> <a href="/software/S1088"> Disco </a> </td> <td> <p><a href="/software/S1088">Disco</a> can download files to targeted systems via SMB.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1021"> S1021 </a> </td> <td> <a href="/software/S1021"> DnsSystem </a> </td> <td> <p><a href="/software/S1021">DnsSystem</a> can download files to compromised systems after receiving a command with the string <code>downloaddd</code>.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. 
Retrieved June 23, 2022."data-reference="Zscaler Lyceum DnsSystem June 2022"><sup><a href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0213"> S0213 </a> </td> <td> <a href="/software/S0213"> DOGCALL </a> </td> <td> <p><a href="/software/S0213">DOGCALL</a> can download and execute additional payloads.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018."data-reference="Unit 42 Nokki Oct 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0600"> S0600 </a> </td> <td> <a href="/software/S0600"> Doki </a> </td> <td> <p><a href="/software/S0600">Doki</a> has downloaded scripts from C2.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021."data-reference="Intezer Doki July 20"><sup><a href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0695"> S0695 </a> </td> <td> <a href="/software/S0695"> Donut </a> </td> <td> <p><a href="/software/S0695">Donut</a> can download and execute previously staged shellcode payloads.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="TheWover. 
(2019, May 9). donut. Retrieved March 25, 2022."data-reference="Donut Github"><sup><a href="https://github.com/TheWover/donut" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0472"> S0472 </a> </td> <td> <a href="/software/S0472"> down_new </a> </td> <td> <p><a href="/software/S0472">down_new</a> has the ability to download files to the compromised host.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0134"> S0134 </a> </td> <td> <a href="/software/S0134"> Downdelph </a> </td> <td> <p>After downloading its main config file, <a href="/software/S0134">Downdelph</a> downloads multiple payloads from C2 servers.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. 
Retrieved November 21, 2016."data-reference="ESET Sednit Part 3"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0035"> G0035 </a> </td> <td> <a href="/groups/G0035"> Dragonfly </a> </td> <td> <p><a href="/groups/G0035">Dragonfly</a> has copied and installed tools for operations once in the victim environment.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0694"> S0694 </a> </td> <td> <a href="/software/S0694"> DRATzarus </a> </td> <td> <p><a href="/software/S0694">DRATzarus</a> can deploy additional tools onto an infected machine.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0547"> S0547 </a> </td> <td> <a href="/software/S0547"> DropBook </a> </td> <td> <p><a href="/software/S0547">DropBook</a> can download and execute additional files.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). 
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span><span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020."data-reference="BleepingComputer Molerats Dec 2020"><sup><a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0502"> S0502 </a> </td> <td> <a href="/software/S0502"> Drovorub </a> </td> <td> <p><a href="/software/S0502">Drovorub</a> can download files to a compromised host.<span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020."data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0567"> S0567 </a> </td> <td> <a href="/software/S0567"> Dtrack </a> </td> <td> <p><a href="/software/S0567">Dtrack</a> can download and upload a file to the victim’s computer.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. 
Retrieved January 20, 2021."data-reference="Securelist Dtrack"><sup><a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span><span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021."data-reference="CyberBit Dtrack"><sup><a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1159"> S1159 </a> </td> <td> <a href="/software/S1159"> DUSTTRAP </a> </td> <td> <p><a href="/software/S1159">DUSTTRAP</a> can retrieve and load additional payloads.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0024"> S0024 </a> </td> <td> <a href="/software/S0024"> Dyre </a> </td> <td> <p><a href="/software/S0024">Dyre</a> has a command to download and execute additional files.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. 
Retrieved August 23, 2018."data-reference="Symantec Dyre June 2015"><sup><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0624"> S0624 </a> </td> <td> <a href="/software/S0624"> Ecipekac </a> </td> <td> <p><a href="/software/S0624">Ecipekac</a> can download additional payloads to a compromised host.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021."data-reference="Securelist APT10 March 2021"><sup><a href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0554"> S0554 </a> </td> <td> <a href="/software/S0554"> Egregor </a> </td> <td> <p><a href="/software/S0554">Egregor</a> has the ability to download files from its C2 server.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020."data-reference="Cybereason Egregor Nov 2020"><sup><a href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a></sup></span><span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. 
Retrieved January 6, 2021."data-reference="Intrinsec Egregor Nov 2020"><sup><a href="https://www.intrinsec.com/egregor-prolock/?cn-reloaded=1" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0066"> G0066 </a> </td> <td> <a href="/groups/G0066"> Elderwood </a> </td> <td> <p>The Ritsol backdoor trojan used by <a href="/groups/G0066">Elderwood</a> can download files onto a compromised host from a remote location.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018."data-reference="Symantec Ristol May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3909-99" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0081"> S0081 </a> </td> <td> <a href="/software/S0081"> Elise </a> </td> <td> <p><a href="/software/S0081">Elise</a> can download additional files from the C2 server for execution.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018."data-reference="Accenture Dragonfish Jan 2018"><sup><a href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0082"> S0082 </a> </td> <td> <a href="/software/S0082"> Emissary </a> </td> <td> <p><a href="/software/S0082">Emissary</a> has the capability to download files from the C2 server.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Falcone, R. 
and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016."data-reference="Lotus Blossom Dec 2015"><sup><a href="http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <p><a href="/software/S0363">Empire</a> can upload and download to and from a victim machine.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0404"> S0404 </a> </td> <td> <a href="/software/S0404"> esentutl </a> </td> <td> <p><a href="/software/S0404">esentutl</a> can be used to copy files from a given URL.<span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019."data-reference="LOLBAS Esentutl"><sup><a href="https://lolbas-project.github.io/lolbas/Binaries/Esentutl/" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0396"> S0396 </a> </td> <td> <a href="/software/S0396"> EvilBunny </a> </td> <td> <p><a href="/software/S0396">EvilBunny</a> has downloaded additional Lua scripts from the C2.<span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. 
Retrieved June 28, 2019."data-reference="Cyphort EvilBunny Dec 2014"><sup><a href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0568"> S0568 </a> </td> <td> <a href="/software/S0568"> EVILNUM </a> </td> <td> <p><a href="/software/S0568">EVILNUM</a> can download and upload files to the victim's computer.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021."data-reference="ESET EvilNum July 2020"><sup><a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span><span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021."data-reference="Prevailion EvilNum May 2020"><sup><a href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0120"> G0120 </a> </td> <td> <a href="/groups/G0120"> Evilnum </a> </td> <td> <p><a href="/groups/G0120">Evilnum</a> can deploy additional components or tools as needed.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. 
Retrieved January 22, 2021."data-reference="ESET EvilNum July 2020"><sup><a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0401"> S0401 </a> </td> <td> <a href="/software/S0401"> Exaramel for Linux </a> </td> <td> <p><a href="/software/S0401">Exaramel for Linux</a> has commands to download a file from, and upload a file to, a remote C2 server.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018."data-reference="ESET TeleBots Oct 2018"><sup><a href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a></sup></span><span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0569"> S0569 </a> </td> <td> <a href="/software/S0569"> Explosive </a> </td> <td> <p><a href="/software/S0569">Explosive</a> has a function to download a file to the infected system.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. 
Retrieved February 8, 2021."data-reference="CheckPoint Volatile Cedar March 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0171"> S0171 </a> </td> <td> <a href="/software/S0171"> Felismus </a> </td> <td> <p><a href="/software/S0171">Felismus</a> can download files from remote servers.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017."data-reference="Forcepoint Felismus Mar 2017"><sup><a href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0267"> S0267 </a> </td> <td> <a href="/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/software/S0267">FELIXROOT</a> downloads and uploads files to and from the victim’s machine.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018."data-reference="FireEye FELIXROOT July 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a></sup></span><span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. 
Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has downloaded additional tools and malware to compromised systems.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a></sup></span><span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. 
Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022"><sup><a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0046"> G0046 </a> </td> <td> <a href="/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/groups/G0046">FIN7</a> has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017."data-reference="FireEye FIN7 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a></sup></span><span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018."data-reference="DOJ FIN7 Aug 2018"><sup><a href="https://www.justice.gov/opa/press-release/file/1084361/download" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a></sup></span><span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" title="Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. 
Retrieved April 5, 2022."data-reference="Mandiant FIN7 Apr 2022"><sup><a href="https://www.mandiant.com/resources/evolution-of-fin7" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0061"> G0061 </a> </td> <td> <a href="/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/groups/G0061">FIN8</a> has used remote code execution to download subsequent payloads.<span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" title="Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018."data-reference="FireEye Fin8 May 2016"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a></sup></span><span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" title="Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021."data-reference="Bitdefender FIN8 July 2021"><sup><a href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0696"> S0696 </a> </td> <td> <a href="/software/S0696"> Flagpro </a> </td> <td> <p><a href="/software/S0696">Flagpro</a> can download additional malware from the C2 server.<span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. 
Retrieved March 25, 2022."data-reference="NTT Security Flagpro new December 2021"><sup><a href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0381"> S0381 </a> </td> <td> <a href="/software/S0381"> FlawedAmmyy </a> </td> <td> <p><a href="/software/S0381">FlawedAmmyy</a> can transfer files from its C2 server.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0661"> S0661 </a> </td> <td> <a href="/software/S0661"> FoggyWeb </a> </td> <td> <p><a href="/software/S0661">FoggyWeb</a> can receive additional malicious components from an actor-controlled C2 server and execute them on a compromised AD FS server.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" title="Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. 
Retrieved October 4, 2021."data-reference="MSTIC FoggyWeb September 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0117"> G0117 </a> </td> <td> <a href="/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/groups/G0117">Fox Kitten</a> has downloaded additional tools including <a href="/software/S0029">PsExec</a> directly to endpoints.<span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" title="CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020."data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0001"> C0001 </a> </td> <td> <a href="/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors downloaded files and tools onto a victim machine.<span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. 
Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0095"> S0095 </a> </td> <td> <a href="/software/S0095"> ftp </a> </td> <td> <p><a href="/software/S0095">ftp</a> may be abused by adversaries to transfer tools or files from an external system into a compromised environment.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" title="Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022."data-reference="Microsoft FTP"><sup><a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a></sup></span><span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" title="N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022."data-reference="Linux FTP"><sup><a href="https://linux.die.net/man/1/ftp" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1044"> S1044 </a> </td> <td> <a href="/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/software/S1044">FunnyDream</a> can download additional files onto a compromised host.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. 
Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0007"> C0007 </a> </td> <td> <a href="/campaigns/C0007"> FunnyDream </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0007">FunnyDream</a>, the threat actors downloaded additional droppers and backdoors onto a compromised system.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0628"> S0628 </a> </td> <td> <a href="/software/S0628"> FYAnti </a> </td> <td> <p><a href="/software/S0628">FYAnti</a> can download additional payloads to a compromised host.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. 
Retrieved June 17, 2021."data-reference="Securelist APT10 March 2021"><sup><a href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0093"> G0093 </a> </td> <td> <a href="/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/groups/G0093">GALLIUM</a> dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and <a href="/software/S0040">HTRAN</a>.<span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a></sup></span><span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021."data-reference="Microsoft GALLIUM December 2019"><sup><a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0047"> G0047 </a> </td> <td> <a href="/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/groups/G0047">Gamaredon Group</a> has downloaded additional malware and tools onto a compromised host.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. 
Retrieved March 1, 2017."data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span><span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" title="Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."data-reference="TrendMicro Gamaredon April 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a></sup></span><span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" title="Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."data-reference="ESET Gamaredon June 2020"><sup><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a></sup></span><span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a></sup></span> For example, <a href="/groups/G0047">Gamaredon Group</a> uses a backdoor script to retrieve and decode additional payloads once in victim environments.<span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" title="Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. 
Retrieved September 12, 2024."data-reference="unit42_gamaredon_dec2022"><sup><a href="https://unit42.paloaltonetworks.com/trident-ursa/" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0168"> S0168 </a> </td> <td> <a href="/software/S0168"> Gazer </a> </td> <td> <p><a href="/software/S0168">Gazer</a> can execute a task to download a file.<span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" title="ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017."data-reference="ESET Gazer Aug 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a></sup></span><span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017."data-reference="Securelist WhiteBear Aug 2017"><sup><a href="https://securelist.com/introducing-whitebear/81638/" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0666"> S0666 </a> </td> <td> <a href="/software/S0666"> Gelsemium </a> </td> <td> <p><a href="/software/S0666">Gelsemium</a> can download additional plug-ins to a compromised host.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. 
Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0032"> S0032 </a> </td> <td> <a href="/software/S0032"> gh0st RAT </a> </td> <td> <p><a href="/software/S0032">gh0st RAT</a> can download files to the victim’s machine.<span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" title="Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018."data-reference="Nccgroup Gh0st April 2018"><sup><a href="https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a></sup></span><span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" title="Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020."data-reference="Gh0stRAT ATT March 2019"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0249"> S0249 </a> </td> <td> <a href="/software/S0249"> Gold Dragon </a> </td> <td> <p><a href="/software/S0249">Gold Dragon</a> can download additional components from the C2 server.<span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. 
Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0493"> S0493 </a> </td> <td> <a href="/software/S0493"> GoldenSpy </a> </td> <td> <p><a href="/software/S0493">GoldenSpy</a> constantly attempts to download and execute files from the remote C2, including <a href="/software/S0493">GoldenSpy</a> itself if not found on the system.<span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" title="Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020."data-reference="Trustwave GoldenSpy June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0588"> S0588 </a> </td> <td> <a href="/software/S0588"> GoldMax </a> </td> <td> <p><a href="/software/S0588">GoldMax</a> can download and execute additional files.<span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a></sup></span><span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" title="Smith, L., Leathery, J., Read, B. (2021, March 4). 
New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021."data-reference="FireEye SUNSHUTTLE Mar 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1138"> S1138 </a> </td> <td> <a href="/software/S1138"> Gootloader </a> </td> <td> <p><a href="/software/S1138">Gootloader</a> can fetch second stage code from hardcoded web domains.<span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" title="Szappanos, G. & Brandt, A. (2021, March 1). "Gootloader" expands its payload delivery options. Retrieved September 30, 2022."data-reference="Sophos Gootloader"><sup><a href="https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a></sup></span><span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" title="Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024."data-reference="SentinelOne Gootloader June 2021"><sup><a href="https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0078"> G0078 </a> </td> <td> <a href="/groups/G0078"> Gorgon Group </a> </td> <td> <p><a href="/groups/G0078">Gorgon Group</a> malware can download additional files from C2 servers.<span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, August 02). 
The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018."data-reference="Unit 42 Gorgon Group Aug 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/software/S0531">Grandoreiro</a> can download its second stage from a hardcoded URL within the loader's code.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" title="Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020."data-reference="IBM Grandoreiro April 2020"><sup><a href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a></sup></span><span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0342"> S0342 </a> </td> <td> <a href="/software/S0342"> GreyEnergy </a> </td> <td> <p><a href="/software/S0342">GreyEnergy</a> can download additional modules and payloads.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. 
Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0632"> S0632 </a> </td> <td> <a href="/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/software/S0632">GrimAgent</a> has the ability to download and execute additional payloads.<span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" title="Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024."data-reference="Group IB GrimAgent July 2021"><sup><a href="https://www.group-ib.com/blog/grimagent/" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0561"> S0561 </a> </td> <td> <a href="/software/S0561"> GuLoader </a> </td> <td> <p><a href="/software/S0561">GuLoader</a> can download further malware for execution on the victim's machine.<span onclick=scrollToRef('scite-233') id="scite-ref-233-a" class="scite-citeref-number" title="Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021."data-reference="Medium Eli Salem GuLoader April 2021"><sup><a href="https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4" target="_blank" data-hasqtip="232" aria-describedby="qtip-232">[233]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0132"> S0132 </a> </td> <td> <a href="/software/S0132"> H1N1 </a> </td> <td> <p><a href="/software/S0132">H1N1</a> contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.<span onclick=scrollToRef('scite-234') id="scite-ref-234-a" class="scite-citeref-number" title="Reynolds, J.. 
(2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016."data-reference="Cisco H1N1 Part 2"><sup><a href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2" target="_blank" data-hasqtip="233" aria-describedby="qtip-233">[234]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0125"> G0125 </a> </td> <td> <a href="/groups/G0125"> HAFNIUM </a> </td> <td> <p><a href="/groups/G0125">HAFNIUM</a> has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.<span onclick=scrollToRef('scite-235') id="scite-ref-235-a" class="scite-citeref-number" title="MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021."data-reference="Microsoft HAFNIUM March 2020"><sup><a href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" target="_blank" data-hasqtip="234" aria-describedby="qtip-234">[235]</a></sup></span><span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022."data-reference="Rapid7 HAFNIUM Mar 2021"><sup><a href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0499"> S0499 </a> </td> <td> <a href="/software/S0499"> Hancitor </a> </td> <td> <p><a href="/software/S0499">Hancitor</a> has the ability to download additional files from C2.<span onclick=scrollToRef('scite-236') id="scite-ref-236-a" class="scite-citeref-number" title="Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. 
Retrieved August 13, 2020."data-reference="Threatpost Hancitor"><sup><a href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank" data-hasqtip="235" aria-describedby="qtip-235">[236]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0214"> S0214 </a> </td> <td> <a href="/software/S0214"> HAPPYWORK </a> </td> <td> <p><a href="/software/S0214">HAPPYWORK</a> can download and execute a second-stage payload.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0170"> S0170 </a> </td> <td> <a href="/software/S0170"> Helminth </a> </td> <td> <p><a href="/software/S0170">Helminth</a> can download additional files.<span onclick=scrollToRef('scite-237') id="scite-ref-237-a" class="scite-citeref-number" title="Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017."data-reference="Palo Alto OilRig May 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="236" aria-describedby="qtip-236">[237]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1001"> G1001 </a> </td> <td> <a href="/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/groups/G1001">HEXANE</a> has downloaded additional payloads and malicious scripts onto a compromised host.<span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. 
Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0087"> S0087 </a> </td> <td> <a href="/software/S0087"> Hi-Zor </a> </td> <td> <p><a href="/software/S0087">Hi-Zor</a> has the ability to upload and download files from its C2 server.<span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016."data-reference="Fidelis INOCNATION"><sup><a href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0394"> S0394 </a> </td> <td> <a href="/software/S0394"> HiddenWasp </a> </td> <td> <p><a href="/software/S0394">HiddenWasp</a> downloads a tar compressed archive from a download server to the system.<span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" title="Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019."data-reference="Intezer HiddenWasp Map 2019"><sup><a href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0009"> S0009 </a> </td> <td> <a href="/software/S0009"> Hikit </a> </td> <td> <p><a href="/software/S0009">Hikit</a> has the ability to download files to a compromised host.<span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. 
Retrieved November 12, 2014."data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0601"> S0601 </a> </td> <td> <a href="/software/S0601"> Hildegard </a> </td> <td> <p><a href="/software/S0601">Hildegard</a> has downloaded additional scripts that build and run Monero cryptocurrency miners.<span onclick=scrollToRef('scite-242') id="scite-ref-242-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="241" aria-describedby="qtip-241">[242]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0038"> C0038 </a> </td> <td> <a href="/campaigns/C0038"> HomeLand Justice </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a>, threat actors used web shells to download files to compromised infrastructure.<span onclick=scrollToRef('scite-243') id="scite-ref-243-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. 
Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="242" aria-describedby="qtip-242">[243]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0376"> S0376 </a> </td> <td> <a href="/software/S0376"> HOPLIGHT </a> </td> <td> <p><a href="/software/S0376">HOPLIGHT</a> has the ability to connect to a remote host in order to upload and download files.<span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" title="US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019."data-reference="US-CERT HOPLIGHT Apr 2019"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0431"> S0431 </a> </td> <td> <a href="/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/software/S0431">HotCroissant</a> has the ability to upload a file from the command and control (C2) server to the victim machine.<span onclick=scrollToRef('scite-245') id="scite-ref-245-a" class="scite-citeref-number" title="Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. 
Retrieved May 1, 2020."data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="244" aria-describedby="qtip-244">[245]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0070"> S0070 </a> </td> <td> <a href="/software/S0070"> HTTPBrowser </a> </td> <td> <p><a href="/software/S0070">HTTPBrowser</a> is capable of writing a file to the compromised system from the C2 server.<span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><sup><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0203"> S0203 </a> </td> <td> <a href="/software/S0203"> Hydraq </a> </td> <td> <p><a href="/software/S0203">Hydraq</a> creates a backdoor through which remote attackers can download files and additional malware components.<span onclick=scrollToRef('scite-247') id="scite-ref-247-a" class="scite-citeref-number" title="Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018."data-reference="Symantec Trojan.Hydraq Jan 2010"><sup><a href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank" data-hasqtip="246" aria-describedby="qtip-246">[247]</a></sup></span><span onclick=scrollToRef('scite-248') id="scite-ref-248-a" class="scite-citeref-number" title="Lelli, A. (2010, January 11). Trojan.Hydraq. 
Retrieved February 20, 2018."data-reference="Symantec Hydraq Jan 2010"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank" data-hasqtip="247" aria-describedby="qtip-247">[248]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0398"> S0398 </a> </td> <td> <a href="/software/S0398"> HyperBro </a> </td> <td> <p><a href="/software/S0398">HyperBro</a> has the ability to download additional files.<span onclick=scrollToRef('scite-249') id="scite-ref-249-a" class="scite-citeref-number" title="Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019."data-reference="Unit42 Emissary Panda May 2019"><sup><a href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank" data-hasqtip="248" aria-describedby="qtip-248">[249]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0483"> S0483 </a> </td> <td> <a href="/software/S0483"> IcedID </a> </td> <td> <p><a href="/software/S0483">IcedID</a> has the ability to download additional modules and a configuration file from C2.<span onclick=scrollToRef('scite-250') id="scite-ref-250-a" class="scite-citeref-number" title="Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020."data-reference="IBM IcedID November 2017"><sup><a href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank" data-hasqtip="249" aria-describedby="qtip-249">[250]</a></sup></span><span onclick=scrollToRef('scite-251') id="scite-ref-251-a" class="scite-citeref-number" title="Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. 
Retrieved July 14, 2020."data-reference="Juniper IcedID June 2020"><sup><a href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank" data-hasqtip="250" aria-describedby="qtip-250">[251]</a></sup></span><span onclick=scrollToRef('scite-252') id="scite-ref-252-a" class="scite-citeref-number" title="DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024."data-reference="DFIR_Quantum_Ransomware"><sup><a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" target="_blank" data-hasqtip="251" aria-describedby="qtip-251">[252]</a></sup></span><span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" title="Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024."data-reference="Latrodectus APR 2024"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1152"> S1152 </a> </td> <td> <a href="/software/S1152"> IMAPLoader </a> </td> <td> <p><a href="/software/S1152">IMAPLoader</a> is a loader used to retrieve follow-on payload encoded in email messages for execution on victim systems.<span onclick=scrollToRef('scite-254') id="scite-ref-254-a" class="scite-citeref-number" title="PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. 
Retrieved August 14, 2024."data-reference="PWC Yellow Liderc 2023"><sup><a href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" target="_blank" data-hasqtip="253" aria-describedby="qtip-253">[254]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1032"> G1032 </a> </td> <td> <a href="/groups/G1032"> INC Ransom </a> </td> <td> <p><a href="/groups/G1032">INC Ransom</a> has downloaded tools to compromised servers including Advanced IP Scanner. <span onclick=scrollToRef('scite-255') id="scite-ref-255-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023"><sup><a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="254" aria-describedby="qtip-254">[255]</a></sup></span><span onclick=scrollToRef('scite-256') id="scite-ref-256-a" class="scite-citeref-number" title="Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024."data-reference="Huntress INC Ransomware May 2024"><sup><a href="https://www.huntress.com/blog/lolbin-to-inc-ransomware" target="_blank" data-hasqtip="255" aria-describedby="qtip-255">[256]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0136"> G0136 </a> </td> <td> <a href="/groups/G0136"> IndigoZebra </a> </td> <td> <p><a href="/groups/G0136">IndigoZebra</a> has downloaded additional files and tools from its C2 server.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. 
Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021"><sup><a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0119"> G0119 </a> </td> <td> <a href="/groups/G0119"> Indrik Spider </a> </td> <td> <p><a href="/groups/G0119">Indrik Spider</a> has downloaded additional scripts, malware, and tools onto a compromised host.<span onclick=scrollToRef('scite-257') id="scite-ref-257-a" class="scite-citeref-number" title="Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021."data-reference="Crowdstrike Indrik November 2018"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="256" aria-describedby="qtip-256">[257]</a></sup></span><span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" title="Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021."data-reference="Symantec WastedLocker June 2020"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a></sup></span><span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" title="Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. 
Retrieved July 29, 2024."data-reference="Mandiant_UNC2165"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0604"> S0604 </a> </td> <td> <a href="/software/S0604"> Industroyer </a> </td> <td> <p><a href="/software/S0604">Industroyer</a> downloads a shellcode payload from a remote C2 server and loads it into memory.<span onclick=scrollToRef('scite-260') id="scite-ref-260-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="259" aria-describedby="qtip-259">[260]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/software/S0260">InvisiMole</a> can upload files to the victim's machine for operations.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018."data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span><span onclick=scrollToRef('scite-262') id="scite-ref-262-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. 
Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="261" aria-describedby="qtip-261">[262]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0015"> S0015 </a> </td> <td> <a href="/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/software/S0015">Ixeshe</a> can download and execute additional files.<span onclick=scrollToRef('scite-263') id="scite-ref-263-a" class="scite-citeref-number" title="Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019."data-reference="Trend Micro IXESHE 2012"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="262" aria-describedby="qtip-262">[263]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0528"> S0528 </a> </td> <td> <a href="/software/S0528"> Javali </a> </td> <td> <p><a href="/software/S0528">Javali</a> can download payloads from remote C2 servers.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020"><sup><a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0044"> S0044 </a> </td> <td> <a href="/software/S0044"> JHUHUGIT </a> </td> <td> <p><a href="/software/S0044">JHUHUGIT</a> can retrieve an additional payload from its C2 server.<span onclick=scrollToRef('scite-264') id="scite-ref-264-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. 
Retrieved November 8, 2016."data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="263" aria-describedby="qtip-263">[264]</a></sup></span><span onclick=scrollToRef('scite-265') id="scite-ref-265-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="264" aria-describedby="qtip-264">[265]</a></sup></span> <a href="/software/S0044">JHUHUGIT</a> has a command to download files to the victim’s machine.<span onclick=scrollToRef('scite-266') id="scite-ref-266-a" class="scite-citeref-number" title="Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018."data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="265" aria-describedby="qtip-265">[266]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0201"> S0201 </a> </td> <td> <a href="/software/S0201"> JPIN </a> </td> <td> <p><a href="/software/S0201">JPIN</a> can download files and upgrade itself.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. 
Retrieved February 15, 2018."data-reference="Microsoft PLATINUM April 2016"><sup><a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0283"> S0283 </a> </td> <td> <a href="/software/S0283"> jRAT </a> </td> <td> <p><a href="/software/S0283">jRAT</a> can download and execute files.<span onclick=scrollToRef('scite-267') id="scite-ref-267-a" class="scite-citeref-number" title="Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018."data-reference="jRAT Symantec Aug 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank" data-hasqtip="266" aria-describedby="qtip-266">[267]</a></sup></span><span onclick=scrollToRef('scite-268') id="scite-ref-268-a" class="scite-citeref-number" title="Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019."data-reference="Kaspersky Adwind Feb 2016"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank" data-hasqtip="267" aria-describedby="qtip-267">[268]</a></sup></span><span onclick=scrollToRef('scite-269') id="scite-ref-269-a" class="scite-citeref-number" title="Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. 
Retrieved April 23, 2019."data-reference="Symantec Frutas Feb 2013"><sup><a href="https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door" target="_blank" data-hasqtip="268" aria-describedby="qtip-268">[269]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0648"> S0648 </a> </td> <td> <a href="/software/S0648"> JSS Loader </a> </td> <td> <p><a href="/software/S0648">JSS Loader</a> has the ability to download malicious executables to a compromised host.<span onclick=scrollToRef('scite-270') id="scite-ref-270-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021"><sup><a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="269" aria-describedby="qtip-269">[270]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0215"> S0215 </a> </td> <td> <a href="/software/S0215"> KARAE </a> </td> <td> <p><a href="/software/S0215">KARAE</a> can upload and download files, including second-stage malware.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0088"> S0088 </a> </td> <td> <a href="/software/S0088"> Kasidet </a> </td> <td> <p><a href="/software/S0088">Kasidet</a> has the ability to download and execute additional files.<span onclick=scrollToRef('scite-271') id="scite-ref-271-a" class="scite-citeref-number" title="Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. 
Retrieved March 24, 2016."data-reference="Zscaler Kasidet"><sup><a href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank" data-hasqtip="270" aria-describedby="qtip-270">[271]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0265"> S0265 </a> </td> <td> <a href="/software/S0265"> Kazuar </a> </td> <td> <p><a href="/software/S0265">Kazuar</a> downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.<span onclick=scrollToRef('scite-272') id="scite-ref-272-a" class="scite-citeref-number" title="Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018."data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="271" aria-describedby="qtip-271">[272]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/groups/G0004">Ke3chang</a> has used tools to download files to compromised machines.<span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. 
Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0585"> S0585 </a> </td> <td> <a href="/software/S0585"> Kerrdown </a> </td> <td> <p><a href="/software/S0585">Kerrdown</a> can download specific payloads to a compromised host based on OS architecture.<span onclick=scrollToRef('scite-274') id="scite-ref-274-a" class="scite-citeref-number" title="Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021."data-reference="Unit 42 KerrDown February 2019"><sup><a href="https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/" target="_blank" data-hasqtip="273" aria-describedby="qtip-273">[274]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0487"> S0487 </a> </td> <td> <a href="/software/S0487"> Kessel </a> </td> <td> <p><a href="/software/S0487">Kessel</a> can download additional modules from the C2 server.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1020"> S1020 </a> </td> <td> <a href="/software/S1020"> Kevin </a> </td> <td> <p><a href="/software/S1020">Kevin</a> can download files to the compromised host.<span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" title="Kayal, A. 
et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0387"> S0387 </a> </td> <td> <a href="/software/S0387"> KeyBoy </a> </td> <td> <p><a href="/software/S0387">KeyBoy</a> has download and upload functionality.<span onclick=scrollToRef('scite-275') id="scite-ref-275-a" class="scite-citeref-number" title="Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019."data-reference="PWC KeyBoys Feb 2017"><sup><a href="https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" target="_blank" data-hasqtip="274" aria-describedby="qtip-274">[275]</a></sup></span><span onclick=scrollToRef('scite-276') id="scite-ref-276-a" class="scite-citeref-number" title="Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019."data-reference="Rapid7 KeyBoy Jun 2013"><sup><a href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank" data-hasqtip="275" aria-describedby="qtip-275">[276]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0271"> S0271 </a> </td> <td> <a href="/software/S0271"> KEYMARBLE </a> </td> <td> <p><a href="/software/S0271">KEYMARBLE</a> can upload files to the victim’s machine and can download additional payloads.<span onclick=scrollToRef('scite-277') id="scite-ref-277-a" class="scite-citeref-number" title="US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. 
Retrieved August 16, 2018."data-reference="US-CERT KEYMARBLE Aug 2018"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank" data-hasqtip="276" aria-describedby="qtip-276">[277]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0526"> S0526 </a> </td> <td> <a href="/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/software/S0526">KGH_SPY</a> has the ability to download and execute code from remote servers.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has downloaded additional scripts, tools, and malware onto victim systems.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020."data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-278') id="scite-ref-278-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. 
Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021"><sup><a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="277" aria-describedby="qtip-277">[278]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0599"> S0599 </a> </td> <td> <a href="/software/S0599"> Kinsing </a> </td> <td> <p><a href="/software/S0599">Kinsing</a> has downloaded additional lateral movement scripts from C2.<span onclick=scrollToRef('scite-279') id="scite-ref-279-a" class="scite-citeref-number" title="Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021."data-reference="Aqua Kinsing April 2020"><sup><a href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank" data-hasqtip="278" aria-describedby="qtip-278">[279]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0437"> S0437 </a> </td> <td> <a href="/software/S0437"> Kivars </a> </td> <td> <p><a href="/software/S0437">Kivars</a> has the ability to download and execute files.<span onclick=scrollToRef('scite-280') id="scite-ref-280-a" class="scite-citeref-number" title="Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020."data-reference="TrendMicro BlackTech June 2017"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank" data-hasqtip="279" aria-describedby="qtip-279">[280]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0250"> S0250 </a> </td> <td> <a href="/software/S0250"> Koadic </a> </td> <td> <p><a href="/software/S0250">Koadic</a> can download additional files and tools.<span onclick=scrollToRef('scite-281') id="scite-ref-281-a" class="scite-citeref-number" title="Magius, J., et al. (2017, July 19). Koadic. 
Retrieved September 27, 2024."data-reference="Github Koadic"><sup><a href="https://github.com/offsecginger/koadic" target="_blank" data-hasqtip="280" aria-describedby="qtip-280">[281]</a></sup></span><span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0669"> S0669 </a> </td> <td> <a href="/software/S0669"> KOCTOPUS </a> </td> <td> <p><a href="/software/S0669">KOCTOPUS</a> has executed a PowerShell command to download a file to the system.<span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p><a href="/software/S0356">KONNI</a> can download files and execute them on the victim’s machine.<span onclick=scrollToRef('scite-283') id="scite-ref-283-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. 
Retrieved November 5, 2018."data-reference="Talos Konni May 2017"><sup><a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="282" aria-describedby="qtip-282">[283]</a></sup></span><span onclick=scrollToRef('scite-284') id="scite-ref-284-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022."data-reference="Malwarebytes Konni Aug 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank" data-hasqtip="283" aria-describedby="qtip-283">[284]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0035"> C0035 </a> </td> <td> <a href="/campaigns/C0035"> KV Botnet Activity </a> </td> <td> <p><a href="https://attack.mitre.org/campaigns/C0035">KV Botnet Activity</a> included the use of scripts to download additional payloads when compromising network nodes.<span onclick=scrollToRef('scite-285') id="scite-ref-285-a" class="scite-citeref-number" title="Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024."data-reference="Lumen KVBotnet 2023"><sup><a href="https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" target="_blank" data-hasqtip="284" aria-describedby="qtip-284">[285]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0236"> S0236 </a> </td> <td> <a href="/software/S0236"> Kwampirs </a> </td> <td> <p><a href="/software/S0236">Kwampirs</a> downloads additional files from C2 servers.<span onclick=scrollToRef('scite-286') id="scite-ref-286-a" class="scite-citeref-number" title="Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. 
Retrieved May 10, 2018."data-reference="Symantec Security Center Trojan.Kwampirs"><sup><a href="https://www.symantec.com/security-center/writeup/2016-081923-2700-99" target="_blank" data-hasqtip="285" aria-describedby="qtip-285">[286]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1160"> S1160 </a> </td> <td> <a href="/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/software/S1160">Latrodectus</a> can download and execute PEs, DLLs, and shellcode from C2.<span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" title="Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024."data-reference="Latrodectus APR 2024"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a></sup></span><span onclick=scrollToRef('scite-287') id="scite-ref-287-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024"><sup><a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="286" aria-describedby="qtip-286">[287]</a></sup></span><span onclick=scrollToRef('scite-288') id="scite-ref-288-a" class="scite-citeref-number" title="Batista, J. (2024, June 17). Latrodectus, are you coming back?. 
Retrieved September 13, 2024."data-reference="Bitsight Latrodectus June 2024"><sup><a href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank" data-hasqtip="287" aria-describedby="qtip-287">[288]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> has downloaded files, malware, and tools from its C2 onto a compromised host.<span onclick=scrollToRef('scite-289') id="scite-ref-289-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="288" aria-describedby="qtip-288">[289]</a></sup></span><span onclick=scrollToRef('scite-290') id="scite-ref-290-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016."data-reference="Novetta Blockbuster Destructive Malware"><sup><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" data-hasqtip="289" aria-describedby="qtip-289">[290]</a></sup></span><span onclick=scrollToRef('scite-291') id="scite-ref-291-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. 
Retrieved March 2, 2016."data-reference="Novetta Blockbuster Loaders"><sup><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="290" aria-describedby="qtip-290">[291]</a></sup></span><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020."data-reference="SentinelOne Lazarus macOS July 2020"><sup><a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span><span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020."data-reference="TrendMicro macOS Dacls May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span><span onclick=scrollToRef('scite-292') id="scite-ref-292-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="291" aria-describedby="qtip-291">[292]</a></sup></span><span onclick=scrollToRef('scite-293') id="scite-ref-293-a" class="scite-citeref-number" title="Weidemann, A. (2021, January 25). New campaign targeting security researchers. 
Retrieved December 20, 2021."data-reference="Google TAG Lazarus Jan 2021"><sup><a href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank" data-hasqtip="292" aria-describedby="qtip-292">[293]</a></sup></span><span onclick=scrollToRef('scite-294') id="scite-ref-294-a" class="scite-citeref-number" title="Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022."data-reference="Lazarus APT January 2022"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" data-hasqtip="293" aria-describedby="qtip-293">[294]</a></sup></span><span onclick=scrollToRef('scite-295') id="scite-ref-295-a" class="scite-citeref-number" title="Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022."data-reference="Qualys LolZarus"><sup><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" data-hasqtip="294" aria-describedby="qtip-294">[295]</a></sup></span><span onclick=scrollToRef('scite-296') id="scite-ref-296-a" class="scite-citeref-number" title="Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. 
Retrieved September 12, 2024."data-reference="ESET Twitter Ida Pro Nov 2021"><sup><a href="https://x.com/ESETresearch/status/1458438155149922312" target="_blank" data-hasqtip="295" aria-describedby="qtip-295">[296]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0140"> G0140 </a> </td> <td> <a href="/groups/G0140"> LazyScripter </a> </td> <td> <p><a href="/groups/G0140">LazyScripter</a> has downloaded additional tools to a compromised host.<span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0065"> G0065 </a> </td> <td> <a href="/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/groups/G0065">Leviathan</a> has downloaded additional scripts and files from adversary-controlled servers.<span onclick=scrollToRef('scite-297') id="scite-ref-297-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="296" aria-describedby="qtip-296">[297]</a></sup></span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. 
Retrieved April 11, 2018."data-reference="FireEye Periscope March 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0395"> S0395 </a> </td> <td> <a href="/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/software/S0395">LightNeuron</a> has the ability to download and execute additional files.<span onclick=scrollToRef('scite-298') id="scite-ref-298-a" class="scite-citeref-number" title="Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019."data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="297" aria-describedby="qtip-297">[298]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0211"> S0211 </a> </td> <td> <a href="/software/S0211"> Linfo </a> </td> <td> <p><a href="/software/S0211">Linfo</a> creates a backdoor through which remote attackers can download files onto compromised hosts.<span onclick=scrollToRef('scite-299') id="scite-ref-299-a" class="scite-citeref-number" title="Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018."data-reference="Symantec Linfo May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank" data-hasqtip="298" aria-describedby="qtip-298">[299]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0513"> S0513 </a> </td> <td> <a href="/software/S0513"> LiteDuke </a> </td> <td> <p><a href="/software/S0513">LiteDuke</a> has the ability to download files.<span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0680"> S0680 </a> </td> <td> <a href="/software/S0680"> LitePower </a> </td> <td> <p><a href="/software/S0680">LitePower</a> has the ability to download payloads containing system commands to a compromised host.<span onclick=scrollToRef('scite-301') id="scite-ref-301-a" class="scite-citeref-number" title="Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022."data-reference="Kaspersky WIRTE November 2021"><sup><a href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank" data-hasqtip="300" aria-describedby="qtip-300">[301]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0681"> S0681 </a> </td> <td> <a href="/software/S0681"> Lizar </a> </td> <td> <p><a href="/software/S0681">Lizar</a> can download additional plugins, files, and tools.<span onclick=scrollToRef('scite-302') id="scite-ref-302-a" class="scite-citeref-number" title="BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. 
Retrieved February 2, 2022."data-reference="BiZone Lizar May 2021"><sup><a href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank" data-hasqtip="301" aria-describedby="qtip-301">[302]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0447"> S0447 </a> </td> <td> <a href="/software/S0447"> Lokibot </a> </td> <td> <p><a href="/software/S0447">Lokibot</a> downloaded several staged items onto the victim's machine.<span onclick=scrollToRef('scite-303') id="scite-ref-303-a" class="scite-citeref-number" title="Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021."data-reference="Talos Lokibot Jan 2021"><sup><a href="https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html" target="_blank" data-hasqtip="302" aria-describedby="qtip-302">[303]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0451"> S0451 </a> </td> <td> <a href="/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/software/S0451">LoudMiner</a> used SCP to update the miner from the C2.<span onclick=scrollToRef('scite-304') id="scite-ref-304-a" class="scite-citeref-number" title="Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."data-reference="ESET LoudMiner June 2019"><sup><a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="303" aria-describedby="qtip-303">[304]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0042"> S0042 </a> </td> <td> <a href="/software/S0042"> LOWBALL </a> </td> <td> <p><a href="/software/S0042">LOWBALL</a> uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. 
This is most likely meant to be a mechanism to update the compromised host with a new version of the <a href="/software/S0042">LOWBALL</a> malware.<span onclick=scrollToRef('scite-305') id="scite-ref-305-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015."data-reference="FireEye admin@338"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="304" aria-describedby="qtip-304">[305]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0532"> S0532 </a> </td> <td> <a href="/software/S0532"> Lucifer </a> </td> <td> <p><a href="/software/S0532">Lucifer</a> can download and execute a replica of itself using <a href="/software/S0160">certutil</a>.<span onclick=scrollToRef('scite-306') id="scite-ref-306-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="305" aria-describedby="qtip-305">[306]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1014"> G1014 </a> </td> <td> <a href="/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/groups/G1014">LuminousMoth</a> has downloaded additional malware and tools onto a compromised host.<span onclick=scrollToRef('scite-307') id="scite-ref-307-a" class="scite-citeref-number" title="Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. 
Retrieved October 20, 2022."data-reference="Kaspersky LuminousMoth July 2021"><sup><a href="https://securelist.com/apt-luminousmoth/103332/" target="_blank" data-hasqtip="306" aria-describedby="qtip-306">[307]</a></sup></span><span onclick=scrollToRef('scite-308') id="scite-ref-308-a" class="scite-citeref-number" title="Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022."data-reference="Bitdefender LuminousMoth July 2021"><sup><a href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank" data-hasqtip="307" aria-describedby="qtip-307">[308]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> can download additional files for execution on the victim’s machine.<span onclick=scrollToRef('scite-309') id="scite-ref-309-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="308" aria-describedby="qtip-308">[309]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1016"> S1016 </a> </td> <td> <a href="/software/S1016"> MacMa </a> </td> <td> <p><a href="/software/S1016">MacMa</a> has downloaded additional files, including an exploit used for privilege escalation.<span onclick=scrollToRef('scite-310') id="scite-ref-310-a" class="scite-citeref-number" title="M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. 
Retrieved May 6, 2022."data-reference="ESET DazzleSpy Jan 2022"><sup><a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank" data-hasqtip="309" aria-describedby="qtip-309">[310]</a></sup></span><span onclick=scrollToRef('scite-311') id="scite-ref-311-a" class="scite-citeref-number" title="Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022."data-reference="Objective-See MacMa Nov 2021"><sup><a href="https://objective-see.org/blog/blog_0x69.html" target="_blank" data-hasqtip="310" aria-describedby="qtip-310">[311]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1048"> S1048 </a> </td> <td> <a href="/software/S1048"> macOS.OSAMiner </a> </td> <td> <p><a href="/software/S1048">macOS.OSAMiner</a> has used <code>curl</code> to download <a href="/techniques/T1027/008">Stripped Payloads</a> from a public-facing adversary-controlled webpage. </p> </td> </tr> <tr> <td> <a href="/software/S1060"> S1060 </a> </td> <td> <a href="/software/S1060"> Mafalda </a> </td> <td> <p><a href="/software/S1060">Mafalda</a> can download additional files onto the compromised host.<span onclick=scrollToRef('scite-312') id="scite-ref-312-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><sup><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="311" aria-describedby="qtip-311">[312]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has downloaded additional code and files from servers onto victims.<span onclick=scrollToRef('scite-313') id="scite-ref-313-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. 
(2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="312" aria-describedby="qtip-312">[313]</a></sup></span><span onclick=scrollToRef('scite-314') id="scite-ref-314-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="313" aria-describedby="qtip-313">[314]</a></sup></span><span onclick=scrollToRef('scite-315') id="scite-ref-315-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="314" aria-describedby="qtip-314">[315]</a></sup></span><span onclick=scrollToRef('scite-316') id="scite-ref-316-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="315" aria-describedby="qtip-315">[316]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0652"> S0652 </a> </td> <td> <a href="/software/S0652"> MarkiRAT </a> </td> <td> <p><a href="/software/S0652">MarkiRAT</a> can download additional files and tools from its C2 server, including through the use of <a href="/software/S0190">BITSAdmin</a>.<span onclick=scrollToRef('scite-317') id="scite-ref-317-a" class="scite-citeref-number" title="GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021"><sup><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="316" aria-describedby="qtip-316">[317]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0500"> S0500 </a> </td> <td> <a href="/software/S0500"> MCMD </a> </td> <td> <p><a href="/software/S0500">MCMD</a> can upload additional files to a compromised host.<span onclick=scrollToRef('scite-318') id="scite-ref-318-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. 
Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="317" aria-describedby="qtip-317">[318]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0459"> S0459 </a> </td> <td> <a href="/software/S0459"> MechaFlounder </a> </td> <td> <p><a href="/software/S0459">MechaFlounder</a> has the ability to upload and download files to and from a compromised host.<span onclick=scrollToRef('scite-319') id="scite-ref-319-a" class="scite-citeref-number" title="Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."data-reference="Unit 42 MechaFlounder March 2019"><sup><a href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank" data-hasqtip="318" aria-describedby="qtip-318">[319]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0530"> S0530 </a> </td> <td> <a href="/software/S0530"> Melcoz </a> </td> <td> <p><a href="/software/S0530">Melcoz</a> has the ability to download additional files to a compromised host.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020"><sup><a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0045"> G0045 </a> </td> <td> <a href="/groups/G0045"> menuPass </a> </td> <td> <p><a href="/groups/G0045">menuPass</a> has installed updates and new malware on victims.<span onclick=scrollToRef('scite-320') id="scite-ref-320-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper. 
Retrieved April 5, 2017."data-reference="PWC Cloud Hopper April 2017"><sup><a href="https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank" data-hasqtip="319" aria-describedby="qtip-319">[320]</a></sup></span><span onclick=scrollToRef('scite-321') id="scite-ref-321-a" class="scite-citeref-number" title="US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020."data-reference="District Court of NY APT10 Indictment December 2018"><sup><a href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank" data-hasqtip="320" aria-describedby="qtip-320">[321]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1013"> G1013 </a> </td> <td> <a href="/groups/G1013"> Metador </a> </td> <td> <p><a href="/groups/G1013">Metador</a> has downloaded tools and malware onto a compromised system.<span onclick=scrollToRef('scite-322') id="scite-ref-322-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022"><sup><a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="321" aria-describedby="qtip-321">[322]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1059"> S1059 </a> </td> <td> <a href="/software/S1059"> metaMain </a> </td> <td> <p><a href="/software/S1059">metaMain</a> can download files onto compromised systems.<span onclick=scrollToRef('scite-322') id="scite-ref-322-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. 
Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022"><sup><a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="321" aria-describedby="qtip-321">[322]</a></sup></span><span onclick=scrollToRef('scite-312') id="scite-ref-312-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><sup><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="311" aria-describedby="qtip-311">[312]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0455"> S0455 </a> </td> <td> <a href="/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/software/S0455">Metamorfo</a> has used MSI files to download additional files to execute.<span onclick=scrollToRef('scite-323') id="scite-ref-323-a" class="scite-citeref-number" title="Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."data-reference="Medium Metamorfo Apr 2020"><sup><a href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank" data-hasqtip="322" aria-describedby="qtip-322">[323]</a></sup></span><span onclick=scrollToRef('scite-324') id="scite-ref-324-a" class="scite-citeref-number" title="Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020."data-reference="FireEye Metamorfo Apr 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank" data-hasqtip="323" aria-describedby="qtip-323">[324]</a></sup></span><span onclick=scrollToRef('scite-325') id="scite-ref-325-a" class="scite-citeref-number" title="Zhang, X. 
(2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020."data-reference="Fortinet Metamorfo Feb 2020"><sup><a href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank" data-hasqtip="324" aria-describedby="qtip-324">[325]</a></sup></span><span onclick=scrollToRef('scite-326') id="scite-ref-326-a" class="scite-citeref-number" title="ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021."data-reference="ESET Casbaneiro Oct 2019"><sup><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank" data-hasqtip="325" aria-describedby="qtip-325">[326]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0688"> S0688 </a> </td> <td> <a href="/software/S0688"> Meteor </a> </td> <td> <p><a href="/software/S0688">Meteor</a> has the ability to download additional files for execution on the victim's machine.<span onclick=scrollToRef('scite-327') id="scite-ref-327-a" class="scite-citeref-number" title="Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022."data-reference="Check Point Meteor Aug 2021"><sup><a href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank" data-hasqtip="326" aria-describedby="qtip-326">[327]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0339"> S0339 </a> </td> <td> <a href="/software/S0339"> Micropsia </a> </td> <td> <p><a href="/software/S0339">Micropsia</a> can download and execute an executable from the C2 server.<span onclick=scrollToRef('scite-328') id="scite-ref-328-a" class="scite-citeref-number" title="Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. 
Retrieved November 13, 2018."data-reference="Talos Micropsia June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank" data-hasqtip="327" aria-describedby="qtip-327">[328]</a></sup></span><span onclick=scrollToRef('scite-329') id="scite-ref-329-a" class="scite-citeref-number" title="Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018."data-reference="Radware Micropsia July 2018"><sup><a href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="328" aria-describedby="qtip-328">[329]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1015"> S1015 </a> </td> <td> <a href="/software/S1015"> Milan </a> </td> <td> <p><a href="/software/S1015">Milan</a> has received files from C2 and stored them in log folders beginning with the character sequence <code>a9850d2f</code>.<span onclick=scrollToRef('scite-330') id="scite-ref-330-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="329" aria-describedby="qtip-329">[330]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0051"> S0051 </a> </td> <td> <a href="/software/S0051"> MiniDuke </a> </td> <td> <p><a href="/software/S0051">MiniDuke</a> can download additional encrypted backdoors onto the victim via GIF files.<span onclick=scrollToRef('scite-331') id="scite-ref-331-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. 
Retrieved April 5, 2017."data-reference="Securelist MiniDuke Feb 2013"><sup><a href="https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf" target="_blank" data-hasqtip="330" aria-describedby="qtip-330">[331]</a></sup></span><span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0084"> S0084 </a> </td> <td> <a href="/software/S0084"> Mis-Type </a> </td> <td> <p><a href="/software/S0084">Mis-Type</a> has downloaded additional malware and files onto a compromised host.<span onclick=scrollToRef('scite-332') id="scite-ref-332-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="331" aria-describedby="qtip-331">[332]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0083"> S0083 </a> </td> <td> <a href="/software/S0083"> Misdat </a> </td> <td> <p><a href="/software/S0083">Misdat</a> is capable of downloading files from the C2.<span onclick=scrollToRef('scite-332') id="scite-ref-332-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="331" aria-describedby="qtip-331">[332]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0080"> S0080 </a> </td> <td> <a href="/software/S0080"> Mivast </a> </td> <td> <p><a href="/software/S0080">Mivast</a> has the capability to download and execute .exe files.<span onclick=scrollToRef('scite-333') id="scite-ref-333-a" class="scite-citeref-number" title="Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016."data-reference="Symantec Backdoor.Mivast"><sup><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2" target="_blank" data-hasqtip="332" aria-describedby="qtip-332">[333]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0079"> S0079 </a> </td> <td> <a href="/software/S0079"> MobileOrder </a> </td> <td> <p><a href="/software/S0079">MobileOrder</a> has a command to download a file from the C2 server to the victim mobile device's SD card.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. 
Retrieved February 10, 2016."data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0553"> S0553 </a> </td> <td> <a href="/software/S0553"> MoleNet </a> </td> <td> <p><a href="/software/S0553">MoleNet</a> can download additional payloads from the C2.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0021"> G0021 </a> </td> <td> <a href="/groups/G0021"> Molerats </a> </td> <td> <p><a href="/groups/G0021">Molerats</a> used executables to download malicious files from different sources.<span onclick=scrollToRef('scite-334') id="scite-ref-334-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="333" aria-describedby="qtip-333">[334]</a></sup></span><span onclick=scrollToRef('scite-335') id="scite-ref-335-a" class="scite-citeref-number" title="Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. 
Retrieved December 14, 2020."data-reference="Unit42 Molerat Mar 2020"><sup><a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="334" aria-describedby="qtip-334">[335]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1026"> S1026 </a> </td> <td> <a href="/software/S1026"> Mongall </a> </td> <td> <p><a href="/software/S1026">Mongall</a> can download files to targeted systems.<span onclick=scrollToRef('scite-336') id="scite-ref-336-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="335" aria-describedby="qtip-335">[336]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1036"> G1036 </a> </td> <td> <a href="/groups/G1036"> Moonstone Sleet </a> </td> <td> <p><a href="/groups/G1036">Moonstone Sleet</a> retrieved a final stage payload from command and control infrastructure during initial installation on victim systems.<span onclick=scrollToRef('scite-337') id="scite-ref-337-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. 
Retrieved August 26, 2024."data-reference="Microsoft Moonstone Sleet 2024"><sup><a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank" data-hasqtip="336" aria-describedby="qtip-336">[337]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0284"> S0284 </a> </td> <td> <a href="/software/S0284"> More_eggs </a> </td> <td> <p><a href="/software/S0284">More_eggs</a> can download and launch additional payloads.<span onclick=scrollToRef('scite-338') id="scite-ref-338-a" class="scite-citeref-number" title="Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018."data-reference="Talos Cobalt Group July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="337" aria-describedby="qtip-337">[338]</a></sup></span><span onclick=scrollToRef('scite-339') id="scite-ref-339-a" class="scite-citeref-number" title="Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019."data-reference="Security Intelligence More Eggs Aug 2019"><sup><a href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank" data-hasqtip="338" aria-describedby="qtip-338">[339]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1009"> G1009 </a> </td> <td> <a href="/groups/G1009"> Moses Staff </a> </td> <td> <p><a href="/groups/G1009">Moses Staff</a> has downloaded and installed web shells to the following path <code>C:\inetpub\wwwroot\aspnet_client\system_web\IISpool.aspx</code>.<span onclick=scrollToRef('scite-340') id="scite-ref-340-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. 
Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021"><sup><a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="339" aria-describedby="qtip-339">[340]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0256"> S0256 </a> </td> <td> <a href="/software/S0256"> Mosquito </a> </td> <td> <p><a href="/software/S0256">Mosquito</a> can upload and download files to the victim.<span onclick=scrollToRef('scite-341') id="scite-ref-341-a" class="scite-citeref-number" title="ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018."data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="340" aria-describedby="qtip-340">[341]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0069"> G0069 </a> </td> <td> <a href="/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/groups/G0069">MuddyWater</a> has used malware that can upload additional files to the victim’s machine.<span onclick=scrollToRef('scite-342') id="scite-ref-342-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018."data-reference="Securelist MuddyWater Oct 2018"><sup><a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="341" aria-describedby="qtip-341">[342]</a></sup></span><span onclick=scrollToRef('scite-343') id="scite-ref-343-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. 
Retrieved November 29, 2018."data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="342" aria-describedby="qtip-342">[343]</a></sup></span><span onclick=scrollToRef('scite-344') id="scite-ref-344-a" class="scite-citeref-number" title="Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."data-reference="Reaqta MuddyWater November 2017"><sup><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" data-hasqtip="343" aria-describedby="qtip-343">[344]</a></sup></span><span onclick=scrollToRef('scite-345') id="scite-ref-345-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="344" aria-describedby="qtip-344">[345]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0129"> G0129 </a> </td> <td> <a href="/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/groups/G0129">Mustang Panda</a> has downloaded additional executables following the initial infection stage.<span onclick=scrollToRef('scite-346') id="scite-ref-346-a" class="scite-citeref-number" title="Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. 
Retrieved April 13, 2021."data-reference="Recorded Future REDDELTA July 2020"><sup><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank" data-hasqtip="345" aria-describedby="qtip-345">[346]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1020"> G1020 </a> </td> <td> <a href="/groups/G1020"> Mustard Tempest </a> </td> <td> <p><a href="/groups/G1020">Mustard Tempest</a> has deployed secondary payloads and third stage implants to compromised hosts.<span onclick=scrollToRef('scite-347') id="scite-ref-347-a" class="scite-citeref-number" title="Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023."data-reference="Microsoft Ransomware as a Service"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank" data-hasqtip="346" aria-describedby="qtip-346">[347]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0228"> S0228 </a> </td> <td> <a href="/software/S0228"> NanHaiShu </a> </td> <td> <p><a href="/software/S0228">NanHaiShu</a> can download additional files from URLs.<span onclick=scrollToRef('scite-297') id="scite-ref-297-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. 
Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="296" aria-describedby="qtip-296">[297]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0336"> S0336 </a> </td> <td> <a href="/software/S0336"> NanoCore </a> </td> <td> <p><a href="/software/S0336">NanoCore</a> has the capability to download and activate additional modules for execution.<span onclick=scrollToRef('scite-348') id="scite-ref-348-a" class="scite-citeref-number" title="The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018."data-reference="DigiTrust NanoCore Jan 2017"><sup><a href="https://www.digitrustgroup.com/nanocore-not-your-average-rat/" target="_blank" data-hasqtip="347" aria-describedby="qtip-347">[348]</a></sup></span><span onclick=scrollToRef('scite-349') id="scite-ref-349-a" class="scite-citeref-number" title="Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018."data-reference="PaloAlto NanoCore Feb 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank" data-hasqtip="348" aria-describedby="qtip-348">[349]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0247"> S0247 </a> </td> <td> <a href="/software/S0247"> NavRAT </a> </td> <td> <p><a href="/software/S0247">NavRAT</a> can download files remotely.<span onclick=scrollToRef('scite-350') id="scite-ref-350-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. 
Retrieved June 11, 2018."data-reference="Talos NavRAT May 2018"><sup><a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="349" aria-describedby="qtip-349">[350]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0272"> S0272 </a> </td> <td> <a href="/software/S0272"> NDiskMonitor </a> </td> <td> <p><a href="/software/S0272">NDiskMonitor</a> can download and execute a file from a given URL.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0630"> S0630 </a> </td> <td> <a href="/software/S0630"> Nebulae </a> </td> <td> <p><a href="/software/S0630">Nebulae</a> can download files from C2.<span onclick=scrollToRef('scite-351') id="scite-ref-351-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="350" aria-describedby="qtip-350">[351]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0691"> S0691 </a> </td> <td> <a href="/software/S0691"> Neoichor </a> </td> <td> <p><a href="/software/S0691">Neoichor</a> can download additional files onto a compromised host.<span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. 
Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0210"> S0210 </a> </td> <td> <a href="/software/S0210"> Nerex </a> </td> <td> <p><a href="/software/S0210">Nerex</a> creates a backdoor through which remote attackers can download files onto a compromised host.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018."data-reference="Symantec Ristol May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3909-99" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0457"> S0457 </a> </td> <td> <a href="/software/S0457"> Netwalker </a> </td> <td> <p>Operators deploying <a href="/software/S0457">Netwalker</a> have used psexec and certutil to retrieve the <a href="/software/S0457">Netwalker</a> payload.<span onclick=scrollToRef('scite-352') id="scite-ref-352-a" class="scite-citeref-number" title="Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. 
Retrieved May 27, 2020."data-reference="Sophos Netwalker May 2020"><sup><a href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank" data-hasqtip="351" aria-describedby="qtip-351">[352]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> can download payloads from C2 to the compromised host.<span onclick=scrollToRef('scite-353') id="scite-ref-353-a" class="scite-citeref-number" title="Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021."data-reference="FireEye NETWIRE March 2019"><sup><a href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank" data-hasqtip="352" aria-describedby="qtip-352">[353]</a></sup></span><span onclick=scrollToRef('scite-354') id="scite-ref-354-a" class="scite-citeref-number" title="Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021."data-reference="Proofpoint NETWIRE December 2020"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank" data-hasqtip="353" aria-describedby="qtip-353">[354]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0118"> S0118 </a> </td> <td> <a href="/software/S0118"> Nidiran </a> </td> <td> <p><a href="/software/S0118">Nidiran</a> can download and execute files.<span onclick=scrollToRef('scite-355') id="scite-ref-355-a" class="scite-citeref-number" title="Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. 
Retrieved August 3, 2016."data-reference="Symantec Backdoor.Nidiran"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99" target="_blank" data-hasqtip="354" aria-describedby="qtip-354">[355]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0002"> C0002 </a> </td> <td> <a href="/campaigns/C0002"> Night Dragon </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a>, threat actors used administrative utilities to deliver Trojan components to remote systems.<span onclick=scrollToRef('scite-356') id="scite-ref-356-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon"><sup><a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="355" aria-describedby="qtip-355">[356]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1090"> S1090 </a> </td> <td> <a href="/software/S1090"> NightClub </a> </td> <td> <p><a href="/software/S1090">NightClub</a> can load multiple additional plugins on an infected host.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0385"> S0385 </a> </td> <td> <a href="/software/S0385"> njRAT </a> </td> <td> <p><a href="/software/S0385">njRAT</a> can download files to the victim’s machine.<span onclick=scrollToRef('scite-357') id="scite-ref-357-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019."data-reference="Fidelis njRAT June 2013"><sup><a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="356" aria-describedby="qtip-356">[357]</a></sup></span><span onclick=scrollToRef('scite-358') id="scite-ref-358-a" class="scite-citeref-number" title="Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019."data-reference="Trend Micro njRAT 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank" data-hasqtip="357" aria-describedby="qtip-357">[358]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0353"> S0353 </a> </td> <td> <a href="/software/S0353"> NOKKI </a> </td> <td> <p><a href="/software/S0353">NOKKI</a> has downloaded a remote module for execution.<span onclick=scrollToRef('scite-359') id="scite-ref-359-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. 
Retrieved November 5, 2018."data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="358" aria-describedby="qtip-358">[359]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0133"> G0133 </a> </td> <td> <a href="/groups/G0133"> Nomadic Octopus </a> </td> <td> <p><a href="/groups/G0133">Nomadic Octopus</a> has used malicious macros to download additional files to the victim's machine.<span onclick=scrollToRef('scite-360') id="scite-ref-360-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021."data-reference="ESET Nomadic Octopus 2018"><sup><a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank" data-hasqtip="359" aria-describedby="qtip-359">[360]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0340"> S0340 </a> </td> <td> <a href="/software/S0340"> Octopus </a> </td> <td> <p><a href="/software/S0340">Octopus</a> can download additional files and tools onto the victim’s machine.<span onclick=scrollToRef('scite-361') id="scite-ref-361-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018."data-reference="Securelist Octopus Oct 2018"><sup><a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="360" aria-describedby="qtip-360">[361]</a></sup></span><span onclick=scrollToRef('scite-362') id="scite-ref-362-a" class="scite-citeref-number" title="Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. 
Retrieved August 24, 2021."data-reference="Security Affairs DustSquad Oct 2018"><sup><a href="https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html" target="_blank" data-hasqtip="361" aria-describedby="qtip-361">[362]</a></sup></span><span onclick=scrollToRef('scite-360') id="scite-ref-360-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021."data-reference="ESET Nomadic Octopus 2018"><sup><a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank" data-hasqtip="359" aria-describedby="qtip-359">[360]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0049"> G0049 </a> </td> <td> <a href="/groups/G0049"> OilRig </a> </td> <td> <p><a href="/groups/G0049">OilRig</a> can download remote files onto victims.<span onclick=scrollToRef('scite-363') id="scite-ref-363-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="362" aria-describedby="qtip-362">[363]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0439"> S0439 </a> </td> <td> <a href="/software/S0439"> Okrum </a> </td> <td> <p><a href="/software/S0439">Okrum</a> has built-in commands for uploading, downloading, and executing files to the system.<span onclick=scrollToRef('scite-364') id="scite-ref-364-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. 
Retrieved May 6, 2020."data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="363" aria-describedby="qtip-363">[364]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0264"> S0264 </a> </td> <td> <a href="/software/S0264"> OopsIE </a> </td> <td> <p><a href="/software/S0264">OopsIE</a> can download files from its C2 server to the victim's machine.<span onclick=scrollToRef('scite-365') id="scite-ref-365-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018."data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="364" aria-describedby="qtip-364">[365]</a></sup></span><span onclick=scrollToRef('scite-366') id="scite-ref-366-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018."data-reference="Unit 42 OilRig Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank" data-hasqtip="365" aria-describedby="qtip-365">[366]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0022"> C0022 </a> </td> <td> <a href="/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/groups/G0032">Lazarus Group</a> downloaded multistage malware and tools onto a compromised host.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). 
Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span><span onclick=scrollToRef('scite-367') id="scite-ref-367-a" class="scite-citeref-number" title="Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021."data-reference="ESET Lazarus Jun 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" data-hasqtip="366" aria-describedby="qtip-366">[367]</a></sup></span><span onclick=scrollToRef('scite-368') id="scite-ref-368-a" class="scite-citeref-number" title="Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021."data-reference="McAfee Lazarus Jul 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" data-hasqtip="367" aria-describedby="qtip-367">[368]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0006"> C0006 </a> </td> <td> <a href="/campaigns/C0006"> Operation Honeybee </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a>, the threat actors downloaded additional malware and malicious scripts onto a compromised host.<span onclick=scrollToRef('scite-369') id="scite-ref-369-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. 
Retrieved May 16, 2018."data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="368" aria-describedby="qtip-368">[369]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0013"> C0013 </a> </td> <td> <a href="/campaigns/C0013"> Operation Sharpshooter </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0013">Operation Sharpshooter</a>, additional payloads were downloaded after a target was infected with a first-stage downloader.<span onclick=scrollToRef('scite-370') id="scite-ref-370-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="369" aria-describedby="qtip-369">[370]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors downloaded additional files to the infected system.<span onclick=scrollToRef('scite-371') id="scite-ref-371-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. 
Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="370" aria-describedby="qtip-370">[371]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0229"> S0229 </a> </td> <td> <a href="/software/S0229"> Orz </a> </td> <td> <p><a href="/software/S0229">Orz</a> can download files onto the victim.<span onclick=scrollToRef('scite-297') id="scite-ref-297-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="296" aria-describedby="qtip-296">[297]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0402"> S0402 </a> </td> <td> <a href="/software/S0402"> OSX/Shlayer </a> </td> <td> <p><a href="/software/S0402">OSX/Shlayer</a> can download payloads, and extract bytes from files. <a href="/software/S0402">OSX/Shlayer</a> uses the <code>curl -fsL "$url" >$tmp_path</code> command to download malicious payloads into a temporary directory.<span onclick=scrollToRef('scite-372') id="scite-ref-372-a" class="scite-citeref-number" title="Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019."data-reference="Carbon Black Shlayer Feb 2019"><sup><a href="https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" target="_blank" data-hasqtip="371" aria-describedby="qtip-371">[372]</a></sup></span><span onclick=scrollToRef('scite-373') id="scite-ref-373-a" class="scite-citeref-number" title="Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. 
Retrieved September 13, 2021."data-reference="sentinelone shlayer to zshlayer"><sup><a href="https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/" target="_blank" data-hasqtip="372" aria-describedby="qtip-372">[373]</a></sup></span><span onclick=scrollToRef('scite-374') id="scite-ref-374-a" class="scite-citeref-number" title="Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021."data-reference="20 macOS Common Tools and Techniques"><sup><a href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank" data-hasqtip="373" aria-describedby="qtip-373">[374]</a></sup></span><span onclick=scrollToRef('scite-375') id="scite-ref-375-a" class="scite-citeref-number" title="Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code ...now notarized!? #2020. Retrieved September 13, 2021."data-reference="objectivesee osx.shlayer apple approved 2020"><sup><a href="https://objective-see.com/blog/blog_0x4E.html" target="_blank" data-hasqtip="374" aria-describedby="qtip-374">[375]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0352"> S0352 </a> </td> <td> <a href="/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> <p><a href="/software/S0352">OSX_OCEANLOTUS.D</a> has a command to download and execute a file on the victim’s machine.<span onclick=scrollToRef('scite-376') id="scite-ref-376-a" class="scite-citeref-number" title="Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018."data-reference="TrendMicro MacOS April 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank" data-hasqtip="375" aria-describedby="qtip-375">[376]</a></sup></span><span onclick=scrollToRef('scite-377') id="scite-ref-377-a" class="scite-citeref-number" title="Magisa, L. 
(2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020."data-reference="Trend Micro MacOS Backdoor November 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank" data-hasqtip="376" aria-describedby="qtip-376">[377]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1017"> S1017 </a> </td> <td> <a href="/software/S1017"> OutSteel </a> </td> <td> <p><a href="/software/S1017">OutSteel</a> can download files from its C2 server.<span onclick=scrollToRef('scite-378') id="scite-ref-378-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 "><sup><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="377" aria-describedby="qtip-377">[378]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0598"> S0598 </a> </td> <td> <a href="/software/S0598"> P.A.S. Webshell </a> </td> <td> <p><a href="/software/S0598">P.A.S. Webshell</a> can upload and download files to and from compromised hosts.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. 
Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0626"> S0626 </a> </td> <td> <a href="/software/S0626"> P8RAT </a> </td> <td> <p><a href="/software/S0626">P8RAT</a> can download additional payloads to a target system.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021."data-reference="Securelist APT10 March 2021"><sup><a href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0664"> S0664 </a> </td> <td> <a href="/software/S0664"> Pandora </a> </td> <td> <p><a href="/software/S0664">Pandora</a> can load additional drivers and files onto a victim machine.<span onclick=scrollToRef('scite-379') id="scite-ref-379-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="378" aria-describedby="qtip-378">[379]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0208"> S0208 </a> </td> <td> <a href="/software/S0208"> Pasam </a> </td> <td> <p><a href="/software/S0208">Pasam</a> creates a backdoor through which remote attackers can upload files.<span onclick=scrollToRef('scite-380') id="scite-ref-380-a" class="scite-citeref-number" title="Mullaney, C. 
& Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018."data-reference="Symantec Pasam May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" target="_blank" data-hasqtip="379" aria-describedby="qtip-379">[380]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0040"> G0040 </a> </td> <td> <a href="/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/groups/G0040">Patchwork</a> payloads download additional files from the C2 server.<span onclick=scrollToRef('scite-381') id="scite-ref-381-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016."data-reference="Securelist Dropping Elephant"><sup><a href="https://securelist.com/the-dropping-elephant-actor/75328/" target="_blank" data-hasqtip="380" aria-describedby="qtip-380">[381]</a></sup></span><span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0587"> S0587 </a> </td> <td> <a href="/software/S0587"> Penquin </a> </td> <td> <p><a href="/software/S0587">Penquin</a> can execute the command code <code>do_download</code> to retrieve remote files from C2.<span onclick=scrollToRef('scite-382') id="scite-ref-382-a" class="scite-citeref-number" title="Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA "Penquin_x64". 
Retrieved March 11, 2021."data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="381" aria-describedby="qtip-381">[382]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0643"> S0643 </a> </td> <td> <a href="/software/S0643"> Peppy </a> </td> <td> <p><a href="/software/S0643">Peppy</a> can download and execute remote files.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016"><sup><a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0501"> S0501 </a> </td> <td> <a href="/software/S0501"> PipeMon </a> </td> <td> <p><a href="/software/S0501">PipeMon</a> can install additional modules via C2 commands.<span onclick=scrollToRef('scite-383') id="scite-ref-383-a" class="scite-citeref-number" title="Tartare, M. et al. (2020, May 21). No "Game over" for the Winnti Group. Retrieved August 24, 2020."data-reference="ESET PipeMon May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank" data-hasqtip="382" aria-describedby="qtip-382">[383]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0124"> S0124 </a> </td> <td> <a href="/software/S0124"> Pisloader </a> </td> <td> <p><a href="/software/S0124">Pisloader</a> has a command to upload a file to the victim machine.<span onclick=scrollToRef('scite-384') id="scite-ref-384-a" class="scite-citeref-number" title="Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. 
Retrieved August 17, 2016."data-reference="Palo Alto DNS Requests"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="383" aria-describedby="qtip-383">[384]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0254"> S0254 </a> </td> <td> <a href="/software/S0254"> PLAINTEE </a> </td> <td> <p><a href="/software/S0254">PLAINTEE</a> has downloaded and executed additional plugins.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0068"> G0068 </a> </td> <td> <a href="/groups/G0068"> PLATINUM </a> </td> <td> <p><a href="/groups/G0068">PLATINUM</a> has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.<span onclick=scrollToRef('scite-385') id="scite-ref-385-a" class="scite-citeref-number" title="Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. 
Retrieved February 19, 2018."data-reference="Microsoft PLATINUM June 2017"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?source=mmpc" target="_blank" data-hasqtip="384" aria-describedby="qtip-384">[385]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1040"> G1040 </a> </td> <td> <a href="/groups/G1040"> Play </a> </td> <td> <p><a href="/groups/G1040">Play</a> has used <a href="/software/S0154">Cobalt Strike</a> to download files to compromised machines.<span onclick=scrollToRef('scite-386') id="scite-ref-386-a" class="scite-citeref-number" title="Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024."data-reference="Trend Micro Ransomware Spotlight Play July 2023"><sup><a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank" data-hasqtip="385" aria-describedby="qtip-385">[386]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0435"> S0435 </a> </td> <td> <a href="/software/S0435"> PLEAD </a> </td> <td> <p><a href="/software/S0435">PLEAD</a> has the ability to upload and download files to and from an infected host.<span onclick=scrollToRef('scite-387') id="scite-ref-387-a" class="scite-citeref-number" title="Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. 
Retrieved May 6, 2020."data-reference="JPCert PLEAD Downloader June 2018"><sup><a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="386" aria-describedby="qtip-386">[387]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0013"> S0013 </a> </td> <td> <a href="/software/S0013"> PlugX </a> </td> <td> <p><a href="/software/S0013">PlugX</a> has a module to download and execute files on the compromised machine.<span onclick=scrollToRef('scite-388') id="scite-ref-388-a" class="scite-citeref-number" title="Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018."data-reference="CIRCL PlugX March 2013"><sup><a href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank" data-hasqtip="387" aria-describedby="qtip-387">[388]</a></sup></span><span onclick=scrollToRef('scite-389') id="scite-ref-389-a" class="scite-citeref-number" title="Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022."data-reference="Proofpoint TA416 Europe March 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european" target="_blank" data-hasqtip="388" aria-describedby="qtip-388">[389]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0428"> S0428 </a> </td> <td> <a href="/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/software/S0428">PoetRAT</a> has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.<span onclick=scrollToRef('scite-390') id="scite-ref-390-a" class="scite-citeref-number" title="Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. 
Retrieved April 27, 2020."data-reference="Talos PoetRAT April 2020"><sup><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="389" aria-describedby="qtip-389">[390]</a></sup></span><span onclick=scrollToRef('scite-391') id="scite-ref-391-a" class="scite-citeref-number" title="Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021."data-reference="Talos PoetRAT October 2020"><sup><a href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank" data-hasqtip="390" aria-describedby="qtip-390">[391]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0012"> S0012 </a> </td> <td> <a href="/software/S0012"> PoisonIvy </a> </td> <td> <p><a href="/software/S0012">PoisonIvy</a> creates a backdoor through which remote attackers can upload files.<span onclick=scrollToRef('scite-392') id="scite-ref-392-a" class="scite-citeref-number" title="Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018."data-reference="Symantec Darkmoon Aug 2005"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="391" aria-describedby="qtip-391">[392]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0518"> S0518 </a> </td> <td> <a href="/software/S0518"> PolyglotDuke </a> </td> <td> <p><a href="/software/S0518">PolyglotDuke</a> can retrieve payloads from the C2 server.<span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0453"> S0453 </a> </td> <td> <a href="/software/S0453"> Pony </a> </td> <td> <p><a href="/software/S0453">Pony</a> can download additional files onto the infected system.<span onclick=scrollToRef('scite-393') id="scite-ref-393-a" class="scite-citeref-number" title="hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."data-reference="Malwarebytes Pony April 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank" data-hasqtip="392" aria-describedby="qtip-392">[393]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0150"> S0150 </a> </td> <td> <a href="/software/S0150"> POSHSPY </a> </td> <td> <p><a href="/software/S0150">POSHSPY</a> downloads and executes additional PowerShell code and Windows binaries.<span onclick=scrollToRef('scite-394') id="scite-ref-394-a" class="scite-citeref-number" title="Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017."data-reference="FireEye POSHSPY April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank" data-hasqtip="393" aria-describedby="qtip-393">[394]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0139"> S0139 </a> </td> <td> <a href="/software/S0139"> PowerDuke </a> </td> <td> <p><a href="/software/S0139">PowerDuke</a> has a command to download a file.<span onclick=scrollToRef('scite-395') id="scite-ref-395-a" class="scite-citeref-number" title="Adair, S.. (2016, November 9). 
PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017."data-reference="Volexity PowerDuke November 2016"><sup><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="394" aria-describedby="qtip-394">[395]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1012"> S1012 </a> </td> <td> <a href="/software/S1012"> PowerLess </a> </td> <td> <p><a href="/software/S1012">PowerLess</a> can download additional payloads to a compromised host.<span onclick=scrollToRef('scite-396') id="scite-ref-396-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022."data-reference="Cybereason PowerLess February 2022"><sup><a href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank" data-hasqtip="395" aria-describedby="qtip-395">[396]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0685"> S0685 </a> </td> <td> <a href="/software/S0685"> PowerPunch </a> </td> <td> <p><a href="/software/S0685">PowerPunch</a> can download payloads from adversary infrastructure.<span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. 
Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0145"> S0145 </a> </td> <td> <a href="/software/S0145"> POWERSOURCE </a> </td> <td> <p><a href="/software/S0145">POWERSOURCE</a> has been observed being used to download <a href="/software/S0146">TEXTMATE</a> and the Cobalt Strike Beacon payload onto victims.<span onclick=scrollToRef('scite-397') id="scite-ref-397-a" class="scite-citeref-number" title="Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017."data-reference="FireEye FIN7 March 2017"><sup><a href="https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" target="_blank" data-hasqtip="396" aria-describedby="qtip-396">[397]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0223"> S0223 </a> </td> <td> <a href="/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/software/S0223">POWERSTATS</a> can retrieve and execute additional <a href="/techniques/T1059/001">PowerShell</a> payloads from the C2 server.<span onclick=scrollToRef('scite-398') id="scite-ref-398-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. 
Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="397" aria-describedby="qtip-397">[398]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0184"> S0184 </a> </td> <td> <a href="/software/S0184"> POWRUNER </a> </td> <td> <p><a href="/software/S0184">POWRUNER</a> can download or upload files from its C2 server.<span onclick=scrollToRef('scite-363') id="scite-ref-363-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="362" aria-describedby="qtip-362">[363]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0613"> S0613 </a> </td> <td> <a href="/software/S0613"> PS1 </a> </td> <td> <p><a href="/software/S0614">CostaBricks</a> can download additional payloads onto a compromised host.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0078"> S0078 </a> </td> <td> <a href="/software/S0078"> Psylo </a> </td> <td> <p><a href="/software/S0078">Psylo</a> has a command to download a file to the system from its C2 server.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016."data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0147"> S0147 </a> </td> <td> <a href="/software/S0147"> Pteranodon </a> </td> <td> <p><a href="/software/S0147">Pteranodon</a> can download and execute additional files.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017."data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span><span onclick=scrollToRef('scite-399') id="scite-ref-399-a" class="scite-citeref-number" title="Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. 
Retrieved February 17, 2022."data-reference="Symantec Shuckworm January 2022"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine" target="_blank" data-hasqtip="398" aria-describedby="qtip-398">[399]</a></sup></span><span onclick=scrollToRef('scite-400') id="scite-ref-400-a" class="scite-citeref-number" title="Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022."data-reference="Unit 42 Gamaredon February 2022"><sup><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/" target="_blank" data-hasqtip="399" aria-describedby="qtip-399">[400]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0196"> S0196 </a> </td> <td> <a href="/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/software/S0196">PUNCHBUGGY</a> can download additional files and payloads to compromised hosts.<span onclick=scrollToRef('scite-401') id="scite-ref-401-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="400" aria-describedby="qtip-400">[401]</a></sup></span><span onclick=scrollToRef('scite-402') id="scite-ref-402-a" class="scite-citeref-number" title="Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. 
Retrieved June 13, 2019."data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="401" aria-describedby="qtip-401">[402]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <p><a href="/software/S0192">Pupy</a> can upload and download to/from a victim machine.<span onclick=scrollToRef('scite-403') id="scite-ref-403-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). Retrieved January 29, 2018."data-reference="GitHub Pupy"><sup><a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="402" aria-describedby="qtip-402">[403]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <p><a href="/software/S0650">QakBot</a> has the ability to download additional components and malware.<span onclick=scrollToRef('scite-404') id="scite-ref-404-a" class="scite-citeref-number" title="Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot May 2020"><sup><a href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank" data-hasqtip="403" aria-describedby="qtip-403">[404]</a></sup></span><span onclick=scrollToRef('scite-405') id="scite-ref-405-a" class="scite-citeref-number" title="CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. 
Retrieved September 27, 2021."data-reference="Crowdstrike Qakbot October 2020"><sup><a href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank" data-hasqtip="404" aria-describedby="qtip-404">[405]</a></sup></span><span onclick=scrollToRef('scite-406') id="scite-ref-406-a" class="scite-citeref-number" title="Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot December 2020"><sup><a href="https://success.trendmicro.com/solution/000283381" target="_blank" data-hasqtip="405" aria-describedby="qtip-405">[406]</a></sup></span><span onclick=scrollToRef('scite-407') id="scite-ref-407-a" class="scite-citeref-number" title="Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021."data-reference="Cyberint Qakbot May 2021"><sup><a href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank" data-hasqtip="406" aria-describedby="qtip-406">[407]</a></sup></span><span onclick=scrollToRef('scite-408') id="scite-ref-408-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021"><sup><a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="407" aria-describedby="qtip-407">[408]</a></sup></span><span onclick=scrollToRef('scite-409') id="scite-ref-409-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. 
Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020"><sup><a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="408" aria-describedby="qtip-408">[409]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/software/S0262">QuasarRAT</a> can download files to the victim’s machine and execute them.<span onclick=scrollToRef('scite-410') id="scite-ref-410-a" class="scite-citeref-number" title="MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018."data-reference="GitHub QuasarRAT"><sup><a href="https://github.com/quasar/QuasarRAT" target="_blank" data-hasqtip="409" aria-describedby="qtip-409">[410]</a></sup></span><span onclick=scrollToRef('scite-411') id="scite-ref-411-a" class="scite-citeref-number" title="Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018."data-reference="Volexity Patchwork June 2018"><sup><a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank" data-hasqtip="410" aria-describedby="qtip-410">[411]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0686"> S0686 </a> </td> <td> <a href="/software/S0686"> QuietSieve </a> </td> <td> <p><a href="/software/S0686">QuietSieve</a> can download and execute payloads on a target host.<span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. 
Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1148"> S1148 </a> </td> <td> <a href="/software/S1148"> Raccoon Stealer </a> </td> <td> <p><a href="/software/S1148">Raccoon Stealer</a> downloads various library files enabling interaction with various data stores and structures to facilitate follow-on information theft.<span onclick=scrollToRef('scite-412') id="scite-ref-412-a" class="scite-citeref-number" title="S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024."data-reference="S2W Racoon 2022"><sup><a href="https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" target="_blank" data-hasqtip="411" aria-describedby="qtip-411">[412]</a></sup></span><span onclick=scrollToRef('scite-413') id="scite-ref-413-a" class="scite-citeref-number" title="Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024."data-reference="Sekoia Raccoon2 2022"><sup><a href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank" data-hasqtip="412" aria-describedby="qtip-412">[413]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0629"> S0629 </a> </td> <td> <a href="/software/S0629"> RainyDay </a> </td> <td> <p><a href="/software/S0629">RainyDay</a> can download files to a compromised host.<span onclick=scrollToRef('scite-351') id="scite-ref-351-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="350" aria-describedby="qtip-350">[351]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0075"> G0075 </a> </td> <td> <a href="/groups/G0075"> Rancor </a> </td> <td> <p><a href="/groups/G0075">Rancor</a> has downloaded additional malware, including by using <a href="/software/S0160">certutil</a>.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0055"> S0055 </a> </td> <td> <a href="/software/S0055"> RARSTONE </a> </td> <td> <p><a href="/software/S0055">RARSTONE</a> downloads its backdoor component from a C2 server and loads it directly into memory.<span onclick=scrollToRef('scite-414') id="scite-ref-414-a" class="scite-citeref-number" title="Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. 
Retrieved December 17, 2015."data-reference="Aquino RARSTONE"><sup><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/" target="_blank" data-hasqtip="413" aria-describedby="qtip-413">[414]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1130"> S1130 </a> </td> <td> <a href="/software/S1130"> Raspberry Robin </a> </td> <td> <p><a href="/software/S1130">Raspberry Robin</a> retrieves its second stage payload in a variety of ways such as through msiexec.exe abuse, or running the curl command to download the payload to the victim's <code>%AppData%</code> folder.<span onclick=scrollToRef('scite-415') id="scite-ref-415-a" class="scite-citeref-number" title="Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024."data-reference="HP RaspberryRobin 2024"><sup><a href="https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/" target="_blank" data-hasqtip="414" aria-describedby="qtip-414">[415]</a></sup></span><span onclick=scrollToRef('scite-416') id="scite-ref-416-a" class="scite-citeref-number" title="Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024."data-reference="RedCanary RaspberryRobin 2022"><sup><a href="https://redcanary.com/blog/threat-intelligence/raspberry-robin/" target="_blank" data-hasqtip="415" aria-describedby="qtip-415">[416]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0241"> S0241 </a> </td> <td> <a href="/software/S0241"> RATANKBA </a> </td> <td> <p><a href="/software/S0241">RATANKBA</a> uploads and downloads information.<span onclick=scrollToRef('scite-417') id="scite-ref-417-a" class="scite-citeref-number" title="Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. 
Retrieved May 22, 2018."data-reference="Lazarus RATANKBA"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank" data-hasqtip="416" aria-describedby="qtip-416">[417]</a></sup></span><span onclick=scrollToRef('scite-418') id="scite-ref-418-a" class="scite-citeref-number" title="Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018."data-reference="RATANKBA"><sup><a href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank" data-hasqtip="417" aria-describedby="qtip-417">[418]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0662"> S0662 </a> </td> <td> <a href="/software/S0662"> RCSession </a> </td> <td> <p><a href="/software/S0662">RCSession</a> has the ability to drop additional files to an infected machine.<span onclick=scrollToRef('scite-419') id="scite-ref-419-a" class="scite-citeref-number" title="Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021."data-reference="Profero APT27 December 2020"><sup><a href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank" data-hasqtip="418" aria-describedby="qtip-418">[419]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0495"> S0495 </a> </td> <td> <a href="/software/S0495"> RDAT </a> </td> <td> <p><a href="/software/S0495">RDAT</a> can download files via DNS.<span onclick=scrollToRef('scite-420') id="scite-ref-420-a" class="scite-citeref-number" title="Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. 
Retrieved July 28, 2020."data-reference="Unit42 RDAT July 2020"><sup><a href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank" data-hasqtip="419" aria-describedby="qtip-419">[420]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0153"> S0153 </a> </td> <td> <a href="/software/S0153"> RedLeaves </a> </td> <td> <p><a href="/software/S0153">RedLeaves</a> is capable of downloading a file from a specified URL.<span onclick=scrollToRef('scite-421') id="scite-ref-421-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="420" aria-describedby="qtip-420">[421]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0511"> S0511 </a> </td> <td> <a href="/software/S0511"> RegDuke </a> </td> <td> <p><a href="/software/S0511">RegDuke</a> can download files from C2.<span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0332"> S0332 </a> </td> <td> <a href="/software/S0332"> Remcos </a> </td> <td> <p><a href="/software/S0332">Remcos</a> can upload and download files to and from the victim’s machine.<span onclick=scrollToRef('scite-422') id="scite-ref-422-a" class="scite-citeref-number" title="Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. 
Retrieved November 6, 2018."data-reference="Riskiq Remcos Jan 2018"><sup><a href="https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/" target="_blank" data-hasqtip="421" aria-describedby="qtip-421">[422]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0166"> S0166 </a> </td> <td> <a href="/software/S0166"> RemoteCMD </a> </td> <td> <p><a href="/software/S0166">RemoteCMD</a> copies a file over to the remote system before execution.<span onclick=scrollToRef('scite-423') id="scite-ref-423-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye"><sup><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="422" aria-describedby="qtip-422">[423]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0592"> S0592 </a> </td> <td> <a href="/software/S0592"> RemoteUtilities </a> </td> <td> <p><a href="/software/S0592">RemoteUtilities</a> can upload and download files to and from a target machine.<span onclick=scrollToRef('scite-345') id="scite-ref-345-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. 
Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="344" aria-describedby="qtip-344">[345]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0125"> S0125 </a> </td> <td> <a href="/software/S0125"> Remsec </a> </td> <td> <p><a href="/software/S0125">Remsec</a> contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.<span onclick=scrollToRef('scite-424') id="scite-ref-424-a" class="scite-citeref-number" title="Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016."data-reference="Symantec Remsec IOCs"><sup><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" target="_blank" data-hasqtip="423" aria-describedby="qtip-423">[424]</a></sup></span><span onclick=scrollToRef('scite-425') id="scite-ref-425-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016."data-reference="Kaspersky ProjectSauron Technical Analysis"><sup><a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank" data-hasqtip="424" aria-describedby="qtip-424">[425]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0379"> S0379 </a> </td> <td> <a href="/software/S0379"> Revenge RAT </a> </td> <td> <p><a href="/software/S0379">Revenge RAT</a> has the ability to upload and download files.<span onclick=scrollToRef('scite-426') id="scite-ref-426-a" class="scite-citeref-number" title="Livelli, K, et al. (2018, November 12). Operation Shaheen. 
Retrieved May 1, 2019."data-reference="Cylance Shaheen Nov 2018"><sup><a href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank" data-hasqtip="425" aria-describedby="qtip-425">[426]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0496"> S0496 </a> </td> <td> <a href="/software/S0496"> REvil </a> </td> <td> <p><a href="/software/S0496">REvil</a> can download a copy of itself from an attacker controlled IP address to the victim machine.<span onclick=scrollToRef('scite-427') id="scite-ref-427-a" class="scite-citeref-number" title="Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020."data-reference="Talos Sodinokibi April 2019"><sup><a href="https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" target="_blank" data-hasqtip="426" aria-describedby="qtip-426">[427]</a></sup></span><span onclick=scrollToRef('scite-428') id="scite-ref-428-a" class="scite-citeref-number" title="McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020."data-reference="McAfee Sodinokibi October 2019"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank" data-hasqtip="427" aria-describedby="qtip-427">[428]</a></sup></span><span onclick=scrollToRef('scite-429') id="scite-ref-429-a" class="scite-citeref-number" title="Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. 
Retrieved August 5, 2020."data-reference="Picus Sodinokibi January 2020"><sup><a href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank" data-hasqtip="428" aria-describedby="qtip-428">[429]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0258"> S0258 </a> </td> <td> <a href="/software/S0258"> RGDoor </a> </td> <td> <p><a href="/software/S0258">RGDoor</a> uploads and downloads files to and from the victim’s machine.<span onclick=scrollToRef('scite-430') id="scite-ref-430-a" class="scite-citeref-number" title="Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018."data-reference="Unit 42 RGDoor Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank" data-hasqtip="429" aria-describedby="qtip-429">[430]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0106"> G0106 </a> </td> <td> <a href="/groups/G0106"> Rocke </a> </td> <td> <p><a href="/groups/G0106">Rocke</a> used malware to download additional malicious files to the target system.<span onclick=scrollToRef('scite-431') id="scite-ref-431-a" class="scite-citeref-number" title="Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."data-reference="Talos Rocke August 2018"><sup><a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank" data-hasqtip="430" aria-describedby="qtip-430">[431]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0270"> S0270 </a> </td> <td> <a href="/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/software/S0270">RogueRobin</a> can save a new file to the system from the C2 server.<span onclick=scrollToRef('scite-432') id="scite-ref-432-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, July 27). 
New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018."data-reference="Unit 42 DarkHydrus July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="431" aria-describedby="qtip-431">[432]</a></sup></span><span onclick=scrollToRef('scite-433') id="scite-ref-433-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019."data-reference="Unit42 DarkHydrus Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank" data-hasqtip="432" aria-describedby="qtip-432">[433]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0240"> S0240 </a> </td> <td> <a href="/software/S0240"> ROKRAT </a> </td> <td> <p><a href="/software/S0240">ROKRAT</a> can retrieve additional malicious payloads from its C2 server.<span onclick=scrollToRef('scite-434') id="scite-ref-434-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018."data-reference="Talos ROKRAT"><sup><a href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank" data-hasqtip="433" aria-describedby="qtip-433">[434]</a></sup></span><span onclick=scrollToRef('scite-435') id="scite-ref-435-a" class="scite-citeref-number" title="Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."data-reference="NCCGroup RokRat Nov 2018"><sup><a href="https://research.nccgroup.com/2018/11/08/rokrat-analysis/" target="_blank" data-hasqtip="434" aria-describedby="qtip-434">[435]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Adair, S., Lancaster, T. 
(2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."data-reference="Volexity InkySquid RokRAT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-436') id="scite-ref-436-a" class="scite-citeref-number" title="Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022."data-reference="Malwarebytes RokRAT VBA January 2021"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" target="_blank" data-hasqtip="435" aria-describedby="qtip-435">[436]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0148"> S0148 </a> </td> <td> <a href="/software/S0148"> RTM </a> </td> <td> <p><a href="/software/S0148">RTM</a> can download additional files.<span onclick=scrollToRef('scite-437') id="scite-ref-437-a" class="scite-citeref-number" title="Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017."data-reference="ESET RTM Feb 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="436" aria-describedby="qtip-436">[437]</a></sup></span><span onclick=scrollToRef('scite-438') id="scite-ref-438-a" class="scite-citeref-number" title="Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. 
Retrieved June 16, 2020."data-reference="Unit42 Redaman January 2019"><sup><a href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank" data-hasqtip="437" aria-describedby="qtip-437">[438]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0085"> S0085 </a> </td> <td> <a href="/software/S0085"> S-Type </a> </td> <td> <p><a href="/software/S0085">S-Type</a> can download additional files onto a compromised host.<span onclick=scrollToRef('scite-332') id="scite-ref-332-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="331" aria-describedby="qtip-331">[332]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1018"> S1018 </a> </td> <td> <a href="/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/software/S1018">Saint Bot</a> can download additional files onto a compromised host.<span onclick=scrollToRef('scite-378') id="scite-ref-378-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. 
Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 "><sup><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="377" aria-describedby="qtip-377">[378]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0074"> S0074 </a> </td> <td> <a href="/software/S0074"> Sakula </a> </td> <td> <p><a href="/software/S0074">Sakula</a> has the capability to download files.<span onclick=scrollToRef('scite-439') id="scite-ref-439-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016."data-reference="Dell Sakula"><sup><a href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank" data-hasqtip="438" aria-describedby="qtip-438">[439]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1099"> S1099 </a> </td> <td> <a href="/software/S1099"> Samurai </a> </td> <td> <p><a href="/software/S1099">Samurai</a> has been used to deploy other malware including <a href="/software/S1100">Ninja</a>.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022"><sup><a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.<span onclick=scrollToRef('scite-440') id="scite-ref-440-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="439" aria-describedby="qtip-439">[440]</a></sup></span><span onclick=scrollToRef('scite-441') id="scite-ref-441-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="440" aria-describedby="qtip-440">[441]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1085"> S1085 </a> </td> <td> <a href="/software/S1085"> Sardonic </a> </td> <td> <p><a href="/software/S1085">Sardonic</a> has the ability to upload additional malicious files to a compromised machine.<span onclick=scrollToRef('scite-442') id="scite-ref-442-a" class="scite-citeref-number" title="Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023."data-reference="Bitdefender Sardonic Aug 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank" data-hasqtip="441" aria-describedby="qtip-441">[442]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0461"> S0461 </a> </td> <td> <a href="/software/S0461"> SDBbot </a> </td> <td> <p><a href="/software/S0461">SDBbot</a> has the ability to download a DLL from C2 to a compromised host.<span onclick=scrollToRef('scite-443') id="scite-ref-443-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. 
Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="442" aria-describedby="qtip-442">[443]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0053"> S0053 </a> </td> <td> <a href="/software/S0053"> SeaDuke </a> </td> <td> <p><a href="/software/S0053">SeaDuke</a> is capable of uploading and downloading files.<span onclick=scrollToRef('scite-444') id="scite-ref-444-a" class="scite-citeref-number" title="Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016."data-reference="Unit 42 SeaDuke 2015"><sup><a href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank" data-hasqtip="443" aria-describedby="qtip-443">[444]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0345"> S0345 </a> </td> <td> <a href="/software/S0345"> Seasalt </a> </td> <td> <p><a href="/software/S0345">Seasalt</a> has a command to download additional files.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016."data-reference="Mandiant APT1 Appendix"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. 
Retrieved July 18, 2016."data-reference="Mandiant APT1 Appendix"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0185"> S0185 </a> </td> <td> <a href="/software/S0185"> SEASHARPEE </a> </td> <td> <p><a href="/software/S0185">SEASHARPEE</a> can download remote files onto victims.<span onclick=scrollToRef('scite-445') id="scite-ref-445-a" class="scite-citeref-number" title="Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017."data-reference="FireEye APT34 Webinar Dec 2017"><sup><a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="444" aria-describedby="qtip-444">[445]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0382"> S0382 </a> </td> <td> <a href="/software/S0382"> ServHelper </a> </td> <td> <p><a href="/software/S0382">ServHelper</a> may download additional files to execute.<span onclick=scrollToRef('scite-446') id="scite-ref-446-a" class="scite-citeref-number" title="Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Jan 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank" data-hasqtip="445" aria-describedby="qtip-445">[446]</a></sup></span><span onclick=scrollToRef('scite-447') id="scite-ref-447-a" class="scite-citeref-number" title="Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. 
Retrieved September 16, 2024."data-reference="Deep Instinct TA505 Apr 2019"><sup><a href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank" data-hasqtip="446" aria-describedby="qtip-446">[447]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0639"> S0639 </a> </td> <td> <a href="/software/S0639"> Seth-Locker </a> </td> <td> <p><a href="/software/S0639">Seth-Locker</a> has the ability to download and execute files on a compromised host.<span onclick=scrollToRef('scite-448') id="scite-ref-448-a" class="scite-citeref-number" title="Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021."data-reference="Trend Micro Ransomware February 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" target="_blank" data-hasqtip="447" aria-describedby="qtip-447">[448]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0596"> S0596 </a> </td> <td> <a href="/software/S0596"> ShadowPad </a> </td> <td> <p><a href="/software/S0596">ShadowPad</a> has downloaded code from a C2 server.<span onclick=scrollToRef('scite-449') id="scite-ref-449-a" class="scite-citeref-number" title="GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021."data-reference="Securelist ShadowPad Aug 2017"><sup><a href="https://securelist.com/shadowpad-in-corporate-networks/81432/" target="_blank" data-hasqtip="448" aria-describedby="qtip-448">[449]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0140"> S0140 </a> </td> <td> <a href="/software/S0140"> Shamoon </a> </td> <td> <p><a href="/software/S0140">Shamoon</a> can download an executable to run on the victim.<span onclick=scrollToRef('scite-450') id="scite-ref-450-a" class="scite-citeref-number" title="Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. 
Retrieved January 11, 2017."data-reference="Palo Alto Shamoon Nov 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="449" aria-describedby="qtip-449">[450]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1019"> S1019 </a> </td> <td> <a href="/software/S1019"> Shark </a> </td> <td> <p><a href="/software/S1019">Shark</a> can download additional files from its C2 via HTTP or DNS.<span onclick=scrollToRef('scite-330') id="scite-ref-330-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By &quot;Siamesekitten&quot; - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="329" aria-describedby="qtip-329">[330]</a></sup></span><span onclick=scrollToRef('scite-451') id="scite-ref-451-a" class="scite-citeref-number" title="Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022."data-reference="Accenture Lyceum Targets November 2021"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank" data-hasqtip="450" aria-describedby="qtip-450">[451]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1089"> S1089 </a> </td> <td> <a href="/software/S1089"> SharpDisco </a> </td> <td> <p><a href="/software/S1089">SharpDisco</a> has been used to download a Python interpreter to <code>C:\Users\Public\WinTN\WinTN.exe</code> as well as other plugins from external sources.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0546"> S0546 </a> </td> <td> <a href="/software/S0546"> SharpStage </a> </td> <td> <p><a href="/software/S0546">SharpStage</a> has the ability to download and execute additional payloads via a DropBox API.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span><span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020."data-reference="BleepingComputer Molerats Dec 2020"><sup><a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0450"> S0450 </a> </td> <td> <a href="/software/S0450"> SHARPSTATS </a> </td> <td> <p><a href="/software/S0450">SHARPSTATS</a> has the ability to upload and download files.<span onclick=scrollToRef('scite-452') id="scite-ref-452-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J.. (2019, June 10). 
MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="451" aria-describedby="qtip-451">[452]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0444"> S0444 </a> </td> <td> <a href="/software/S0444"> ShimRat </a> </td> <td> <p><a href="/software/S0444">ShimRat</a> can download additional files.<span onclick=scrollToRef('scite-453') id="scite-ref-453-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="452" aria-describedby="qtip-452">[453]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0445"> S0445 </a> </td> <td> <a href="/software/S0445"> ShimRatReporter </a> </td> <td> <p><a href="/software/S0445">ShimRatReporter</a> had the ability to download additional payloads.<span onclick=scrollToRef('scite-453') id="scite-ref-453-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. 
Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="452" aria-describedby="qtip-452">[453]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0217"> S0217 </a> </td> <td> <a href="/software/S0217"> SHUTTERSPEED </a> </td> <td> <p><a href="/software/S0217">SHUTTERSPEED</a> can download and execute an arbitrary executable.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0589"> S0589 </a> </td> <td> <a href="/software/S0589"> Sibot </a> </td> <td> <p><a href="/software/S0589">Sibot</a> can download and execute a payload onto a compromised system.<span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1008"> G1008 </a> </td> <td> <a href="/groups/G1008"> SideCopy </a> </td> <td> <p><a href="/groups/G1008">SideCopy</a> has delivered trojanized executables via spearphishing emails that contact actor-controlled servers to download malicious payloads.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Threat Intelligence Team. 
(2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0610"> S0610 </a> </td> <td> <a href="/software/S0610"> SideTwist </a> </td> <td> <p><a href="/software/S0610">SideTwist</a> has the ability to download additional files.<span onclick=scrollToRef('scite-454') id="scite-ref-454-a" class="scite-citeref-number" title="Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021."data-reference="Check Point APT34 April 2021"><sup><a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="453" aria-describedby="qtip-453">[454]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0121"> G0121 </a> </td> <td> <a href="/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/groups/G0121">Sidewinder</a> has used LNK files to download remote files to the victim's network.<span onclick=scrollToRef('scite-455') id="scite-ref-455-a" class="scite-citeref-number" title="Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021."data-reference="ATT Sidewinder January 2021"><sup><a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="454" aria-describedby="qtip-454">[455]</a></sup></span><span onclick=scrollToRef('scite-456') id="scite-ref-456-a" class="scite-citeref-number" title="Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. 
Retrieved January 29, 2021."data-reference="Cyble Sidewinder September 2020"><sup><a href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank" data-hasqtip="455" aria-describedby="qtip-455">[456]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0091"> G0091 </a> </td> <td> <a href="/groups/G0091"> Silence </a> </td> <td> <p><a href="/groups/G0091">Silence</a> has downloaded additional modules and malware to victims’ machines.<span onclick=scrollToRef('scite-457') id="scite-ref-457-a" class="scite-citeref-number" title="Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."data-reference="Group IB Silence Sept 2018"><sup><a href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank" data-hasqtip="456" aria-describedby="qtip-456">[457]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0692"> S0692 </a> </td> <td> <a href="/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/software/S0692">SILENTTRINITY</a> can load additional files and tools, including <a href="/software/S0002">Mimikatz</a>.<span onclick=scrollToRef('scite-458') id="scite-ref-458-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. 
Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="457" aria-describedby="qtip-457">[458]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0468"> S0468 </a> </td> <td> <a href="/software/S0468"> Skidmap </a> </td> <td> <p><a href="/software/S0468">Skidmap</a> has the ability to download files on an infected host.<span onclick=scrollToRef('scite-459') id="scite-ref-459-a" class="scite-citeref-number" title="Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."data-reference="Trend Micro Skidmap"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank" data-hasqtip="458" aria-describedby="qtip-458">[459]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1110"> S1110 </a> </td> <td> <a href="/software/S1110"> SLIGHTPULSE </a> </td> <td> <p><a href="/software/S1113">RAPIDPULSE</a> can transfer files to and from compromised hosts.<span onclick=scrollToRef('scite-460') id="scite-ref-460-a" class="scite-citeref-number" title="Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. 
Retrieved February 5, 2024."data-reference="Mandiant Pulse Secure Update May 2021"><sup><a href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank" data-hasqtip="459" aria-describedby="qtip-459">[460]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0633"> S0633 </a> </td> <td> <a href="/software/S0633"> Sliver </a> </td> <td> <p><a href="/software/S0633">Sliver</a> can upload files from the C2 server to the victim machine using the <code>upload</code> command.<span onclick=scrollToRef('scite-461') id="scite-ref-461-a" class="scite-citeref-number" title="BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021."data-reference="GitHub Sliver Upload"><sup><a href="https://github.com/BishopFox/sliver/blob/ea329226636ab8e470086a17f13aa8d330baad22/client/command/filesystem/upload.go" target="_blank" data-hasqtip="460" aria-describedby="qtip-460">[461]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0533"> S0533 </a> </td> <td> <a href="/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/software/S0533">SLOTHFULMEDIA</a> has downloaded files onto a victim machine.<span onclick=scrollToRef('scite-462') id="scite-ref-462-a" class="scite-citeref-number" title="DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020."data-reference="CISA MAR SLOTHFULMEDIA October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="461" aria-describedby="qtip-461">[462]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0218"> S0218 </a> </td> <td> <a href="/software/S0218"> SLOWDRIFT </a> </td> <td> <p><a href="/software/S0218">SLOWDRIFT</a> downloads additional payloads.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="FireEye. (2018, February 20). 
APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1035"> S1035 </a> </td> <td> <a href="/software/S1035"> Small Sieve </a> </td> <td> <p><a href="/software/S1035">Small Sieve</a> has the ability to download files.<span onclick=scrollToRef('scite-463') id="scite-ref-463-a" class="scite-citeref-number" title="NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022."data-reference="NCSC GCHQ Small Sieve Jan 2022"><sup><a href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank" data-hasqtip="462" aria-describedby="qtip-462">[463]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0226"> S0226 </a> </td> <td> <a href="/software/S0226"> Smoke Loader </a> </td> <td> <p><a href="/software/S0226">Smoke Loader</a> downloads a new version of itself once it has installed. It also downloads additional plugins.<span onclick=scrollToRef('scite-464') id="scite-ref-464-a" class="scite-citeref-number" title="Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. 
Retrieved March 20, 2018."data-reference="Malwarebytes SmokeLoader 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" data-hasqtip="463" aria-describedby="qtip-463">[464]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0649"> S0649 </a> </td> <td> <a href="/software/S0649"> SMOKEDHAM </a> </td> <td> <p><a href="/software/S0649">SMOKEDHAM</a> has used PowerShell to download UltraVNC and <a href="/software/S0508">ngrok</a> from third-party file sharing sites.<span onclick=scrollToRef('scite-465') id="scite-ref-465-a" class="scite-citeref-number" title="FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021."data-reference="FireEye SMOKEDHAM June 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank" data-hasqtip="464" aria-describedby="qtip-464">[465]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1086"> S1086 </a> </td> <td> <a href="/software/S1086"> Snip3 </a> </td> <td> <p><a href="/software/S1086">Snip3</a> can download additional payloads to compromised systems.<span onclick=scrollToRef('scite-466') id="scite-ref-466-a" class="scite-citeref-number" title="Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023."data-reference="Morphisec Snip3 May 2021"><sup><a href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank" data-hasqtip="465" aria-describedby="qtip-465">[466]</a></sup></span><span onclick=scrollToRef('scite-467') id="scite-ref-467-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. 
Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="466" aria-describedby="qtip-466">[467]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1124"> S1124 </a> </td> <td> <a href="/software/S1124"> SocGholish </a> </td> <td> <p><a href="/software/S1124">SocGholish</a> can download additional malware to infected hosts.<span onclick=scrollToRef('scite-468') id="scite-ref-468-a" class="scite-citeref-number" title="Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024."data-reference="Red Canary SocGholish March 2024"><sup><a href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank" data-hasqtip="467" aria-describedby="qtip-467">[468]</a></sup></span><span onclick=scrollToRef('scite-469') id="scite-ref-469-a" class="scite-citeref-number" title="Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024."data-reference="Secureworks Gold Prelude Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/gold-prelude" target="_blank" data-hasqtip="468" aria-describedby="qtip-468">[469]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0627"> S0627 </a> </td> <td> <a href="/software/S0627"> SodaMaster </a> </td> <td> <p><a href="/software/S0627">SodaMaster</a> has the ability to download additional payloads from C2 to the targeted system.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. 
Retrieved June 17, 2021."data-reference="Securelist APT10 March 2021"><sup><a href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> downloaded additional malware, such as <a href="/software/S0560">TEARDROP</a> and <a href="/software/S0154">Cobalt Strike</a>, onto a compromised host following initial access.<span onclick=scrollToRef('scite-470') id="scite-ref-470-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="469" aria-describedby="qtip-469">[470]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0615"> S0615 </a> </td> <td> <a href="/software/S0615"> SombRAT </a> </td> <td> <p><a href="/software/S0615">SombRAT</a> has the ability to download and execute additional payloads.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. 
Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span><span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span><span onclick=scrollToRef('scite-471') id="scite-ref-471-a" class="scite-citeref-number" title="CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021."data-reference="CISA AR21-126A FIVEHANDS May 2021"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank" data-hasqtip="470" aria-describedby="qtip-470">[471]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0516"> S0516 </a> </td> <td> <a href="/software/S0516"> SoreFang </a> </td> <td> <p><a href="/software/S0516">SoreFang</a> can download additional payloads from C2.<span onclick=scrollToRef('scite-472') id="scite-ref-472-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="471" aria-describedby="qtip-471">[472]</a></sup></span><span onclick=scrollToRef('scite-473') id="scite-ref-473-a" class="scite-citeref-number" title="National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. 
Retrieved September 29, 2020."data-reference="NCSC APT29 July 2020"><sup><a href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank" data-hasqtip="472" aria-describedby="qtip-472">[473]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0374"> S0374 </a> </td> <td> <a href="/software/S0374"> SpeakUp </a> </td> <td> <p><a href="/software/S0374">SpeakUp</a> downloads and executes additional files from a remote server. <span onclick=scrollToRef('scite-474') id="scite-ref-474-a" class="scite-citeref-number" title="Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019."data-reference="CheckPoint SpeakUp Feb 2019"><sup><a href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank" data-hasqtip="473" aria-describedby="qtip-473">[474]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1140"> S1140 </a> </td> <td> <a href="/software/S1140"> Spica </a> </td> <td> <p><a href="/software/S1140">Spica</a> can upload and download files to and from compromised hosts.<span onclick=scrollToRef('scite-475') id="scite-ref-475-a" class="scite-citeref-number" title="Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024."data-reference="Google TAG COLDRIVER January 2024"><sup><a href="https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" target="_blank" data-hasqtip="474" aria-describedby="qtip-474">[475]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0646"> S0646 </a> </td> <td> <a href="/software/S0646"> SpicyOmelette </a> </td> <td> <p><a href="/software/S0646">SpicyOmelette</a> can download malicious files from threat actor-controlled AWS URLs.<span onclick=scrollToRef('scite-476') id="scite-ref-476-a" class="scite-citeref-number" title="CTU. 
(2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021."data-reference="Secureworks GOLD KINGSWOOD September 2018"><sup><a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank" data-hasqtip="475" aria-describedby="qtip-475">[476]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0390"> S0390 </a> </td> <td> <a href="/software/S0390"> SQLRat </a> </td> <td> <p><a href="/software/S0390">SQLRat</a> can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.<span onclick=scrollToRef('scite-477') id="scite-ref-477-a" class="scite-citeref-number" title="Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019."data-reference="Flashpoint FIN 7 March 2019"><sup><a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="476" aria-describedby="qtip-476">[477]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1030"> S1030 </a> </td> <td> <a href="/software/S1030"> Squirrelwaffle </a> </td> <td> <p><a href="/software/S1030">Squirrelwaffle</a> has downloaded and executed additional encoded payloads.<span onclick=scrollToRef('scite-478') id="scite-ref-478-a" class="scite-citeref-number" title="Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022."data-reference="ZScaler Squirrelwaffle Sep 2021"><sup><a href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank" data-hasqtip="477" aria-describedby="qtip-477">[478]</a></sup></span><span onclick=scrollToRef('scite-479') id="scite-ref-479-a" class="scite-citeref-number" title="Palazolo, G. 
(2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022."data-reference="Netskope Squirrelwaffle Oct 2021"><sup><a href="https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot" target="_blank" data-hasqtip="478" aria-describedby="qtip-478">[479]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1112"> S1112 </a> </td> <td> <a href="/software/S1112"> STEADYPULSE </a> </td> <td> <p><a href="/software/S1112">STEADYPULSE</a> can add lines to a Perl script on a targeted server to import additional Perl modules.<span onclick=scrollToRef('scite-480') id="scite-ref-480-a" class="scite-citeref-number" title="Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024."data-reference="Mandiant Pulse Secure Zero-Day April 2021"><sup><a href="https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" target="_blank" data-hasqtip="479" aria-describedby="qtip-479">[480]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0380"> S0380 </a> </td> <td> <a href="/software/S0380"> StoneDrill </a> </td> <td> <p><a href="/software/S0380">StoneDrill</a> has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.<span onclick=scrollToRef('scite-481') id="scite-ref-481-a" class="scite-citeref-number" title="Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. 
Retrieved March 14, 2019."data-reference="Kaspersky StoneDrill 2017"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank" data-hasqtip="480" aria-describedby="qtip-480">[481]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1034"> S1034 </a> </td> <td> <a href="/software/S1034"> StrifeWater </a> </td> <td> <p><a href="/software/S1034">StrifeWater</a> can download updates and auxiliary modules.<span onclick=scrollToRef('scite-482') id="scite-ref-482-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022."data-reference="Cybereason StrifeWater Feb 2022"><sup><a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank" data-hasqtip="481" aria-describedby="qtip-481">[482]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0491"> S0491 </a> </td> <td> <a href="/software/S0491"> StrongPity </a> </td> <td> <p><a href="/software/S0491">StrongPity</a> can download files to specified targets.<span onclick=scrollToRef('scite-483') id="scite-ref-483-a" class="scite-citeref-number" title="Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. 
Retrieved July 20, 2020."data-reference="Bitdefender StrongPity June 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank" data-hasqtip="482" aria-describedby="qtip-482">[483]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0559"> S0559 </a> </td> <td> <a href="/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/software/S0559">SUNBURST</a> delivered different payloads, including <a href="/software/S0560">TEARDROP</a> in at least one instance.<span onclick=scrollToRef('scite-470') id="scite-ref-470-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="469" aria-describedby="qtip-469">[470]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1064"> S1064 </a> </td> <td> <a href="/software/S1064"> SVCReady </a> </td> <td> <p><a href="/software/S1064">SVCReady</a> has the ability to download additional tools such as the RedLine Stealer to an infected host.<span onclick=scrollToRef('scite-484') id="scite-ref-484-a" class="scite-citeref-number" title="Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. 
Retrieved December 13, 2022."data-reference="HP SVCReady Jun 2022"><sup><a href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank" data-hasqtip="483" aria-describedby="qtip-483">[484]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0663"> S0663 </a> </td> <td> <a href="/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/software/S0663">SysUpdate</a> has the ability to download files to a compromised host.<span onclick=scrollToRef('scite-379') id="scite-ref-379-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="378" aria-describedby="qtip-378">[379]</a></sup></span><span onclick=scrollToRef('scite-485') id="scite-ref-485-a" class="scite-citeref-number" title="Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023."data-reference="Lunghi Iron Tiger Linux"><sup><a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="484" aria-describedby="qtip-484">[485]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1018"> G1018 </a> </td> <td> <a href="/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/groups/G1018">TA2541</a> has used malicious scripts and macros with the ability to download additional payloads.<span onclick=scrollToRef('scite-486') id="scite-ref-486-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. 
Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021"><sup><a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="485" aria-describedby="qtip-485">[486]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0092"> G0092 </a> </td> <td> <a href="/groups/G0092"> TA505 </a> </td> <td> <p><a href="/groups/G0092">TA505</a> has downloaded additional malware to execute on victim systems.<span onclick=scrollToRef('scite-487') id="scite-ref-487-a" class="scite-citeref-number" title="Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019."data-reference="Cybereason TA505 April 2019"><sup><a href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank" data-hasqtip="486" aria-describedby="qtip-486">[487]</a></sup></span><span onclick=scrollToRef('scite-447') id="scite-ref-447-a" class="scite-citeref-number" title="Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024."data-reference="Deep Instinct TA505 Apr 2019"><sup><a href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank" data-hasqtip="446" aria-describedby="qtip-446">[447]</a></sup></span><span onclick=scrollToRef('scite-488') id="scite-ref-488-a" class="scite-citeref-number" title="Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. 
Retrieved April 19, 2019."data-reference="ProofPoint SettingContent-ms July 2018"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" target="_blank" data-hasqtip="487" aria-describedby="qtip-487">[488]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0127"> G0127 </a> </td> <td> <a href="/groups/G0127"> TA551 </a> </td> <td> <p><a href="/groups/G0127">TA551</a> has retrieved DLLs and installer binaries for malware execution from C2.<span onclick=scrollToRef('scite-489') id="scite-ref-489-a" class="scite-citeref-number" title="Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021."data-reference="Unit 42 TA551 Jan 2021"><sup><a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" target="_blank" data-hasqtip="488" aria-describedby="qtip-488">[489]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0011"> S0011 </a> </td> <td> <a href="/software/S0011"> Taidoor </a> </td> <td> <p><a href="/software/S0011">Taidoor</a> has downloaded additional files onto a compromised host.<span onclick=scrollToRef('scite-490') id="scite-ref-490-a" class="scite-citeref-number" title="Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014."data-reference="TrendMicro Taidoor"><sup><a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank" data-hasqtip="489" aria-describedby="qtip-489">[490]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0586"> S0586 </a> </td> <td> <a href="/software/S0586"> TAINTEDSCRIBE </a> </td> <td> <p><a href="/software/S0586">TAINTEDSCRIBE</a> can download additional modules from its C2 server.<span onclick=scrollToRef('scite-491') id="scite-ref-491-a" class="scite-citeref-number" title="USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. 
Retrieved March 5, 2021."data-reference="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" data-hasqtip="490" aria-describedby="qtip-490">[491]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0164"> S0164 </a> </td> <td> <a href="/software/S0164"> TDTESS </a> </td> <td> <p><a href="/software/S0164">TDTESS</a> has a command to download and execute an additional file.<span onclick=scrollToRef('scite-492') id="scite-ref-492-a" class="scite-citeref-number" title="ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017."data-reference="ClearSky Wilted Tulip July 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank" data-hasqtip="491" aria-describedby="qtip-491">[492]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0139"> G0139 </a> </td> <td> <a href="/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used the <code>curl</code> and <code>wget</code> commands, as well as batch scripts, to download new tools.<span onclick=scrollToRef('scite-493') id="scite-ref-493-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="492" aria-describedby="qtip-492">[493]</a></sup></span><span onclick=scrollToRef('scite-494') id="scite-ref-494-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="493" aria-describedby="qtip-493">[494]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0595"> S0595 </a> </td> <td> <a href="/software/S0595"> ThiefQuest </a> </td> <td> <p><a href="/software/S0595">ThiefQuest</a> can download and execute payloads in-memory or from disk.<span onclick=scrollToRef('scite-495') id="scite-ref-495-a" class="scite-citeref-number" title="Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021."data-reference="wardle evilquest partii"><sup><a href="https://objective-see.com/blog/blog_0x60.html" target="_blank" data-hasqtip="494" aria-describedby="qtip-494">[495]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0027"> G0027 </a> </td> <td> <a href="/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/groups/G0027">Threat Group-3390</a> has downloaded additional malware and tools, including through the use of <code>certutil</code>, onto a compromised host.<span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><sup><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a></sup></span><span onclick=scrollToRef('scite-496') id="scite-ref-496-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. 
Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="495" aria-describedby="qtip-495">[496]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0665"> S0665 </a> </td> <td> <a href="/software/S0665"> ThreatNeedle </a> </td> <td> <p><a href="/software/S0665">ThreatNeedle</a> can download additional tools to enable lateral movement.<span onclick=scrollToRef('scite-292') id="scite-ref-292-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="291" aria-describedby="qtip-291">[292]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0668"> S0668 </a> </td> <td> <a href="/software/S0668"> TinyTurla </a> </td> <td> <p><a href="/software/S0668">TinyTurla</a> has the ability to act as a second-stage dropper used to infect the system with additional malware.<span onclick=scrollToRef('scite-497') id="scite-ref-497-a" class="scite-citeref-number" title="Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021."data-reference="Talos TinyTurla September 2021"><sup><a href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank" data-hasqtip="496" aria-describedby="qtip-496">[497]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0671"> S0671 </a> </td> <td> <a href="/software/S0671"> Tomiris </a> </td> <td> <p><a href="/software/S0671">Tomiris</a> can download files and execute them on a victim's system.<span onclick=scrollToRef('scite-498') id="scite-ref-498-a" class="scite-citeref-number" title="Kwiatkoswki, I. 
and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021."data-reference="Kaspersky Tomiris Sep 2021"><sup><a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" data-hasqtip="497" aria-describedby="qtip-497">[498]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0131"> G0131 </a> </td> <td> <a href="/groups/G0131"> Tonto Team </a> </td> <td> <p><a href="/groups/G0131">Tonto Team</a> has downloaded malicious DLLs which served as a <a href="/software/S0596">ShadowPad</a> loader.<span onclick=scrollToRef('scite-499') id="scite-ref-499-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021."data-reference="ESET Exchange Mar 2021"><sup><a href="https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" target="_blank" data-hasqtip="498" aria-describedby="qtip-498">[499]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0266"> S0266 </a> </td> <td> <a href="/software/S0266"> TrickBot </a> </td> <td> <p><a href="/software/S0266">TrickBot</a> downloads several additional files and saves them to the victim's machine.<span onclick=scrollToRef('scite-500') id="scite-ref-500-a" class="scite-citeref-number" title="Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018."data-reference="Trend Micro Totbrick Oct 2016"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" target="_blank" data-hasqtip="499" aria-describedby="qtip-499">[500]</a></sup></span><span onclick=scrollToRef('scite-501') id="scite-ref-501-a" class="scite-citeref-number" title="Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. 
Retrieved September 28, 2021."data-reference="Bitdefender Trickbot VNC module Whitepaper 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf" target="_blank" data-hasqtip="500" aria-describedby="qtip-500">[501]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0094"> S0094 </a> </td> <td> <a href="/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/software/S0094">Trojan.Karagany</a> can upload, download, and execute files on the victim.<span onclick=scrollToRef('scite-502') id="scite-ref-502-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="501" aria-describedby="qtip-501">[502]</a></sup></span><span onclick=scrollToRef('scite-503') id="scite-ref-503-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="502" aria-describedby="qtip-502">[503]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0081"> G0081 </a> </td> <td> <a href="/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/groups/G0081">Tropic Trooper</a> has used a delivered trojan to download additional files.<span onclick=scrollToRef('scite-504') id="scite-ref-504-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. 
Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020"><sup><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="503" aria-describedby="qtip-503">[504]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0436"> S0436 </a> </td> <td> <a href="/software/S0436"> TSCookie </a> </td> <td> <p><a href="/software/S0436">TSCookie</a> has the ability to upload and download files to and from the infected host.<span onclick=scrollToRef('scite-505') id="scite-ref-505-a" class="scite-citeref-number" title="Tomonaga, S. (2018, March 6). Malware "TSCookie". Retrieved May 6, 2020."data-reference="JPCert TSCookie March 2018"><sup><a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="504" aria-describedby="qtip-504">[505]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0647"> S0647 </a> </td> <td> <a href="/software/S0647"> Turian </a> </td> <td> <p><a href="/software/S0647">Turian</a> can download additional files and tools from its C2.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021"data-reference="ESET BackdoorDiplomacy Jun 2021"><sup><a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p><a href="/groups/G0010">Turla</a> has used shellcode to download Meterpreter after compromising a victim.<span onclick=scrollToRef('scite-506') id="scite-ref-506-a" class="scite-citeref-number" title="ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. 
Retrieved July 3, 2018."data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="505" aria-describedby="qtip-505">[506]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0199"> S0199 </a> </td> <td> <a href="/software/S0199"> TURNEDUP </a> </td> <td> <p><a href="/software/S0199">TURNEDUP</a> is capable of downloading additional files.<span onclick=scrollToRef('scite-507') id="scite-ref-507-a" class="scite-citeref-number" title="O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018."data-reference="FireEye APT33 Sept 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="506" aria-describedby="qtip-506">[507]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0263"> S0263 </a> </td> <td> <a href="/software/S0263"> TYPEFRAME </a> </td> <td> <p><a href="/software/S0263">TYPEFRAME</a> can upload and download files to the victim’s machine.<span onclick=scrollToRef('scite-508') id="scite-ref-508-a" class="scite-citeref-number" title="US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018."data-reference="US-CERT TYPEFRAME June 2018"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" data-hasqtip="507" aria-describedby="qtip-507">[508]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0333"> S0333 </a> </td> <td> <a href="/software/S0333"> UBoatRAT </a> </td> <td> <p><a href="/software/S0333">UBoatRAT</a> can upload and download files to the victim’s machine.<span onclick=scrollToRef('scite-509') id="scite-ref-509-a" class="scite-citeref-number" title="Hayashi, K. (2017, November 28). 
UBoatRAT Navigates East Asia. Retrieved January 12, 2018."data-reference="PaloAlto UBoatRAT Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" target="_blank" data-hasqtip="508" aria-describedby="qtip-508">[509]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0130"> S0130 </a> </td> <td> <a href="/software/S0130"> Unknown Logger </a> </td> <td> <p><a href="/software/S0130">Unknown Logger</a> is capable of downloading remote files.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0275"> S0275 </a> </td> <td> <a href="/software/S0275"> UPPERCUT </a> </td> <td> <p><a href="/software/S0275">UPPERCUT</a> can download and upload files to and from the victim’s machine.<span onclick=scrollToRef('scite-510') id="scite-ref-510-a" class="scite-citeref-number" title="Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. 
Retrieved September 17, 2018."data-reference="FireEye APT10 Sept 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="509" aria-describedby="qtip-509">[510]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0022"> S0022 </a> </td> <td> <a href="/software/S0022"> Uroburos </a> </td> <td> <p><a href="/software/S0022">Uroburos</a> can use a <code>Put</code> command to write files to an infected machine.<span onclick=scrollToRef('scite-511') id="scite-ref-511-a" class="scite-citeref-number" title="FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023."data-reference="Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023"><sup><a href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank" data-hasqtip="510" aria-describedby="qtip-510">[511]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0386"> S0386 </a> </td> <td> <a href="/software/S0386"> Ursnif </a> </td> <td> <p><a href="/software/S0386">Ursnif</a> has dropped payload and configuration files to disk. <a href="/software/S0386">Ursnif</a> has also been used to download and execute additional payloads.<span onclick=scrollToRef('scite-512') id="scite-ref-512-a" class="scite-citeref-number" title="Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019."data-reference="TrendMicro PE_URSNIF.A2"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="511" aria-describedby="qtip-511">[512]</a></sup></span><span onclick=scrollToRef('scite-513') id="scite-ref-513-a" class="scite-citeref-number" title="Sioting, S. (2013, June 15). BKDR_URSNIF.SM. 
Retrieved June 5, 2019."data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="512" aria-describedby="qtip-512">[513]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0476"> S0476 </a> </td> <td> <a href="/software/S0476"> Valak </a> </td> <td> <p><a href="/software/S0476">Valak</a> has downloaded a variety of modules and payloads to the compromised host, including <a href="/software/S0483">IcedID</a> and NetSupport Manager RAT-based malware.<span onclick=scrollToRef('scite-514') id="scite-ref-514-a" class="scite-citeref-number" title="Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020."data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="513" aria-describedby="qtip-513">[514]</a></sup></span><span onclick=scrollToRef('scite-515') id="scite-ref-515-a" class="scite-citeref-number" title="Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="514" aria-describedby="qtip-514">[515]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0636"> S0636 </a> </td> <td> <a href="/software/S0636"> VaporRage </a> </td> <td> <p><a href="/software/S0636">VaporRage</a> has the ability to download malicious shellcode to compromised systems.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0207"> S0207 </a> </td> <td> <a href="/software/S0207"> Vasport </a> </td> <td> <p><a href="/software/S0207">Vasport</a> can download files.<span onclick=scrollToRef('scite-516') id="scite-ref-516-a" class="scite-citeref-number" title="Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018."data-reference="Symantec Vasport May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99" target="_blank" data-hasqtip="515" aria-describedby="qtip-515">[516]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0442"> S0442 </a> </td> <td> <a href="/software/S0442"> VBShower </a> </td> <td> <p><a href="/software/S0442">VBShower</a> has the ability to download VBS files to the target computer.<span onclick=scrollToRef('scite-517') id="scite-ref-517-a" class="scite-citeref-number" title="GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."data-reference="Kaspersky Cloud Atlas August 2019"><sup><a href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank" data-hasqtip="516" aria-describedby="qtip-516">[517]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0257"> S0257 </a> </td> <td> <a href="/software/S0257"> VERMIN </a> </td> <td> <p><a href="/software/S0257">VERMIN</a> can download and upload files to the victim's machine.<span onclick=scrollToRef('scite-518') id="scite-ref-518-a" class="scite-citeref-number" title="Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. 
Retrieved July 5, 2018."data-reference="Unit 42 VERMIN Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="517" aria-describedby="qtip-517">[518]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0123"> G0123 </a> </td> <td> <a href="/groups/G0123"> Volatile Cedar </a> </td> <td> <p><a href="/groups/G0123">Volatile Cedar</a> can deploy additional tools.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, January). "Lebanese Cedar" APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021."data-reference="ClearSky Lebanese Cedar Jan 2021"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0180"> S0180 </a> </td> <td> <a href="/software/S0180"> Volgmer </a> </td> <td> <p><a href="/software/S0180">Volgmer</a> can download remote files and additional payloads to the victim's machine.<span onclick=scrollToRef('scite-519') id="scite-ref-519-a" class="scite-citeref-number" title="US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017."data-reference="US-CERT Volgmer Nov 2017"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank" data-hasqtip="518" aria-describedby="qtip-518">[519]</a></sup></span><span onclick=scrollToRef('scite-520') id="scite-ref-520-a" class="scite-citeref-number" title="US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. 
Retrieved July 16, 2018."data-reference="US-CERT Volgmer 2 Nov 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank" data-hasqtip="519" aria-describedby="qtip-519">[520]</a></sup></span><span onclick=scrollToRef('scite-521') id="scite-ref-521-a" class="scite-citeref-number" title="Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018."data-reference="Symantec Volgmer Aug 2014"><sup><a href="https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2" target="_blank" data-hasqtip="520" aria-describedby="qtip-520">[521]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/groups/G1017">Volt Typhoon</a> has downloaded an outdated version of comsvcs.dll to a compromised domain controller in a non-standard folder.<span onclick=scrollToRef('scite-522') id="scite-ref-522-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="521" aria-describedby="qtip-521">[522]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0670"> S0670 </a> </td> <td> <a href="/software/S0670"> WarzoneRAT </a> </td> <td> <p><a href="/software/S0670">WarzoneRAT</a> can download and execute additional files.<span onclick=scrollToRef('scite-523') id="scite-ref-523-a" class="scite-citeref-number" title="Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. 
Retrieved December 17, 2021."data-reference="Check Point Warzone Feb 2020"><sup><a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="522" aria-describedby="qtip-522">[523]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0037"> C0037 </a> </td> <td> <a href="/campaigns/C0037"> Water Curupira Pikabot Distribution </a> </td> <td> <p><a href="https://attack.mitre.org/campaigns/C0037">Water Curupira Pikabot Distribution</a> used Curl.exe to download the <a href="/software/S1145">Pikabot</a> payload from an external server, saving the file to the victim machine's temporary directory.<span onclick=scrollToRef('scite-524') id="scite-ref-524-a" class="scite-citeref-number" title="Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024."data-reference="TrendMicro Pikabot 2024"><sup><a href="https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html" target="_blank" data-hasqtip="523" aria-describedby="qtip-523">[524]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0579"> S0579 </a> </td> <td> <a href="/software/S0579"> Waterbear </a> </td> <td> <p><a href="/software/S0579">Waterbear</a> can receive and load executables from remote C2 servers.<span onclick=scrollToRef('scite-525') id="scite-ref-525-a" class="scite-citeref-number" title="Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. 
Retrieved February 22, 2021."data-reference="Trend Micro Waterbear December 2019"><sup><a href="https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" target="_blank" data-hasqtip="524" aria-describedby="qtip-524">[525]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0109"> S0109 </a> </td> <td> <a href="/software/S0109"> WEBC2 </a> </td> <td> <p><a href="/software/S0109">WEBC2</a> can download and execute a file.<span onclick=scrollToRef('scite-526') id="scite-ref-526-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="525" aria-describedby="qtip-525">[526]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0515"> S0515 </a> </td> <td> <a href="/software/S0515"> WellMail </a> </td> <td> <p><a href="/software/S0515">WellMail</a> can receive data and executable scripts from C2.<span onclick=scrollToRef('scite-527') id="scite-ref-527-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020."data-reference="CISA WellMail July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank" data-hasqtip="526" aria-describedby="qtip-526">[527]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0514"> S0514 </a> </td> <td> <a href="/software/S0514"> WellMess </a> </td> <td> <p><a href="/software/S0514">WellMess</a> can write files to a compromised host.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. 
Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-528') id="scite-ref-528-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020."data-reference="CISA WellMess July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" data-hasqtip="527" aria-describedby="qtip-527">[528]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0689"> S0689 </a> </td> <td> <a href="/software/S0689"> WhisperGate </a> </td> <td> <p><a href="/software/S0689">WhisperGate</a> can download additional stages of malware from a Discord CDN channel.<span onclick=scrollToRef('scite-529') id="scite-ref-529-a" class="scite-citeref-number" title="MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022."data-reference="Microsoft WhisperGate January 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" target="_blank" data-hasqtip="528" aria-describedby="qtip-528">[529]</a></sup></span><span onclick=scrollToRef('scite-530') id="scite-ref-530-a" class="scite-citeref-number" title="Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022."data-reference="Unit 42 WhisperGate January 2022"><sup><a href="https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family" target="_blank" data-hasqtip="529" aria-describedby="qtip-529">[530]</a></sup></span><span onclick=scrollToRef('scite-531') id="scite-ref-531-a" class="scite-citeref-number" title="Biasini, N. et al.. (2022, January 21). 
Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022."data-reference="Cisco Ukraine Wipers January 2022"><sup><a href="https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html" target="_blank" data-hasqtip="530" aria-describedby="qtip-530">[531]</a></sup></span><span onclick=scrollToRef('scite-532') id="scite-ref-532-a" class="scite-citeref-number" title="S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022."data-reference="Medium S2W WhisperGate January 2022"><sup><a href="https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3" target="_blank" data-hasqtip="531" aria-describedby="qtip-531">[532]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0107"> G0107 </a> </td> <td> <a href="/groups/G0107"> Whitefly </a> </td> <td> <p><a href="/groups/G0107">Whitefly</a> has the ability to download additional tools from the C2.<span onclick=scrollToRef('scite-533') id="scite-ref-533-a" class="scite-citeref-number" title="Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."data-reference="Symantec Whitefly March 2019"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" target="_blank" data-hasqtip="532" aria-describedby="qtip-532">[533]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0206"> S0206 </a> </td> <td> <a href="/software/S0206"> Wiarp </a> </td> <td> <p><a href="/software/S0206">Wiarp</a> creates a backdoor through which remote attackers can download files.<span onclick=scrollToRef('scite-534') id="scite-ref-534-a" class="scite-citeref-number" title="Zhou, R. (2012, May 15). Backdoor.Wiarp. 
Retrieved February 22, 2018."data-reference="Symantec Wiarp May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99" target="_blank" data-hasqtip="533" aria-describedby="qtip-533">[534]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0112"> G0112 </a> </td> <td> <a href="/groups/G0112"> Windshift </a> </td> <td> <p><a href="/groups/G0112">Windshift</a> has used tools to deploy additional payloads to compromised hosts.<span onclick=scrollToRef('scite-535') id="scite-ref-535-a" class="scite-citeref-number" title="The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."data-reference="BlackBerry Bahamut"><sup><a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank" data-hasqtip="534" aria-describedby="qtip-534">[535]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0430"> S0430 </a> </td> <td> <a href="/software/S0430"> Winnti for Linux </a> </td> <td> <p><a href="/software/S0430">Winnti for Linux</a> has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. <span onclick=scrollToRef('scite-536') id="scite-ref-536-a" class="scite-citeref-number" title="Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. 
Retrieved April 29, 2020."data-reference="Chronicle Winnti for Linux May 2019"><sup><a href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank" data-hasqtip="535" aria-describedby="qtip-535">[536]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0141"> S0141 </a> </td> <td> <a href="/software/S0141"> Winnti for Windows </a> </td> <td> <p>The <a href="/software/S0141">Winnti for Windows</a> dropper can place malicious payloads on targeted systems.<span onclick=scrollToRef('scite-537') id="scite-ref-537-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017."data-reference="Novetta Winnti April 2015"><sup><a href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank" data-hasqtip="536" aria-describedby="qtip-536">[537]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0044"> G0044 </a> </td> <td> <a href="/groups/G0044"> Winnti Group </a> </td> <td> <p><a href="/groups/G0044">Winnti Group</a> has downloaded an auxiliary program named ff.exe to infected machines.<span onclick=scrollToRef('scite-538') id="scite-ref-538-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. 
Retrieved February 8, 2017."data-reference="Kaspersky Winnti April 2013"><sup><a href="https://securelist.com/winnti-more-than-just-a-game/37029/" target="_blank" data-hasqtip="537" aria-describedby="qtip-537">[538]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1035"> G1035 </a> </td> <td> <a href="/groups/G1035"> Winter Vivern </a> </td> <td> <p><a href="/groups/G1035">Winter Vivern</a> executed PowerShell scripts to create scheduled tasks to retrieve remotely-hosted payloads.<span onclick=scrollToRef('scite-539') id="scite-ref-539-a" class="scite-citeref-number" title="Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024."data-reference="DomainTools WinterVivern 2021"><sup><a href="https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/" target="_blank" data-hasqtip="538" aria-describedby="qtip-538">[539]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1115"> S1115 </a> </td> <td> <a href="/software/S1115"> WIREFIRE </a> </td> <td> <p><a href="/software/S1115">WIREFIRE</a> has the ability to download files to compromised devices.<span onclick=scrollToRef('scite-540') id="scite-ref-540-a" class="scite-citeref-number" title="McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. 
Retrieved February 27, 2024."data-reference="Mandiant Cutting Edge January 2024"><sup><a href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" target="_blank" data-hasqtip="539" aria-describedby="qtip-539">[540]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0090"> G0090 </a> </td> <td> <a href="/groups/G0090"> WIRTE </a> </td> <td> <p><a href="/groups/G0090">WIRTE</a> has downloaded PowerShell code from the C2 server to be executed.<span onclick=scrollToRef('scite-541') id="scite-ref-541-a" class="scite-citeref-number" title="S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019."data-reference="Lab52 WIRTE Apr 2019"><sup><a href="https://lab52.io/blog/wirte-group-attacking-the-middle-east/" target="_blank" data-hasqtip="540" aria-describedby="qtip-540">[541]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0102"> G0102 </a> </td> <td> <a href="/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/groups/G0102">Wizard Spider</a> can transfer malicious payloads such as ransomware to compromised machines.<span onclick=scrollToRef('scite-542') id="scite-ref-542-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. 
Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021"><sup><a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="541" aria-describedby="qtip-541">[542]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1065"> S1065 </a> </td> <td> <a href="/software/S1065"> Woody RAT </a> </td> <td> <p><a href="/software/S1065">Woody RAT</a> can download files from its C2 server, including the .NET DLLs, <code>WoodySharpExecutor</code> and <code>WoodyPowerSession</code>.<span onclick=scrollToRef('scite-543') id="scite-ref-543-a" class="scite-citeref-number" title="MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022."data-reference="MalwareBytes WoodyRAT Aug 2022"><sup><a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank" data-hasqtip="542" aria-describedby="qtip-542">[543]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0341"> S0341 </a> </td> <td> <a href="/software/S0341"> Xbash </a> </td> <td> <p><a href="/software/S0341">Xbash</a> can download additional malicious files from its C2 server.<span onclick=scrollToRef('scite-544') id="scite-ref-544-a" class="scite-citeref-number" title="Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. 
Retrieved November 14, 2018."data-reference="Unit42 Xbash Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank" data-hasqtip="543" aria-describedby="qtip-543">[544]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0653"> S0653 </a> </td> <td> <a href="/software/S0653"> xCaon </a> </td> <td> <p><a href="/software/S0653">xCaon</a> has a command to download files to the victim's machine.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021"><sup><a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0658"> S0658 </a> </td> <td> <a href="/software/S0658"> XCSSET </a> </td> <td> <p><a href="/software/S0658">XCSSET</a> downloads browser specific AppleScript modules using a constructed URL with the <code>curl</code> command, <code>https://" & domain & "/agent/scripts/" & moduleName & ".applescript</code>.<span onclick=scrollToRef('scite-545') id="scite-ref-545-a" class="scite-citeref-number" title="Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. 
Retrieved October 5, 2021."data-reference="trendmicro xcsset xcode project 2020"><sup><a href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank" data-hasqtip="544" aria-describedby="qtip-544">[545]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0388"> S0388 </a> </td> <td> <a href="/software/S0388"> YAHOYAH </a> </td> <td> <p><a href="/software/S0388">YAHOYAH</a> uses HTTP GET requests to download other files that are executed in memory.<span onclick=scrollToRef('scite-546') id="scite-ref-546-a" class="scite-citeref-number" title="Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."data-reference="TrendMicro TropicTrooper 2015"><sup><a href="https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" target="_blank" data-hasqtip="545" aria-describedby="qtip-545">[546]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0251"> S0251 </a> </td> <td> <a href="/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/software/S0251">Zebrocy</a> obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.<span onclick=scrollToRef('scite-547') id="scite-ref-547-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="546" aria-describedby="qtip-546">[547]</a></sup></span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. 
Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span><span onclick=scrollToRef('scite-548') id="scite-ref-548-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="547" aria-describedby="qtip-547">[548]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0230"> S0230 </a> </td> <td> <a href="/software/S0230"> ZeroT </a> </td> <td> <p><a href="/software/S0230">ZeroT</a> can download additional payloads onto the victim.<span onclick=scrollToRef('scite-549') id="scite-ref-549-a" class="scite-citeref-number" title="Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. 
Retrieved April 5, 2018."data-reference="Proofpoint ZeroT Feb 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank" data-hasqtip="548" aria-describedby="qtip-548">[549]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0330"> S0330 </a> </td> <td> <a href="/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/software/S0330">Zeus Panda</a> can download additional malware plug-in modules and execute them on the victim’s machine.<span onclick=scrollToRef('scite-550') id="scite-ref-550-a" class="scite-citeref-number" title="Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018."data-reference="GDATA Zeus Panda June 2017"><sup><a href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank" data-hasqtip="549" aria-describedby="qtip-549">[550]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1114"> S1114 </a> </td> <td> <a href="/software/S1114"> ZIPLINE </a> </td> <td> <p><a href="/software/S1114">ZIPLINE</a> can download files to be saved on the compromised system.<span onclick=scrollToRef('scite-540') id="scite-ref-540-a" class="scite-citeref-number" title="McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024."data-reference="Mandiant Cutting Edge January 2024"><sup><a href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" target="_blank" data-hasqtip="539" aria-describedby="qtip-539">[540]</a></sup></span><span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. 
Retrieved February 27, 2024."data-reference="Mandiant Cutting Edge Part 2 January 2024"><sup><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0128"> G0128 </a> </td> <td> <a href="/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/groups/G0128">ZIRCONIUM</a> has used tools to download malicious files to compromised hosts.<span onclick=scrollToRef('scite-551') id="scite-ref-551-a" class="scite-citeref-number" title="Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021."data-reference="Zscaler APT31 Covid-19 October 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="550" aria-describedby="qtip-550">[551]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0086"> S0086 </a> </td> <td> <a href="/software/S0086"> ZLib </a> </td> <td> <p><a href="/software/S0086">ZLib</a> has the ability to download files.<span onclick=scrollToRef('scite-332') id="scite-ref-332-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="331" aria-describedby="qtip-331">[332]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0672"> S0672 </a> </td> <td> <a href="/software/S0672"> Zox </a> </td> <td> <p><a href="/software/S0672">Zox</a> can download files to a compromised machine.<span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" title="Novetta. (n.d.). 
Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0412"> S0412 </a> </td> <td> <a href="/software/S0412"> ZxShell </a> </td> <td> <p><a href="/software/S0412">ZxShell</a> has a command to transfer files from a remote host.<span onclick=scrollToRef('scite-552') id="scite-ref-552-a" class="scite-citeref-number" title="Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019."data-reference="Talos ZxShell Oct 2014"><sup><a href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank" data-hasqtip="551" aria-describedby="qtip-551">[552]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1013"> S1013 </a> </td> <td> <a href="/software/S1013"> ZxxZ </a> </td> <td> <p><a href="/software/S1013">ZxxZ</a> can download and execute additional files.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. 
Retrieved June 1, 2022."data-reference="Cisco Talos Bitter Bangladesh May 2022"><sup><a href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1031"> M1031 </a> </td> <td> <a href="/mitigations/M1031"> Network Intrusion Prevention </a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.<span onclick=scrollToRef('scite-553') id="scite-ref-553-a" class="scite-citeref-number" title="Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. 
Retrieved April 20, 2016."data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="552" aria-describedby="qtip-552">[553]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments for suspicious activity associated with downloading external content (e.g., invocations of curl, PowerShell, or other LOLBAS utilities mapped to this technique).</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Creation">File Creation</a> </td> <td> <p>Monitor for file creation and files transferred into the network, particularly executables, DLLs, or scripts written to temporary or other non-standard directories.</p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/datasources/DS0029">Network Traffic</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0029/#Network%20Connection%20Creation">Network Connection Creation</a> </td> <td> <p>Monitor for newly constructed network connections that are sent to or received from untrusted hosts; connections that are followed by files being created on the system may be suspicious. 
Use of utilities, such as FTP, that does not normally occur may also be suspicious.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Content"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Content">Network Traffic Content</a> </td> <td> <p>Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domain and IPs.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://lolbas-project.github.io/#t1105" target="_blank"> LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.trellix.com/blogs/research/beyond-file-search-a-novel-method/" target="_blank"> Mathanraj Thangaraju, Sijo Jacob. (2023, July 26). Beyond File Search: A Novel Method for Exploiting the "search-ms" URI Protocol Handler. Retrieved March 15, 2024. 
</a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf" target="_blank"> Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.technologyreview.com/2013/08/21/83143/dropbox-and-similar-services-can-sync-malware/" target="_blank"> David Talbot. (2013, August 21). Dropbox and Similar Services Can Sync Malware. Retrieved May 31, 2023. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf" target="_blank"> Booz Allen Hamilton When The Lights Went Out Retrieved. 2019/10/22 </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). 
SideCopy APT: Connecting lures to victims, payloads to infrastructure. Retrieved June 13, 2022. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html" target="_blank"> Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.digitrustgroup.com/agent-tesla-keylogger/" target="_blank"> The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html" target="_blank"> Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank"> Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank"> Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. 
</a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank"> Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://web.archive.org/web/20230213154832/http://download.ahnlab.com/global/brochure/%5BAnalysis%5DAndariel_Group.pdf" target="_blank"> AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 
</a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank"> QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://pan-unit42.github.io/playbook_viewer/" target="_blank"> Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. 
</a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank"> Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank"> Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). 
How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank"> Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank"> Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/" target="_blank"> Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. 
</a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank"> Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" target="_blank"> GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank"> Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank"> Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank"> FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank"> Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). 
Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank"> Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank"> Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. 
</a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank"> DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" target="_blank"> Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. 
Retrieved September 25, 2024. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank"> GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/blob/master/README.md" target="_blank"> Nyan-x-Cat. (n.d.). NYAN-x-CAT / AsyncRAT-C-Sharp. Retrieved October 3, 2023. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank"> Trend Micro. (2018, November 20). 
Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank"> Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" target="_blank"> Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/" target="_blank"> Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 
</a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank"> Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank"> Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank"> Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank"> Savelesky, K., et al. (2019, July 23). 
ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank"> Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank"> Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank"> Check Point. (2020, November 26). 
Bandook: Signed & Delivered. Retrieved May 31, 2021. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank"> US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank"> Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank"> Podlosky, A., Hanel, A. et al. (2020, October 16). 
WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" target="_blank"> Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank"> Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. 
</a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://msdn.microsoft.com/library/aa362813.aspx" target="_blank"> Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank"> Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan" target="_blank"> Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank"> MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. 
</a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank"> Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank"> MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank"> CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99" target="_blank"> Ladley, F. 
(2012, May 15). Backdoor.Briba. Retrieved February 21, 2018. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank"> Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.rapid7.com/blog/post/2024/07/24/malware-campaign-lures-users-with-fake-w2-form/" target="_blank"> Elkins, T. (2024, July 24). Malware Campaign Lures Users With Fake W2 Form. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank"> Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank"> Merriman, K. and Trouerbach, P. (2022, April 28). 
This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime" target="_blank"> Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank"> Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank"> Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" target="_blank"> Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024. 
</a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank"> Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank"> DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank"> Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank"> Costa, F. (2022, May 1). 
RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank"> Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank"> Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank"> Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://web.archive.org/web/20190111082249/https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days" target="_blank"> Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018. 
</a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank"> Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf" target="_blank"> Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. 
</a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank"> McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank"> Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. 
</a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://technet.microsoft.com/library/cc732443.aspx" target="_blank"> Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://lolbas-project.github.io/lolbas/Binaries/Certutil/" target="_blank"> LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank"> Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. 
</a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="http://blog.jpcert.or.jp/2017/02/chches-malware--93d6.html" target="_blank"> Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank"> FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank"> Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 
</a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank"> Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank"> The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank"> Eoin Miller. (2021, March 23). 
Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://securelist.com/toddycat/106799/" target="_blank"> Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank"> Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank"> Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://technet.microsoft.com/en-us/library/bb490886.aspx" target="_blank"> Microsoft. (n.d.). Copy. Retrieved April 26, 2016. 
</a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf" target="_blank"> Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank"> Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://web.archive.org/web/20210219195905/https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank"> Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank"> Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. 
Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm" target="_blank"> Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" target="_blank"> Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank"> Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"> Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). 
APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank"> Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank"> Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank"> N. Baisini. 
(2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank"> Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank"> Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. 
</a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank"> Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank"> Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://symantec-enterprise-blogs.security.com/threat-intelligence/apt-attacks-telecoms-africa-mgbot" target="_blank"> Threat Hunter Team. (2023, April 20). Daggerfly: APT Actor Targets Telecoms Company in Africa. Retrieved July 25, 2024. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank"> SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. 
Retrieved November 19, 2019. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank"> TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank"> Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank"> Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank"> Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/" target="_blank"> Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. 
Retrieved March 31, 2021. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank"> Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank"> Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank"> McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. 
</a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank"> Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank"> Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. 
</a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank"> Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank"> Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank"> Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://github.com/TheWover/donut" target="_blank"> TheWover. (2019, May 9). donut. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016. 
</a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank"> ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank"> Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. 
</a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf" target="_blank"> Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank"> GREAT. (2021, March 30). 
APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank"> Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://www.intrinsec.com/egregor-prolock/?cn-reloaded=1" target="_blank"> Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3909-99" target="_blank"> Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" target="_blank"> Falcone, R. and Miller-Osborn, J. 
(2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://lolbas-project.github.io/lolbas/Binaries/Esentutl/" target="_blank"> LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank"> Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank"> Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank"> Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 
</a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank"> Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank"> ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank"> Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank"> Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank"> Patil, S. (2018, June 26). 
Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank"> Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. 
</a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="https://www.justice.gov/opa/press-release/file/1084361/download" target="_blank"> Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://www.mandiant.com/resources/evolution-of-fin7" target="_blank"> Abdo, B., et al. (2022, April 4). FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7. Retrieved April 5, 2022. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" target="_blank"> Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank"> Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank"> Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. 
</a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank"> Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank"> Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/ftp" target="_blank"> Microsoft. (2021, July 21). ftp. 
Retrieved February 25, 2022. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="https://linux.die.net/man/1/ftp" target="_blank"> N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank"> Kakara, H., Maruyama, E. (2020, April 17). 
Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank"> Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. </a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://unit42.paloaltonetworks.com/trident-ursa/" target="_blank"> Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank"> ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://securelist.com/introducing-whitebear/81638/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. 
</a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/" target="_blank"> Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank"> Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank"> Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 
</a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/" target="_blank"> Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022. </a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/" target="_blank"> Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024. 
</a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank"> Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank"> Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. </a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="https://www.group-ib.com/blog/grimagent/" target="_blank"> Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-233" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-233" href="https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4" target="_blank"> Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021. 
</a> </span> </span> </li> <li> <span id="scite-234" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-234" href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2" target="_blank"> Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-235" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-235" href="https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/" target="_blank"> MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021. </a> </span> </span> </li> <li> <span id="scite-236" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-236" href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank"> Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-237" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-237" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-238" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-238" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. 
Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-239" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-239" href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank"> Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-240" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-240" href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank"> Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-241" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-241" href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank"> Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-242" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-242" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-243" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-243" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). 
Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-244" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-244" href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank"> US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-245" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-245" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-246" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-246" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-247" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-247" href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank"> Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-248" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-248" href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank"> Lelli, A. (2010, January 11). Trojan.Hydraq. 
Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-249" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-249" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank"> Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. </a> </span> </span> </li> <li> <span id="scite-250" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-250" href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank"> Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-251" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-251" href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank"> Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-252" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-252" href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" target="_blank"> DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. </a> </span> </span> </li> <li> <span id="scite-253" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-253" href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank"> Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). 
Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024. </a> </span> </span> </li> <li> <span id="scite-254" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-254" href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" target="_blank"> PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-255" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-255" href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank"> Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-256" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-256" href="https://www.huntress.com/blog/lolbin-to-inc-ransomware" target="_blank"> Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-257" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-257" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. 
</a> </span> </span> </li> <li> <span id="scite-258" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-258" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" target="_blank"> Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. </a> </span> </span> </li> <li> <span id="scite-259" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-259" href="https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions/" target="_blank"> Mandiant Intelligence. (2022, June 2). To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Retrieved July 29, 2024. </a> </span> </span> </li> <li> <span id="scite-260" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-260" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-261" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-261" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-262" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-262" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). 
INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-263" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-263" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-264" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-264" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. </a> </span> </span> </li> <li> <span id="scite-265" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-265" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank"> Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-266" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-266" href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank"> Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-267" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-267" href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank"> Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. 
Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-268" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-268" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank"> Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-269" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-269" href="https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door" target="_blank"> Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-270" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-270" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-271" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-271" href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank"> Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-272" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-272" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). 
Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-273" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-273" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-274" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-274" href="https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/" target="_blank"> Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-275" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-275" href="https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" target="_blank"> Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-276" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-276" href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank"> Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-277" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-277" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank"> US-CERT. 
(2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="278"> <li> <span id="scite-278" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-278" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-279" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-279" href="https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability" target="_blank"> Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021. </a> </span> </span> </li> <li> <span id="scite-280" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-280" href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank"> Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-281" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-281" href="https://github.com/offsecginger/koadic" target="_blank"> Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. </a> </span> </span> </li> <li> <span id="scite-282" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-282" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. 
(2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-283" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-283" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-284" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-284" href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank"> Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. </a> </span> </span> </li> <li> <span id="scite-285" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-285" href="https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" target="_blank"> Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024. </a> </span> </span> </li> <li> <span id="scite-286" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-286" href="https://www.symantec.com/security-center/writeup/2016-081923-2700-99" target="_blank"> Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018. </a> </span> </span> </li> <li> <span id="scite-287" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-287" href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank"> Stepanic, D. and Bousseaden, S. (2024, May 15). 
Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-288" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-288" href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank"> Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-289" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-289" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-290" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-290" href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-291" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-291" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. 
</a> </span> </span> </li> <li> <span id="scite-292" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-292" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-293" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-293" href="https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/" target="_blank"> Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-294" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-294" href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank"> Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. </a> </span> </span> </li> <li> <span id="scite-295" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-295" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank"> Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-296" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-296" href="https://x.com/ESETresearch/status/1458438155149922312" target="_blank"> Cherepanov, Anton. (2019, November 10). 
ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-297" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-297" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-298" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-298" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-299" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-299" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-300" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-300" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-301" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-301" href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank"> Yamout, M. (2021, November 29). 
WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. </a> </span> </span> </li> <li> <span id="scite-302" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-302" href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank"> BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. </a> </span> </span> </li> <li> <span id="scite-303" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-303" href="https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html" target="_blank"> Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. </a> </span> </span> </li> <li> <span id="scite-304" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-304" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-305" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-305" href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank"> FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. 
</a> </span> </span> </li> <li> <span id="scite-306" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-306" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-307" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-307" href="https://securelist.com/apt-luminousmoth/103332/" target="_blank"> Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-308" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-308" href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank"> Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-309" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-309" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-310" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-310" href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank"> M.Léveillé, M., Cherepanov, A. (2022, January 25). 
Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. </a> </span> </span> </li> <li> <span id="scite-311" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-311" href="https://objective-see.org/blog/blog_0x69.html" target="_blank"> Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022. </a> </span> </span> </li> <li> <span id="scite-312" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-312" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </span> </span> </li> <li> <span id="scite-313" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-313" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-314" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-314" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-315" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-315" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. 
</a> </span> </span> </li> <li> <span id="scite-316" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-316" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-317" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-317" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-318" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-318" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-319" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-319" href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank"> Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-320" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-320" href="https://web.archive.org/web/20220224041316/https:/www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. 
</a> </span> </span> </li> <li> <span id="scite-321" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-321" href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank"> US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-322" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-322" href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank"> Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. </a> </span> </span> </li> <li> <span id="scite-323" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-323" href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank"> Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-324" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-324" href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank"> Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-325" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-325" href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank"> Zhang, X. (2020, February 4). 
Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-326" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-326" href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"> ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-327" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-327" href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank"> Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-328" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-328" href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank"> Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-329" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-329" href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-330" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-330" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 
</a> </span> </span> </li> <li> <span id="scite-331" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-331" href="https://cdn.securelist.com/files/2014/07/themysteryofthepdf0-dayassemblermicrobackdoor.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-332" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-332" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-333" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-333" href="http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2" target="_blank"> Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-334" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-334" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-335" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-335" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. 
Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-336" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-336" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-337" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-337" href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank"> Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. </a> </span> </span> </li> <li> <span id="scite-338" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-338" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-339" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-339" href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank"> Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 
</a> </span> </span> </li> <li> <span id="scite-340" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-340" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. </a> </span> </span> </li> <li> <span id="scite-341" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-341" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-342" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-342" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-343" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-343" href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank"> ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-344" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-344" href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank"> Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. 
</a> </span> </span> </li> <li> <span id="scite-345" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-345" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-346" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-346" href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank"> Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-347" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-347" href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank"> Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. </a> </span> </span> </li> <li> <span id="scite-348" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-348" href="https://www.digitrustgroup.com/nanocore-not-your-average-rat/" target="_blank"> The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018. 
</a> </span> </span> </li> <li> <span id="scite-349" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-349" href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank"> Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-350" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-350" href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-351" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-351" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-352" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-352" href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank"> Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-353" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-353" href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank"> Maniath, S. and Kadam P. 
(2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-354" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-354" href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank"> Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-355" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-355" href="https://www.symantec.com/security_response/writeup.jsp?docid=2015-120123-5521-99" target="_blank"> Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-356" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-356" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-357" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-357" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-358" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-358" href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank"> Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-359" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-359" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-360" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-360" href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank"> Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. </a> </span> </span> </li> <li> <span id="scite-361" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-361" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 
</a> </span> </span> </li> <li> <span id="scite-362" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-362" href="https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html" target="_blank"> Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-363" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-363" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-364" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-364" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-365" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-365" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 
</a> </span> </span> </li> <li> <span id="scite-366" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-366" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank"> Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. </a> </span> </span> </li> <li> <span id="scite-367" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-367" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank"> Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-368" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-368" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank"> Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-369" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-369" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 
</a> </span> </span> </li> <li> <span id="scite-370" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-370" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-371" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-371" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-372" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-372" href="https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" target="_blank"> Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. </a> </span> </span> </li> <li> <span id="scite-373" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-373" href="https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/" target="_blank"> Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. </a> </span> </span> </li> <li> <span id="scite-374" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-374" href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank"> Phil Stokes. 
(2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. </a> </span> </span> </li> <li> <span id="scite-375" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-375" href="https://objective-see.com/blog/blog_0x4E.html" target="_blank"> Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code ...now notarized!? #2020. Retrieved September 13, 2021. </a> </span> </span> </li> <li> <span id="scite-376" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-376" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank"> Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-377" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-377" href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank"> Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-378" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-378" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. 
</a> </span> </span> </li> <li> <span id="scite-379" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-379" href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank"> Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-380" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-380" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" target="_blank"> Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-381" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-381" href="https://securelist.com/the-dropping-elephant-actor/75328/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-382" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-382" href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-383" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-383" href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank"> Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. 
</a> </span> </span> </li> <li> <span id="scite-384" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-384" href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-385" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-385" href="https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/?source=mmpc" target="_blank"> Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-386" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-386" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank"> Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-387" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-387" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-388" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-388" href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank"> Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. 
Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-389" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-389" href="https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european" target="_blank"> Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. </a> </span> </span> </li> <li> <span id="scite-390" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-390" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </span> </span> </li> <li> <span id="scite-391" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-391" href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank"> Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021. </a> </span> </span> </li> <li> <span id="scite-392" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-392" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. 
</a> </span> </span> </li> <li> <span id="scite-393" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-393" href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank"> hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-394" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-394" href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank"> Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-395" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-395" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-396" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-396" href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank"> Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. 
</a> </span> </span> </li> <li> <span id="scite-397" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-397" href="https://web.archive.org/web/20180808125108/https:/www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" target="_blank"> Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. </a> </span> </span> </li> <li> <span id="scite-398" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-398" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-399" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-399" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine" target="_blank"> Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-400" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-400" href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/" target="_blank"> Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 
</a> </span> </span> </li> <li> <span id="scite-401" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-401" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-402" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-402" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-403" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-403" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-404" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-404" href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank"> Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-405" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-405" href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank"> CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-406" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-406" href="https://success.trendmicro.com/solution/000283381" target="_blank"> Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-407" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-407" href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank"> Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-408" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-408" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-409" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-409" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-410" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-410" href="https://github.com/quasar/QuasarRAT" target="_blank"> MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-411" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-411" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank"> Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. 
Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-412" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-412" href="https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" target="_blank"> S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. </a> </span> </span> </li> <li> <span id="scite-413" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-413" href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank"> Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. </a> </span> </span> </li> <li> <span id="scite-414" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-414" href="http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/" target="_blank"> Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015. </a> </span> </span> </li> <li> <span id="scite-415" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-415" href="https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/" target="_blank"> Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. </a> </span> </span> </li> <li> <span id="scite-416" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-416" href="https://redcanary.com/blog/threat-intelligence/raspberry-robin/" target="_blank"> Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024. 
</a> </span> </span> </li> <li> <span id="scite-417" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-417" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank"> Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-418" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-418" href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank"> Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-419" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-419" href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank"> Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-420" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-420" href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank"> Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. 
</a> </span> </span> </li> <li> <span id="scite-421" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-421" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-422" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-422" href="https://web.archive.org/web/20180124082756/https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/" target="_blank"> Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-423" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-423" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-424" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-424" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" target="_blank"> Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. 
</a> </span> </span> </li> <li> <span id="scite-425" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-425" href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-426" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-426" href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank"> Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. </a> </span> </span> </li> <li> <span id="scite-427" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-427" href="https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" target="_blank"> Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-428" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-428" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank"> McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. 
</a> </span> </span> </li> <li> <span id="scite-429" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-429" href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank"> Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-430" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-430" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank"> Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. </a> </span> </span> </li> <li> <span id="scite-431" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-431" href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank"> Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-432" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-432" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-433" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-433" href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank"> Lee, B., Falcone, R. (2019, January 18). 
DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-434" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-434" href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-435" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-435" href="https://research.nccgroup.com/2018/11/08/rokrat-analysis/" target="_blank"> Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-436" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-436" href="https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" target="_blank"> Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-437" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-437" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </span> </span> </li> <li> <span id="scite-438" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-438" href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank"> Duncan, B., Harbison, M. (2019, January 23). 
Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-439" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-439" href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-440" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-440" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-441" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-441" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-442" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-442" href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank"> Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 
</a> </span> </span> </li> <li> <span id="scite-443" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-443" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-444" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-444" href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank"> Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-445" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-445" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-446" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-446" href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank"> Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-447" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-447" href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank"> Vilkomir-Preisman, S. 
(2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-448" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-448" href="https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html" target="_blank"> Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-449" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-449" href="https://securelist.com/shadowpad-in-corporate-networks/81432/" target="_blank"> GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-450" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-450" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-451" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-451" href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank"> Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. </a> </span> </span> </li> <li> <span id="scite-452" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-452" href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank"> Lunghi, D. 
and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-453" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-453" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-454" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-454" href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank"> Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. </a> </span> </span> </li> <li> <span id="scite-455" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-455" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-456" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-456" href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank"> Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. 
</a> </span> </span> </li> <li> <span id="scite-457" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-457" href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank"> Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-458" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-458" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. </a> </span> </span> </li> <li> <span id="scite-459" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-459" href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank"> Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. </a> </span> </span> </li> <li> <span id="scite-460" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-460" href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank"> Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. 
</a> </span> </span> </li> <li> <span id="scite-461" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-461" href="https://github.com/BishopFox/sliver/blob/ea329226636ab8e470086a17f13aa8d330baad22/client/command/filesystem/upload.go" target="_blank"> BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021. </a> </span> </span> </li> <li> <span id="scite-462" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-462" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-463" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-463" href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank"> NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-464" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-464" href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank"> Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. </a> </span> </span> </li> <li> <span id="scite-465" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-465" href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank"> FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. 
Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-466" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-466" href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank"> Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. </a> </span> </span> </li> <li> <span id="scite-467" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-467" href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank"> Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. </a> </span> </span> </li> <li> <span id="scite-468" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-468" href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank"> Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024. </a> </span> </span> </li> <li> <span id="scite-469" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-469" href="https://www.secureworks.com/research/threat-profiles/gold-prelude" target="_blank"> Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024. </a> </span> </span> </li> <li> <span id="scite-470" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-470" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 
</a> </span> </span> </li> <li> <span id="scite-471" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-471" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank"> CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. </a> </span> </span> </li> <li> <span id="scite-472" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-472" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-473" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-473" href="https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf" target="_blank"> National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-474" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-474" href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank"> Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-475" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-475" href="https://blog.google/threat-analysis-group/google-tag-coldriver-russian-phishing-malware/" target="_blank"> Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024. 
</a> </span> </span> </li> <li> <span id="scite-476" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-476" href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank"> CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-477" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-477" href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank"> Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-478" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-478" href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank"> Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-479" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-479" href="https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot" target="_blank"> Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-480" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-480" href="https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" target="_blank"> Perez, D. et al. 
(2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. </a> </span> </span> </li> <li> <span id="scite-481" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-481" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank"> Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-482" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-482" href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank"> Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. </a> </span> </span> </li> <li> <span id="scite-483" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-483" href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank"> Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-484" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-484" href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank"> Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. 
</a> </span> </span> </li> <li> <span id="scite-485" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-485" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-486" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-486" href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank"> Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. </a> </span> </span> </li> <li> <span id="scite-487" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-487" href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank"> Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-488" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-488" href="https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat" target="_blank"> Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019. 
</a> </span> </span> </li> <li> <span id="scite-489" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-489" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" target="_blank"> Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-490" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-490" href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank"> Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-491" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-491" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank"> USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. </a> </span> </span> </li> <li> <span id="scite-492" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-492" href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank"> ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. </a> </span> </span> </li> <li> <span id="scite-493" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-493" href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank"> Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. 
</a> </span> </span> </li> <li> <span id="scite-494" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-494" href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank"> Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. </a> </span> </span> </li> <li> <span id="scite-495" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-495" href="https://objective-see.com/blog/blog_0x60.html" target="_blank"> Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. </a> </span> </span> </li> <li> <span id="scite-496" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-496" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-497" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-497" href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank"> Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. </a> </span> </span> </li> <li> <span id="scite-498" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-498" href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank"> Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-499" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-499" href="https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021. </a> </span> </span> </li> <li> <span id="scite-500" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-500" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" target="_blank"> Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. </a> </span> </span> </li> <li> <span id="scite-501" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-501" href="https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf" target="_blank"> Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. </a> </span> </span> </li> <li> <span id="scite-502" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-502" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 
</a> </span> </span> </li> <li> <span id="scite-503" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-503" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-504" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-504" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-505" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-505" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-506" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-506" href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank"> ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-507" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-507" href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank"> O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. 
Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-508" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-508" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank"> US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. </a> </span> </span> </li> <li> <span id="scite-509" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-509" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" target="_blank"> Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-510" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-510" href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"> Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. </a> </span> </span> </li> <li> <span id="scite-511" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-511" href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank"> FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. </a> </span> </span> </li> <li> <span id="scite-512" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-512" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank"> Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. 
</a> </span> </span> </li> <li> <span id="scite-513" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-513" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank"> Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-514" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-514" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-515" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-515" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-516" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-516" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-517" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-517" href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank"> GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 
</a> </span> </span> </li> <li> <span id="scite-518" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-518" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-519" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-519" href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank"> US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-520" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-520" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank"> US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-521" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-521" href="https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2" target="_blank"> Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-522" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-522" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. 
Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-523" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-523" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-524" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-524" href="https://www.trendmicro.com/en_us/research/24/a/a-look-into-pikabot-spam-wave-campaign.html" target="_blank"> Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024. </a> </span> </span> </li> <li> <span id="scite-525" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-525" href="https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" target="_blank"> Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. </a> </span> </span> </li> <li> <span id="scite-526" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-526" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 
</a> </span> </span> </li> <li> <span id="scite-527" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-527" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank"> CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-528" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-528" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank"> CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-529" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-529" href="https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/" target="_blank"> MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022. </a> </span> </span> </li> <li> <span id="scite-530" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-530" href="https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family" target="_blank"> Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. </a> </span> </span> </li> <li> <span id="scite-531" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-531" href="https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html" target="_blank"> Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. 
</a> </span> </span> </li> <li> <span id="scite-532" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-532" href="https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3" target="_blank"> S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. </a> </span> </span> </li> <li> <span id="scite-533" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-533" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" target="_blank"> Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-534" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-534" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-535" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-535" href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank"> The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-536" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-536" href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank"> Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. 
Retrieved April 29, 2020. </a> </span> </span> </li> <li> <span id="scite-537" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-537" href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank"> Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. </a> </span> </span> </li> <li> <span id="scite-538" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-538" href="https://securelist.com/winnti-more-than-just-a-game/37029/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. </a> </span> </span> </li> <li> <span id="scite-539" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-539" href="https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/" target="_blank"> Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024. </a> </span> </span> </li> <li> <span id="scite-540" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-540" href="https://www.mandiant.com/resources/blog/suspected-apt-targets-ivanti-zero-day" target="_blank"> McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024. </a> </span> </span> </li> <li> <span id="scite-541" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-541" href="https://lab52.io/blog/wirte-group-attacking-the-middle-east/" target="_blank"> S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. 
Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-542" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-542" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-543" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-543" href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank"> MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. </a> </span> </span> </li> <li> <span id="scite-544" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-544" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank"> Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-545" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-545" href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank"> Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-546" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-546" href="https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" target="_blank"> Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-547" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-547" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank"> Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-548" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-548" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-549" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-549" href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank"> Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. </a> </span> </span> </li> <li> <span id="scite-550" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-550" href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank"> Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 
</a> </span> </span> </li> <li> <span id="scite-551" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-551" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-552" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-552" href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank"> Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. </a> </span> </span> </li> <li> <span id="scite-553" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-553" href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank"> Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>