<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v15/theme/favicon.ico" type='image/x-icon'> <title>Phishing: Spearphishing Link, Sub-technique T1566.002 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v15/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v15/"><img src="/versions/v15/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v15/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v15/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/groups">Groups</a> <a class="dropdown-item" href="/versions/v15/software">Software</a> <a class="dropdown-item" href="/versions/v15/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v15/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v15/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v15/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v15/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v15/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/T1566">Phishing</a></li> <li class="breadcrumb-item">Spearphishing Link</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Phishing:</span> Spearphishing Link </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Phishing (4)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/techniques/T1566/001/" class="subtechnique-table-item" data-subtechnique_id="T1566.001"> T1566.001 </a> </td> <td> <a href="/versions/v15/techniques/T1566/001/" class="subtechnique-table-item" data-subtechnique_id="T1566.001"> Spearphishing Attachment </a> </td> </tr> <tr> <td class="active"> T1566.002 </td> <td class="active"> Spearphishing Link </td> </tr> <tr> <td> <a href="/versions/v15/techniques/T1566/003/" class="subtechnique-table-item" data-subtechnique_id="T1566.003"> T1566.003 </a> </td> <td> <a href="/versions/v15/techniques/T1566/003/" class="subtechnique-table-item" data-subtechnique_id="T1566.003"> Spearphishing via Service </a> </td> </tr> <tr> <td> <a href="/versions/v15/techniques/T1566/004/" class="subtechnique-table-item" data-subtechnique_id="T1566.004"> T1566.004 </a> </td> <td> <a href="/versions/v15/techniques/T1566/004/" class="subtechnique-table-item" data-subtechnique_id="T1566.004"> Spearphishing Voice </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.</p><p>All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging <a href="/versions/v15/techniques/T1204">User Execution</a>. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place.</p><p>Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly. Additionally, adversaries may use seemingly benign links that abuse special characters to mimic legitimate websites (known as an "IDN homograph attack").<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020."data-reference="CISA IDN ST05-016">^{<a href="https://us-cert.cisa.gov/ncas/tips/ST05-016" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> URLs may also be obfuscated by taking advantage of quirks in the URL schema, such as the acceptance of integer- or hexadecimal-based hostname formats and the automatic discarding of text before an "@" symbol: for example, <code>hxxp://google.com@1157586937</code>.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023."data-reference="Mandiant URL Obfuscation 2023">^{<a href="https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p><p>Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to <a href="/versions/v15/techniques/T1528">Steal Application Access Token</a>s.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019."data-reference="Trend Micro Pawn Storm OAuth 2017">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021."data-reference="Microsoft OAuth 2.0 Consent Phishing 2021">^{<a href="https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p><p>Adversaries may also utilize spearphishing links to <a href="/versions/v15/techniques/T1528">Steal Application Access Token</a>s that grant immediate access to the victim environment. For example, a user may be lured through "consent phishing" into granting adversaries permissions/access via a malicious OAuth 2.0 request URL .<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019."data-reference="Trend Micro Pawn Storm OAuth 2017">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021."data-reference="Microsoft OAuth 2.0 Consent Phishing 2021">^{<a href="https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p><p>Similarly, malicious links may also target device-based authorization, such as OAuth 2.0 device authorization grant flow which is typically used to authenticate devices without UIs/browsers. Known as "device code phishing," an adversary may send a link that directs the victim to a malicious authorization page where the user is tricked into entering a code/credentials that produces a device token.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="SecureWorks Counter Threat Unit Research Team. (2021, June 3). OAuth’S Device Code Flow Abused in Phishing Attacks. Retrieved March 19, 2024."data-reference="SecureWorks Device Code Phishing 2021">^{<a href="https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Jenko Hwong. (2021, August 10). New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1). Retrieved March 19, 2024."data-reference="Netskope Device Code Phishing 2021">^{<a href="https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Optiv. (2021, August 17). Microsoft 365 OAuth Device Code Flow and Phishing. Retrieved March 19, 2024."data-reference="Optiv Device Code Phishing 2021">^{<a href="https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1566.002 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/versions/v15/techniques/T1566">T1566</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v15/tactics/TA0001">Initial Access</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Google Workspace, Linux, Office 365, SaaS, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Jeff Sakowicz, Microsoft Identity Developer Platform Services (IDPM Services); Kobi Haimovich, CardinalOps; Mark Wee; Menachem Goldstein; Philip Winther; Saisha Agrawal, Microsoft Threat Intelligent Center (MSTIC); Shailesh Tiwary (Indian Army) </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>2.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>02 March 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>15 April 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1566.002" href="/versions/v15/techniques/T1566/002/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1566.002" href="/techniques/T1566/002/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/software/S0677"> S0677 </a> </td> <td> <a href="/versions/v15/software/S0677"> AADInternals </a> </td> <td> <p><a href="/versions/v15/software/S0677">AADInternals</a> can send "consent phishing" emails containing malicious links designed to steal users’ access tokens.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022."data-reference="AADInternals Documentation">^{<a href="https://o365blog.com/aadinternals" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0584"> S0584 </a> </td> <td> <a href="/versions/v15/software/S0584"> AppleJeus </a> </td> <td> <p><a href="/versions/v15/software/S0584">AppleJeus</a> has been distributed via spearphishing link.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021."data-reference="CISA AppleJeus Feb 2021">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0006"> G0006 </a> </td> <td> <a href="/versions/v15/groups/G0006"> APT1 </a> </td> <td> <p><a href="/versions/v15/groups/G0006">APT1</a> has sent spearphishing emails containing hyperlinks to malicious files.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v15/groups/G0007"> APT28 </a> </td> <td> <p><a href="/versions/v15/groups/G0007">APT28</a> sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018">^{<a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019">^{<a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020."data-reference="US District Court Indictment GRU Oct 2018">^{<a href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022."data-reference="Secureworks IRON TWILIGHT Active Measures March 2017">^{<a href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v15/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v15/groups/G0016">APT29</a> has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016."data-reference="Mandiant No Easy Breach">^{<a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021."data-reference="MSTIC NOBELIUM May 2021">^{<a href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022."data-reference="Secureworks IRON RITUAL USAID Phish May 2021">^{<a href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v15/groups/G0022"> APT3 </a> </td> <td> <p><a href="/versions/v15/groups/G0022">APT3</a> has sent spearphishing emails containing malicious links.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016."data-reference="FireEye Clandestine Wolf">^{<a href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v15/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v15/groups/G0050">APT32</a> has sent spearphishing emails containing malicious links.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018."data-reference="ESET OceanLotus">^{<a href="https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018."data-reference="Cybereason Oceanlotus May 2017">^{<a href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020."data-reference="FireEye APT32 April 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020."data-reference="Volexity Ocean Lotus November 2020">^{<a href="https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021."data-reference="Amnesty Intl. Ocean Lotus February 2021">^{<a href="https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0064"> G0064 </a> </td> <td> <a href="/versions/v15/groups/G0064"> APT33 </a> </td> <td> <p><a href="/versions/v15/groups/G0064">APT33</a> has sent spearphishing emails containing links to .hta files.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018."data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v15/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v15/groups/G0087">APT39</a> leveraged spearphishing emails with malicious links to initially compromise victims.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."data-reference="FireEye APT39 Jan 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020."data-reference="FBI FLASH APT39 September 2020">^{<a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v15/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v15/software/S0534">Bazar</a> has been spread via emails with embedded malicious links.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020">^{<a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020."data-reference="Zscaler Bazar September 2020">^{<a href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021."data-reference="CrowdStrike Wizard Spider October 2020">^{<a href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0098"> G0098 </a> </td> <td> <a href="/versions/v15/groups/G0098"> BlackTech </a> </td> <td> <p><a href="/versions/v15/groups/G0098">BlackTech</a> has used spearphishing e-mails with links to cloud services to deliver malware.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020."data-reference="TrendMicro BlackTech June 2017">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1039"> S1039 </a> </td> <td> <a href="/versions/v15/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/versions/v15/software/S1039">Bumblebee</a> has been spread through e-mail campaigns with malicious links.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022."data-reference="Proofpoint Bumblebee April 2022">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022."data-reference="Cybereason Bumblebee August 2022">^{<a href="https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0011"> C0011 </a> </td> <td> <a href="/versions/v15/campaigns/C0011"> C0011 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0011">C0011</a>, <a href="/versions/v15/groups/G0134">Transparent Tribe</a> sent emails containing a malicious link to student targets in India.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022."data-reference="Cisco Talos Transparent Tribe Education Campaign July 2022">^{<a href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0021"> C0021 </a> </td> <td> <a href="/versions/v15/campaigns/C0021"> C0021 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0021">C0021</a>, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018."data-reference="FireEye APT29 Nov 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019."data-reference="Microsoft Unidentified Dec 2018">^{<a href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0080"> G0080 </a> </td> <td> <a href="/versions/v15/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/versions/v15/groups/G0080">Cobalt Group</a> has sent emails with URLs pointing to malicious documents.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018."data-reference="Talos Cobalt Group July 2018">^{<a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021."data-reference="Secureworks GOLD KINGSWOOD September 2018">^{<a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0142"> G0142 </a> </td> <td> <a href="/versions/v15/groups/G0142"> Confucius </a> </td> <td> <p><a href="/versions/v15/groups/G0142">Confucius</a> has sent malicious links to victims through email campaigns.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021."data-reference="TrendMicro Confucius APT Aug 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1111"> S1111 </a> </td> <td> <a href="/versions/v15/software/S1111"> DarkGate </a> </td> <td> <p><a href="/versions/v15/software/S1111">DarkGate</a> is distributed in phishing emails containing links to distribute malicious VBS or MSI files.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024."data-reference="Trellix Darkgate 2023">^{<a href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span> <a href="/versions/v15/software/S1111">DarkGate</a> uses applications such as Microsoft Teams for distributing links to payloads.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024."data-reference="Trellix Darkgate 2023">^{<a href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1006"> G1006 </a> </td> <td> <a href="/versions/v15/groups/G1006"> Earth Lusca </a> </td> <td> <p><a href="/versions/v15/groups/G1006">Earth Lusca</a> has sent spearphishing emails to potential targets that contained a malicious link.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022."data-reference="TrendMicro EarthLusca 2022">^{<a href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0066"> G0066 </a> </td> <td> <a href="/versions/v15/groups/G0066"> Elderwood </a> </td> <td> <p><a href="/versions/v15/groups/G0066">Elderwood</a> has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018."data-reference="Symantec Elderwood Sept 2012">^{<a href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018."data-reference="CSM Elderwood Sept 2012">^{<a href="https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1003"> G1003 </a> </td> <td> <a href="/versions/v15/groups/G1003"> Ember Bear </a> </td> <td> <p><a href="/versions/v15/groups/G1003">Ember Bear</a> has sent spearphishing emails containing malicious links.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 ">^{<a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v15/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v15/software/S0367">Emotet</a> has been delivered by phishing emails containing links. <span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019."data-reference="Trend Micro Banking Malware Jan 2019">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019."data-reference="Kaspersky Emotet Jan 2019">^{<a href="https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019."data-reference="CIS Emotet Apr 2017">^{<a href="https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019."data-reference="Malwarebytes Emotet Dec 2017">^{<a href="https://support.malwarebytes.com/docs/DOC-2295" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019."data-reference="Symantec Emotet Jul 2018">^{<a href="https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span><span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019."data-reference="US-CERT Emotet Jul 2018">^{<a href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019."data-reference="Talos Emotet Jan 2019">^{<a href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019."data-reference="Talos Emotet Jan 2019">^{<a href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span><span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019."data-reference="Picus Emotet Dec 2018">^{<a href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0120"> G0120 </a> </td> <td> <a href="/versions/v15/groups/G0120"> Evilnum </a> </td> <td> <p><a href="/versions/v15/groups/G0120">Evilnum</a> has sent spearphishing emails containing a link to a zip file hosted on Google Drive.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021."data-reference="ESET EvilNum July 2020">^{<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1011"> G1011 </a> </td> <td> <a href="/versions/v15/groups/G1011"> EXOTIC LILY </a> </td> <td> <p><a href="/versions/v15/groups/G1011">EXOTIC LILY</a> has relied on victims to open malicious links in e-mails for execution.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022."data-reference="Google EXOTIC LILY March 2022">^{<a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0085"> G0085 </a> </td> <td> <a href="/versions/v15/groups/G0085"> FIN4 </a> </td> <td> <p><a href="/versions/v15/groups/G0085">FIN4</a> has used spearphishing emails (often sent from compromised accounts) containing malicious links.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018."data-reference="FireEye Hacking FIN4 Dec 2014">^{<a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019."data-reference="FireEye Hacking FIN4 Video Dec 2014">^{<a href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v15/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/versions/v15/groups/G0046">FIN7</a> has conducted broad phishing campaigns using malicious links.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021">^{<a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v15/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v15/groups/G0061">FIN8</a> has distributed targeted emails containing links to malicious documents with embedded macros.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016">^{<a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0531"> S0531 </a> </td> <td> <a href="/versions/v15/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/versions/v15/software/S0531">Grandoreiro</a> has been spread via malicious links embedded in e-mails.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020."data-reference="IBM Grandoreiro April 2020">^{<a href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020">^{<a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0561"> S0561 </a> </td> <td> <a href="/versions/v15/software/S0561"> GuLoader </a> </td> <td> <p><a href="/versions/v15/software/S0561">GuLoader</a> has been spread in phishing campaigns using malicious web links.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021."data-reference="Unit 42 NETWIRE April 2020">^{<a href="https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0499"> S0499 </a> </td> <td> <a href="/versions/v15/software/S0499"> Hancitor </a> </td> <td> <p><a href="/versions/v15/software/S0499">Hancitor</a> has been delivered via phishing emails which contained malicious links.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020."data-reference="Threatpost Hancitor">^{<a href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0528"> S0528 </a> </td> <td> <a href="/versions/v15/software/S0528"> Javali </a> </td> <td> <p><a href="/versions/v15/software/S0528">Javali</a> has been delivered via malicious links embedded in e-mails.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020">^{<a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0585"> S0585 </a> </td> <td> <a href="/versions/v15/software/S0585"> Kerrdown </a> </td> <td> <p><a href="/versions/v15/software/S0585">Kerrdown</a> has been distributed via e-mails containing a malicious link.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021."data-reference="Amnesty Intl. Ocean Lotus February 2021">^{<a href="https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v15/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v15/groups/G0094">Kimsuky</a> has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019."data-reference="EST Kimsuky April 2019">^{<a href="https://blog.alyac.co.kr/2234" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span><span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019."data-reference="Netscout Stolen Pencil Dec 2018">^{<a href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022."data-reference="KISA Operation Muzabi">^{<a href="https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35936" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0669"> S0669 </a> </td> <td> <a href="/versions/v15/software/S0669"> KOCTOPUS </a> </td> <td> <p><a href="/versions/v15/software/S0669">KOCTOPUS</a> has been distributed as a malicious link within an email.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021">^{<a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v15/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v15/groups/G0032">Lazarus Group</a> has sent malicious links to victims via email.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021">^{<a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0140"> G0140 </a> </td> <td> <a href="/versions/v15/groups/G0140"> LazyScripter </a> </td> <td> <p><a href="/versions/v15/groups/G0140">LazyScripter</a> has used spam emails that contain a link that redirects the victim to download a malicious document.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021">^{<a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v15/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v15/groups/G0065">Leviathan</a> has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021."data-reference="CISA AA21-200A APT40 July 2021">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1014"> G1014 </a> </td> <td> <a href="/versions/v15/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/versions/v15/groups/G1014">LuminousMoth</a> has sent spearphishing emails containing a malicious Dropbox download link.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022."data-reference="Kaspersky LuminousMoth July 2021">^{<a href="https://securelist.com/apt-luminousmoth/103332/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0095"> G0095 </a> </td> <td> <a href="/versions/v15/groups/G0095"> Machete </a> </td> <td> <p><a href="/versions/v15/groups/G0095">Machete</a> has sent phishing emails that contain a link to an external server with ZIP and RAR archives.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019."data-reference="Cylance Machete Mar 2017">^{<a href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v15/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v15/groups/G0059">Magic Hound</a> has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download <a href="/versions/v15/software/S0192">Pupy</a>.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017."data-reference="Secureworks Cobalt Gypsy Feb 2017">^{<a href="https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020">^{<a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021">^{<a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021">^{<a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0530"> S0530 </a> </td> <td> <a href="/versions/v15/software/S0530"> Melcoz </a> </td> <td> <p><a href="/versions/v15/software/S0530">Melcoz</a> has been spread through malicious links embedded in e-mails.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020">^{<a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1122"> S1122 </a> </td> <td> <a href="/versions/v15/software/S1122"> Mispadu </a> </td> <td> <p><a href="/versions/v15/software/S1122">Mispadu</a> has been spread via malicious links embedded in emails.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024."data-reference="SCILabs Malteiro 2021">^{<a href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0103"> G0103 </a> </td> <td> <a href="/versions/v15/groups/G0103"> Mofang </a> </td> <td> <p><a href="/versions/v15/groups/G0103">Mofang</a> delivered spearphishing emails with malicious links included.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang">^{<a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0021"> G0021 </a> </td> <td> <a href="/versions/v15/groups/G0021"> Molerats </a> </td> <td> <p><a href="/versions/v15/groups/G0021">Molerats</a> has sent phishing emails with malicious links included.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."data-reference="Kaspersky MoleRATs April 2019">^{<a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v15/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v15/groups/G0069">MuddyWater</a> has sent targeted spearphishing e-mails with malicious links.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021."data-reference="Anomali Static Kitten February 2021">^{<a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span><span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span><span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024."data-reference="Proofpoint TA450 Phishing March 2024">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v15/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v15/groups/G0129">Mustang Panda</a> has delivered malicious links to their intended targets.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021."data-reference="McAfee Dianxun March 2021">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1020"> G1020 </a> </td> <td> <a href="/versions/v15/groups/G1020"> Mustard Tempest </a> </td> <td> <p><a href="/versions/v15/groups/G1020">Mustard Tempest</a> has sent victims emails containing links to compromised websites.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v15/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/versions/v15/software/S0198">NETWIRE</a> has been spread via e-mail campaigns utilizing malicious links.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021."data-reference="Unit 42 NETWIRE April 2020">^{<a href="https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0002"> C0002 </a> </td> <td> <a href="/versions/v15/campaigns/C0002"> Night Dragon </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a>, threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon">^{<a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v15/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v15/groups/G0049">OilRig</a> has sent spearphising emails with malicious links to potential victims.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018."data-reference="Unit 42 OopsIE! Feb 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0022"> C0022 </a> </td> <td> <a href="/versions/v15/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/versions/v15/groups/G0032">Lazarus Group</a> sent malicious OneDrive links with fictitious job offer advertisements via email.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020">^{<a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span><span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021."data-reference="ESET Lazarus Jun 2020">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0016"> C0016 </a> </td> <td> <a href="/versions/v15/campaigns/C0016"> Operation Dust Storm </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0016">Operation Dust Storm</a>, the threat actors sent spearphishing emails containing a malicious link.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0005"> C0005 </a> </td> <td> <a href="/versions/v15/campaigns/C0005"> Operation Spalax </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0005">Operation Spalax</a>, the threat actors sent phishing emails to victims that contained a malicious link.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022."data-reference="ESET Operation Spalax Jan 2021">^{<a href="https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1017"> S1017 </a> </td> <td> <a href="/versions/v15/software/S1017"> OutSteel </a> </td> <td> <p><a href="/versions/v15/software/S1017">OutSteel</a> has been distributed through malicious links contained within spearphishing emails.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 ">^{<a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v15/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/versions/v15/groups/G0040">Patchwork</a> has used spearphishing with links to deliver files with exploits to initial victims.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016."data-reference="Symantec Patchwork">^{<a href="http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span><span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017">^{<a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span><span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."data-reference="Unit 42 BackConfig May 2020">^{<a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0453"> S0453 </a> </td> <td> <a href="/versions/v15/software/S0453"> Pony </a> </td> <td> <p><a href="/versions/v15/software/S0453">Pony</a> has been delivered via spearphishing emails which contained malicious links.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."data-reference="Malwarebytes Pony April 2016">^{<a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0650"> S0650 </a> </td> <td> <a href="/versions/v15/software/S0650"> QakBot </a> </td> <td> <p><a href="/versions/v15/software/S0650">QakBot</a> has spread through emails with malicious links.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot May 2020">^{<a href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span><span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021."data-reference="Kroll Qakbot June 2020">^{<a href="https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span><span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot December 2020">^{<a href="https://success.trendmicro.com/solution/000283381" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span><span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021."data-reference="ATT QakBot April 2021">^{<a href="https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span><span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021">^{<a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span><span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020">^{<a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023."data-reference="Trend Micro Black Basta October 2022">^{<a href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1018"> S1018 </a> </td> <td> <a href="/versions/v15/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/versions/v15/software/S1018">Saint Bot</a> has been distributed through malicious links contained within spearphishing emails.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 ">^{<a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v15/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v15/groups/G0034">Sandworm Team</a> has crafted phishing emails containing malicious hyperlinks.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020">^{<a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0121"> G0121 </a> </td> <td> <a href="/versions/v15/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/versions/v15/groups/G0121">Sidewinder</a> has sent e-mails with malicious links often crafted for specific targets.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021."data-reference="ATT Sidewinder January 2021">^{<a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span><span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021."data-reference="Cyble Sidewinder September 2020">^{<a href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1086"> S1086 </a> </td> <td> <a href="/versions/v15/software/S1086"> Snip3 </a> </td> <td> <p><a href="/versions/v15/software/S1086">Snip3</a> has been delivered to victims through e-mail links to malicious files.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021">^{<a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1124"> S1124 </a> </td> <td> <a href="/versions/v15/software/S1124"> SocGholish </a> </td> <td> <p><a href="/versions/v15/software/S1124">SocGholish</a> has been spread via emails containing malicious links.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0646"> S0646 </a> </td> <td> <a href="/versions/v15/software/S0646"> SpicyOmelette </a> </td> <td> <p><a href="/versions/v15/software/S0646">SpicyOmelette</a> has been distributed via emails containing a malicious link that appears to be a PDF document.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021."data-reference="Secureworks GOLD KINGSWOOD September 2018">^{<a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1030"> S1030 </a> </td> <td> <a href="/versions/v15/software/S1030"> Squirrelwaffle </a> </td> <td> <p><a href="/versions/v15/software/S1030">Squirrelwaffle</a> has been distributed through phishing emails containing a malicious URL.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022."data-reference="ZScaler Squirrelwaffle Sep 2021">^{<a href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1018"> G1018 </a> </td> <td> <a href="/versions/v15/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/versions/v15/groups/G1018">TA2541</a> has used spearphishing e-mails with malicious links to deliver malware. <span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a>}</span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021">^{<a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0092"> G0092 </a> </td> <td> <a href="/versions/v15/groups/G0092"> TA505 </a> </td> <td> <p><a href="/versions/v15/groups/G0092">TA505</a> has sent spearphishing emails containing malicious links.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Sep 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a>}</span><span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Jan 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a>}</span><span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."data-reference="Trend Micro TA505 June 2019">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a>}</span><span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0134"> G0134 </a> </td> <td> <a href="/versions/v15/groups/G0134"> Transparent Tribe </a> </td> <td> <p><a href="/versions/v15/groups/G0134">Transparent Tribe</a> has embedded links to malicious downloads in e-mails.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021."data-reference="Talos Oblique RAT March 2021">^{<a href="https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a>}</span><span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021."data-reference="Talos Transparent Tribe May 2021">^{<a href="https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v15/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v15/software/S0266">TrickBot</a> has been delivered via malicious links in phishing e-mails.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v15/groups/G0010"> Turla </a> </td> <td> <p><a href="/versions/v15/groups/G0010">Turla</a> attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018."data-reference="ESET Turla Mosquito Jan 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v15/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v15/software/S0476">Valak</a> has been delivered via malicious links in e-mail.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020."data-reference="SentinelOne Valak June 2020">^{<a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0112"> G0112 </a> </td> <td> <a href="/versions/v15/groups/G0112"> Windshift </a> </td> <td> <p><a href="/versions/v15/groups/G0112">Windshift</a> has sent spearphishing emails with links to harvest credentials and deliver malware.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."data-reference="SANS Windshift August 2018">^{<a href="https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v15/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v15/groups/G0102">Wizard Spider</a> has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020."data-reference="DHS/CISA Ransomware Targeting Healthcare October 2020">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a>}</span><span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020."data-reference="DFIR Ryuk 2 Hour Speed Run November 2020">^{<a href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0128"> G0128 </a> </td> <td> <a href="/versions/v15/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/versions/v15/groups/G0128">ZIRCONIUM</a> has used malicious links in e-mails to deliver malware.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021."data-reference="Microsoft Targeting Elections September 2020">^{<a href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a>}</span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021."data-reference="Google Election Threats October 2020">^{<a href="https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span><span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021."data-reference="Zscaler APT31 Covid-19 October 2020">^{<a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/mitigations/M1047"> M1047 </a> </td> <td> <a href="/versions/v15/mitigations/M1047"> Audit </a> </td> <td> <p>Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.</p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1021"> M1021 </a> </td> <td> <a href="/versions/v15/mitigations/M1021"> Restrict Web-Based Content </a> </td> <td> <p>Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.</p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1054"> M1054 </a> </td> <td> <a href="/versions/v15/mitigations/M1054"> Software Configuration </a> </td> <td> <p>Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020."data-reference="Microsoft Anti Spoofing">^{<a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a>}</span><span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020."data-reference="ACSC Email Spoofing">^{<a href="https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a>}</span>.</p><p>Furthermore, policies may enforce / install browser extensions that protect against IDN and homograph attacks.</p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1018"> M1018 </a> </td> <td> <a href="/versions/v15/mitigations/M1018"> User Account Management </a> </td> <td> <p>Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications. </p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1017"> M1017 </a> </td> <td> <a href="/versions/v15/mitigations/M1017"> User Training </a> </td> <td> <p>Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0. Additionally, users may perform visual checks of the domains they visit; however, homographs in ASCII and in IDN domains and URL schema obfuscation may render manual checks difficult. Phishing training and other cybersecurity training may raise awareness to check URLs before visiting the sites.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0015"> <td> <a href="/versions/v15/datasources/DS0015">DS0015</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0015">Application Log</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0015/#Application%20Log%20Content">Application Log Content</a> </td> <td> <p>Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020."data-reference="Microsoft Anti Spoofing">^{<a href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a>}</span><span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020."data-reference="ACSC Email Spoofing">^{<a href="https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a>}</span> URL inspection within email (including expanding shortened links and identifying obfuscated URLs) can help detect links leading to known malicious sites.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023."data-reference="Mandiant URL Obfuscation 2023">^{<a href="https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span> Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.</p><p>Furthermore, monitor browser logs for homographs in ASCII and in internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites).</p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/versions/v15/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0029">Network Traffic</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Content">Network Traffic Content</a> </td> <td> <p>Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).</p><p>Furthermore, monitor network traffic for cloned sites as well as homographs via the use of internationalized domain names abusing different character sets (e.g. Cyrillic vs Latin versions of trusted sites). </p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://us-cert.cisa.gov/ncas/tips/ST05-016" target="_blank"> CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.mandiant.com/resources/blog/url-obfuscation-schema-abuse" target="_blank"> Nick Simonian. (2023, May 22). Don't @ Me: URL Obfuscation Through Schema Abuse. Retrieved August 4, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" target="_blank"> Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.microsoft.com/security/blog/2021/07/14/microsoft-delivers-comprehensive-solution-to-battle-rise-in-consent-phishing-emails/" target="_blank"> Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.secureworks.com/blog/oauths-device-code-flow-abused-in-phishing-attacks" target="_blank"> SecureWorks Counter Threat Unit Research Team. (2021, June 3). OAuth’S Device Code Flow Abused in Phishing Attacks. Retrieved March 19, 2024. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.netskope.com/blog/new-phishing-attacks-exploiting-oauth-authorization-flows-part-1" target="_blank"> Jenko Hwong. (2021, August 10). New Phishing Attacks Exploiting OAuth Authorization Flows (Part 1). Retrieved March 19, 2024. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.optiv.com/insights/source-zero/blog/microsoft-365-oauth-device-code-flow-and-phishing" target="_blank"> Optiv. (2021, August 17). Microsoft 365 OAuth Device Code Flow and Phishing. Retrieved March 19, 2024. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://o365blog.com/aadinternals" target="_blank"> Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.justice.gov/file/1080281/download" target="_blank"> Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.justice.gov/opa/page/file/1098481/download" target="_blank"> Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.secureworks.com/research/iron-twilight-supports-active-measures" target="_blank"> Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank"> Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/" target="_blank"> Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.secureworks.com/blog/usaid-themed-phishing-campaign-leverages-us-elections-lure" target="_blank"> Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" target="_blank"> Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" target="_blank"> Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank"> Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html" target="_blank"> Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/" target="_blank"> Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf" target="_blank"> Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank"> O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"> Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank"> Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank"> Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/" target="_blank"> Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank"> Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control" target="_blank"> Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank"> N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank"> Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank"> Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank"> CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank"> Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank"> Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank"> Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank"> O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China" target="_blank"> Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/" target="_blank"> Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/" target="_blank"> Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/" target="_blank"> CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://support.malwarebytes.com/docs/DOC-2295" target="_blank"> Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor" target="_blank"> Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank"> US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank"> Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank"> Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank"> Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank"> Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-fin4.pdf" target="_blank"> Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html" target="_blank"> Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank"> Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" target="_blank"> Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank"> Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank"> GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="64.0"> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://blog.alyac.co.kr/2234" target="_blank"> Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/" target="_blank"> ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35936" target="_blank"> KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank"> CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://securelist.com/apt-luminousmoth/103332/" target="_blank"> Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank"> The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" target="_blank"> Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank"> ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank"> Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank"> SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank"> Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.proofpoint.com/us/blog/threat-insight/security-brief-ta450-uses-embedded-links-pdf-attachments-latest-campaign" target="_blank"> Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf" target="_blank"> Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank"> Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank"> ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank"> Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" target="_blank"> M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries" target="_blank"> Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank"> hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank"> Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks" target="_blank"> Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://success.trendmicro.com/solution/000283381" target="_blank"> Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot" target="_blank"> Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank"> Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank"> Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank"> Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank"> Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank"> Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank"> Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/" target="_blank"> Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" target="_blank"> Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html" target="_blank"> Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf" target="_blank"> Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank"> DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank"> The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/" target="_blank"> Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://blog.google/threat-analysis-group/how-were-tackling-evolving-online-threats/" target="_blank"> Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" target="_blank"> Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" target="_blank"> Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v15/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v15/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v15.1&#013;Website v4.1.6">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v15/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v15/theme/scripts/popper.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v15/theme/scripts/site.js?1487"></script> <script src="/versions/v15/theme/scripts/settings.js?4401"></script> <script src="/versions/v15/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v15/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v15/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v15/theme/scripts/settings.js"></script> <script src="/versions/v15/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/versions/v15/theme/scripts/sidebar-load-all.js"></script> </body> </html>