Masquerading: Match Legitimate Name or Location, Sub-technique T1036.005 - Enterprise | MITRE ATT&CK®
<!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Masquerading (10)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1036/001/" class="subtechnique-table-item" data-subtechnique_id="T1036.001"> T1036.001 </a> </td> <td> <a href="/techniques/T1036/001/" class="subtechnique-table-item" data-subtechnique_id="T1036.001"> Invalid Code Signature </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/002/" class="subtechnique-table-item" data-subtechnique_id="T1036.002"> T1036.002 </a> </td> <td> <a href="/techniques/T1036/002/" class="subtechnique-table-item" data-subtechnique_id="T1036.002"> Right-to-Left Override </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/003/" class="subtechnique-table-item" data-subtechnique_id="T1036.003"> T1036.003 </a> </td> <td> <a href="/techniques/T1036/003/" class="subtechnique-table-item" data-subtechnique_id="T1036.003"> Rename System Utilities </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/004/" class="subtechnique-table-item" data-subtechnique_id="T1036.004"> T1036.004 </a> </td> <td> <a href="/techniques/T1036/004/" class="subtechnique-table-item" data-subtechnique_id="T1036.004"> Masquerade Task or Service </a> </td> </tr> <tr> <td class="active"> T1036.005 </td> <td class="active"> Match Legitimate Name or Location </td> </tr> <tr> <td> <a href="/techniques/T1036/006/" class="subtechnique-table-item" data-subtechnique_id="T1036.006"> T1036.006 </a> </td> <td> <a href="/techniques/T1036/006/" 
class="subtechnique-table-item" data-subtechnique_id="T1036.006"> Space after Filename </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/007/" class="subtechnique-table-item" data-subtechnique_id="T1036.007"> T1036.007 </a> </td> <td> <a href="/techniques/T1036/007/" class="subtechnique-table-item" data-subtechnique_id="T1036.007"> Double File Extension </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/008/" class="subtechnique-table-item" data-subtechnique_id="T1036.008"> T1036.008 </a> </td> <td> <a href="/techniques/T1036/008/" class="subtechnique-table-item" data-subtechnique_id="T1036.008"> Masquerade File Type </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/009/" class="subtechnique-table-item" data-subtechnique_id="T1036.009"> T1036.009 </a> </td> <td> <a href="/techniques/T1036/009/" class="subtechnique-table-item" data-subtechnique_id="T1036.009"> Break Process Trees </a> </td> </tr> <tr> <td> <a href="/techniques/T1036/010/" class="subtechnique-table-item" data-subtechnique_id="T1036.010"> T1036.010 </a> </td> <td> <a href="/techniques/T1036/010/" class="subtechnique-table-item" data-subtechnique_id="T1036.010"> Masquerade Account Name </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. 
Alternatively, the name given to a file or container image may be a close approximation of a legitimate program or image name, or something innocuous.</p><p>Adversaries may also use the same icon as the file they are trying to mimic.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1036.005 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/techniques/T1036">T1036</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0005">Defense Evasion</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Containers, Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed: </span>Application Control </div> </div> <div class="row 
card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Vishwas Manral, McAfee; Yossi Weizman, Azure Defender Research Team </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>10 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>12 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1036.005" href="/versions/v16/techniques/T1036/005/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1036.005" href="/versions/v16/techniques/T1036/005/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/campaigns/C0025"> C0025 </a> </td> <td> <a href="/campaigns/C0025"> 2016 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, DLLs and EXEs with filenames associated with common electric power sector protocols were used to masquerade files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" 
class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0018"> G0018 </a> </td> <td> <a href="/groups/G0018"> admin@338 </a> </td> <td> <p><a href="/groups/G0018">admin@338</a> actors used the following command to rename one of their tools to a benign file name: <code>ren "%temp%\upload" audiodg.exe</code><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015."data-reference="FireEye admin@338"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1074"> S1074 </a> </td> <td> <a href="/software/S1074"> ANDROMEDA </a> </td> <td> <p><a href="/software/S1074">ANDROMEDA</a> has been installed to <code>C:\Temp\TrustedInstaller.exe</code> to mimic a legitimate Windows installer service.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. 
Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023"><sup><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1007"> G1007 </a> </td> <td> <a href="/groups/G1007"> Aoqin Dragon </a> </td> <td> <p><a href="/groups/G1007">Aoqin Dragon</a> has used fake icons including antivirus and external drives to disguise malicious payloads.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0622"> S0622 </a> </td> <td> <a href="/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/software/S0622">AppleSeed</a> has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. 
Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0006"> G0006 </a> </td> <td> <a href="/groups/G0006"> APT1 </a> </td> <td> <p>The file name AcroRD32.exe, a legitimate process name for Adobe's Acrobat Reader, was used by <a href="/groups/G0006">APT1</a> as a name for malware.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016."data-reference="Mandiant APT1 Appendix"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has changed extensions on files containing exfiltrated data to make them appear benign, and renamed a web shell instance to appear as a legitimate OWA page.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 
Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0016"> G0016 </a> </td> <td> <a href="/groups/G0016"> APT29 </a> </td> <td> <p><a href="/groups/G0016">APT29</a> has renamed malicious DLLs with legitimate names to appear benign; they have also created an Azure AD certificate with a Common Name that matched the display name of the compromised service principal.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021."data-reference="SentinelOne NobleBaron June 2021"><sup><a href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023."data-reference="Mandiant APT29 Microsoft 365 2022"><sup><a href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <p><a href="/groups/G0050">APT32</a> has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. <a href="/groups/G0050">APT32</a> has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe. 
<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020."data-reference="Volexity Ocean Lotus November 2020"><sup><a href="https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0087"> G0087 </a> </td> <td> <a href="/groups/G0087"> APT39 </a> </td> <td> <p><a href="/groups/G0087">APT39</a> has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications, closely mimicking a legitimate McAfee file mfevtps.exe.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."data-reference="BitDefender Chafer May 2020"><sup><a href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="FBI. (2020, September 17). 
Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020."data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> attempted to masquerade their files as popular anti-virus software.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021"><sup><a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1023"> G1023 </a> </td> <td> <a href="/groups/G1023"> APT5 </a> </td> <td> <p><a href="/groups/G1023">APT5</a> has named exfiltration archives to mimic Windows Updates at times using filenames with a <code>KB&lt;digits&gt;.zip</code> pattern.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. 
Retrieved February 5, 2024."data-reference="Mandiant Pulse Secure Update May 2021"><sup><a href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0143"> G0143 </a> </td> <td> <a href="/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/groups/G0143">Aquatic Panda</a> renamed or moved malicious binaries to legitimate locations to evade defenses and blend into victim environments.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024."data-reference="Crowdstrike HuntReport 2022"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0475"> S0475 </a> </td> <td> <a href="/software/S0475"> BackConfig </a> </td> <td> <p><a href="/software/S0475">BackConfig</a> has hidden malicious payloads in <code>%USERPROFILE%\Adobe\Driver\dwg\</code> and mimicked the legitimate DHCP service binary.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. 
Retrieved June 17, 2020."data-reference="Unit 42 BackConfig May 2020"><sup><a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0135"> G0135 </a> </td> <td> <a href="/groups/G0135"> BackdoorDiplomacy </a> </td> <td> <p><a href="/groups/G0135">BackdoorDiplomacy</a> has dropped implants in folders named for legitimate software.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021"data-reference="ESET BackdoorDiplomacy Jun 2021"><sup><a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0606"> S0606 </a> </td> <td> <a href="/software/S0606"> Bad Rabbit </a> </td> <td> <p><a href="/software/S0606">Bad Rabbit</a> has masqueraded as a Flash Player installer through the executable file <code>install_flash_player.exe</code>.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021."data-reference="ESET Bad Rabbit"><sup><a href="https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. 
Retrieved January 28, 2021."data-reference="Secure List Bad Rabbit"><sup><a href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0128"> S0128 </a> </td> <td> <a href="/software/S0128"> BADNEWS </a> </td> <td> <p><a href="/software/S0128">BADNEWS</a> attempts to hide its payloads using legitimate filenames.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018."data-reference="PaloAlto Patchwork Mar 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0534"> S0534 </a> </td> <td> <a href="/software/S0534"> Bazar </a> </td> <td> <p>The <a href="/software/S0534">Bazar</a> loader has named malicious shortcuts "adobe" and mimicked communications software.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. 
Retrieved December 1, 2020."data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021."data-reference="CrowdStrike Wizard Spider October 2020"><sup><a href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0268"> S0268 </a> </td> <td> <a href="/software/S0268"> Bisonal </a> </td> <td> <p><a href="/software/S0268">Bisonal</a> has renamed malicious code to <code>msacm32.dll</code> to hide within a legitimate library; earlier versions were disguised as <code>winhelp</code>.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020"><sup><a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1070"> S1070 </a> </td> <td> <a href="/software/S1070"> Black Basta </a> </td> <td> <p>The <a href="/software/S1070">Black Basta</a> dropper has mimicked an application for creating USB bootable drivers.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. 
Retrieved March 8, 2023."data-reference="Check Point Black Basta October 2022"><sup><a href="https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0520"> S0520 </a> </td> <td> <a href="/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/software/S0520">BLINDINGCAN</a> has attempted to hide its payload by using legitimate file names such as "iconcache.db".<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020."data-reference="US-CERT BLINDINGCAN Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0108"> G0108 </a> </td> <td> <a href="/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/groups/G0108">Blue Mockingbird</a> has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Lambert, T. (2020, May 7). Introducing Blue Mockingbird. 
Retrieved May 26, 2020."data-reference="RedCanary Mockingbird May 2020"><sup><a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0060"> G0060 </a> </td> <td> <a href="/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/groups/G0060">BRONZE BUTLER</a> has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1063"> S1063 </a> </td> <td> <a href="/software/S1063"> Brute Ratel C4 </a> </td> <td> <p><a href="/software/S1063">Brute Ratel C4</a> has used a payload file named OneDrive.update to appear benign.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. 
Retrieved February 1, 2023."data-reference="Palo Alto Brute Ratel July 2022"><sup><a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1039"> S1039 </a> </td> <td> <a href="/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/software/S1039">Bumblebee</a> has named component DLLs "RapportGP.dll" to match those used by the security company Trusteer.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022."data-reference="Medium Ali Salem Bumblebee April 2022"><sup><a href="https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0482"> S0482 </a> </td> <td> <a href="/software/S0482"> Bundlore </a> </td> <td> <p><a href="/software/S0482">Bundlore</a> has disguised a malicious .app file as a Flash Player update.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. 
Retrieved June 30, 2020."data-reference="MacKeeper Bundlore Apr 2019"><sup><a href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/groups/G0096">APT41</a> used file names beginning with USERS, SYSUSER, and SYSLOG for <a href="/software/S1052">DEADEYE</a>, and changed <a href="/software/S1051">KEYPLUG</a> file extensions from .vmp to .upx likely to avoid hunting detections.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <p>For <a href="https://attack.mitre.org/campaigns/C0018">C0018</a>, the threat actors renamed a <a href="/software/S0633">Sliver</a> payload to <code>vmware_kb.exe</code>.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. 
Retrieved January 11, 2023."data-reference="Cisco Talos Avos Jun 2022"><sup><a href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0032"> C0032 </a> </td> <td> <a href="/campaigns/C0032"> C0032 </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0032">C0032</a> campaign, <a href="/groups/G0088">TEMP.Veles</a> renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019."data-reference="FireEye TRITON 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0274"> S0274 </a> </td> <td> <a href="/software/S0274"> Calisto </a> </td> <td> <p><a href="/software/S0274">Calisto</a>'s installation file is an unsigned DMG image under the guise of Intego’s security solution for mac.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. 
Retrieved September 7, 2018."data-reference="Securelist Calisto July 2018"><sup><a href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0008"> G0008 </a> </td> <td> <a href="/groups/G0008"> Carbanak </a> </td> <td> <p><a href="/groups/G0008">Carbanak</a> has named malware "svchost.exe," which is the name of the Windows shared service host program.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018."data-reference="Kaspersky Carbanak"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0484"> S0484 </a> </td> <td> <a href="/software/S0484"> Carberp </a> </td> <td> <p><a href="/software/S0484">Carberp</a> has masqueraded as Windows system file names, as well as "chkntfs.exe" and "syscron.exe".<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024."data-reference="Prevx Carberp March 2011"><sup><a href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. 
Retrieved July 15, 2020."data-reference="Trusteer Carberp October 2010"><sup><a href="https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0631"> S0631 </a> </td> <td> <a href="/software/S0631"> Chaes </a> </td> <td> <p><a href="/software/S0631">Chaes</a> has used an unsigned, crafted DLL module named <code>hha.dll</code> that was designed to look like a legitimate 32-bit Windows DLL.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021."data-reference="Cybereason Chaes Nov 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0144"> S0144 </a> </td> <td> <a href="/software/S0144"> ChChes </a> </td> <td> <p><a href="/software/S0144">ChChes</a> copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe).<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. 
Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0114"> G0114 </a> </td> <td> <a href="/groups/G0114"> Chimera </a> </td> <td> <p><a href="/groups/G0114">Chimera</a> has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe, RecordedTV.ms, teredo.tmp, update.exe, and msadcs1.exe.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1041"> S1041 </a> </td> <td> <a href="/software/S1041"> Chinoxy </a> </td> <td> <p><a href="/software/S1041">Chinoxy</a> has used the name <code>eoffice.exe</code> in an attempt to appear as a legitimate file.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. 
Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0625"> S0625 </a> </td> <td> <a href="/software/S0625"> Cuba </a> </td> <td> <p><a href="/software/S0625">Cuba</a> has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1153"> S1153 </a> </td> <td> <a href="/software/S1153"> Cuckoo Stealer </a> </td> <td> <p><a href="/software/S1153">Cuckoo Stealer</a> has copied and renamed itself to DumpMediaSpotifyMusicConverter.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024."data-reference="Kandji Cuckoo April 2024"><sup><a href="https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. 
Retrieved August 20, 2024."data-reference="SentinelOne Cuckoo Stealer May 2024"><sup><a href="https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0687"> S0687 </a> </td> <td> <a href="/software/S0687"> Cyclops Blink </a> </td> <td> <p><a href="/software/S0687">Cyclops Blink</a> can rename its running process to <code>[kworker:0/1]</code> to masquerade as a Linux kernel thread. <a href="/software/S0687">Cyclops Blink</a> has also named RC scripts used for persistence after WatchGuard artifacts.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022."data-reference="NCSC Cyclops Blink February 2022"><sup><a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1014"> S1014 </a> </td> <td> <a href="/software/S1014"> DanBot </a> </td> <td> <p><a href="/software/S1014">DanBot</a> files have been named <code>UltraVNC.exe</code> and <code>WINVNC.exe</code> to appear as legitimate VNC tools.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. 
Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0334"> S0334 </a> </td> <td> <a href="/software/S0334"> DarkComet </a> </td> <td> <p><a href="/software/S0334">DarkComet</a> has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018."data-reference="TrendMicro DarkComet Sept 2014"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0012"> G0012 </a> </td> <td> <a href="/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/groups/G0012">Darkhotel</a> has used malware that is disguised as a Secure Shell (SSH) tool.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021."data-reference="Microsoft DUBNIUM June 2016"><sup><a href="https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0187"> S0187 </a> </td> <td> <a href="/software/S0187"> Daserf </a> </td> <td> <p><a href="/software/S0187">Daserf</a> uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="DiMaggio, J. (2016, April 28). 
Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018."data-reference="Symantec Tick Apr 2016"><sup><a href="https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0600"> S0600 </a> </td> <td> <a href="/software/S0600"> Doki </a> </td> <td> <p><a href="/software/S0600">Doki</a> has disguised a file as a Linux kernel module.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021."data-reference="Intezer Doki July 20"><sup><a href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0694"> S0694 </a> </td> <td> <a href="/software/S0694"> DRATzarus </a> </td> <td> <p><a href="/software/S0694">DRATzarus</a> has been named <code>Flash.exe</code>, and its dropper has been named <code>IExplorer</code>.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. 
Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0567"> S0567 </a> </td> <td> <a href="/software/S0567"> Dtrack </a> </td> <td> <p><a href="/software/S0567">Dtrack</a> can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021."data-reference="CyberBit Dtrack"><sup><a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1158"> S1158 </a> </td> <td> <a href="/software/S1158"> DUSTPAN </a> </td> <td> <p><a href="/software/S1158">DUSTPAN</a> is often disguised as a legitimate Windows binary such as <code>w3wp.exe</code> or <code>conn.exe</code>.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. 
Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1006"> G1006 </a> </td> <td> <a href="/groups/G1006"> Earth Lusca </a> </td> <td> <p><a href="/groups/G1006">Earth Lusca</a> used the command <code>move [file path] c:\windows\system32\spool\prtprocs\x64\spool.dll</code> to move and register a malicious DLL name as a Windows print processor, which eventually was loaded by the Print Spooler service.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022."data-reference="TrendMicro EarthLusca 2022"><sup><a href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0605"> S0605 </a> </td> <td> <a href="/software/S0605"> EKANS </a> </td> <td> <p><a href="/software/S0605">EKANS</a> has been disguised as <code>update.exe</code> to appear as a valid executable.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. 
Retrieved February 9, 2021."data-reference="Dragos EKANS"><sup><a href="https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0081"> S0081 </a> </td> <td> <a href="/software/S0081"> Elise </a> </td> <td> <p>If installing itself as a service fails, <a href="/software/S0081">Elise</a> instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016."data-reference="Lotus Blossom Jun 2015"><sup><a href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1003"> G1003 </a> </td> <td> <a href="/groups/G1003"> Ember Bear </a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> has renamed tools to match legitimate utilities, such as renaming GOST tunneling instances to <code>java</code> in victim environments.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0171"> S0171 </a> </td> <td> <a href="/software/S0171"> Felismus </a> </td> <td> <p><a href="/software/S0171">Felismus</a> has masqueraded as legitimate Adobe Content Management System files.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024."data-reference="ATT Felismus"><sup><a href="https://cybersecurity.att.com/blogs/security-essentials/the-felismus-rat-powerful-threat-mysterious-purpose" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0137"> G0137 </a> </td> <td> <a href="/groups/G0137"> Ferocious Kitten </a> </td> <td> <p><a href="/groups/G0137">Ferocious Kitten</a> has named malicious files <code>update.exe</code> and loaded them into the compromised host's "Public" folder.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. 
Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021"><sup><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022"><sup><a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0046"> G0046 </a> </td> <td> <a href="/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/groups/G0046">FIN7</a> has attempted to run Darkside ransomware with the filename sleep.exe.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. 
Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021"><sup><a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0182"> S0182 </a> </td> <td> <a href="/software/S0182"> FinFisher </a> </td> <td> <p><a href="/software/S0182">FinFisher</a> renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="FinFisher. (n.d.). Retrieved September 12, 2024."data-reference="FinFisher Citation"><sup><a href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018."data-reference="Microsoft FinFisher March 2018"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0661"> S0661 </a> </td> <td> <a href="/software/S0661"> FoggyWeb </a> </td> <td> <p><a href="/software/S0661">FoggyWeb</a> can be disguised as a Visual Studio file such as <code>Windows.Data.TimeZones.zh-PH.pri</code> to evade detection. 
Also, <a href="/software/S0661">FoggyWeb</a>'s loader can mimic a genuine <code>dll</code> file that carries out the same import functions as the legitimate Windows <code>version.dll</code> file.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021."data-reference="MSTIC FoggyWeb September 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0117"> G0117 </a> </td> <td> <a href="/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/groups/G0117">Fox Kitten</a> has named binaries and configuration files svhost and dllhost respectively to appear legitimate.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020."data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0410"> S0410 </a> </td> <td> <a href="/software/S0410"> Fysbis </a> </td> <td> <p><a href="/software/S0410">Fysbis</a> has masqueraded as trusted software rsyncd and dbus-inotifier.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. 
Retrieved December 7, 2017."data-reference="Fysbis Dr Web Analysis"><sup><a href="https://vms.drweb.com/virus/?i=4276269" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0047"> G0047 </a> </td> <td> <a href="/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/groups/G0047">Gamaredon Group</a> has used legitimate process names to hide malware including <code>svchosst</code>.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022."data-reference="Unit 42 Gamaredon February 2022"><sup><a href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0666"> S0666 </a> </td> <td> <a href="/software/S0666"> Gelsemium </a> </td> <td> <p><a href="/software/S0666">Gelsemium</a> has named malicious binaries <code>serv.exe</code>, <code>winprint.dll</code>, and <code>chrome_elf.dll</code> and has set its persistence in the Registry with the key value <code>Chrome Update</code> to appear legitimate.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. 
Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0493"> S0493 </a> </td> <td> <a href="/software/S0493"> GoldenSpy </a> </td> <td> <p><a href="/software/S0493">GoldenSpy</a>'s setup file installs initial executables under the folder <code>%WinDir%\System32\PluginManager</code>.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020."data-reference="Trustwave GoldenSpy June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0588"> S0588 </a> </td> <td> <a href="/software/S0588"> GoldMax </a> </td> <td> <p><a href="/software/S0588">GoldMax</a> has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="CrowdStrike. (2022, January 27). 
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022."data-reference="CrowdStrike StellarParticle January 2022"><sup><a href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0477"> S0477 </a> </td> <td> <a href="/software/S0477"> Goopy </a> </td> <td> <p><a href="/software/S0477">Goopy</a> has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/software/S0531">Grandoreiro</a> has named malicious browser extensions and update files to appear legitimate.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020."data-reference="IBM Grandoreiro April 2020"><sup><a href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. 
Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0690"> S0690 </a> </td> <td> <a href="/software/S0690"> Green Lambert </a> </td> <td> <p><a href="/software/S0690">Green Lambert</a> has been disguised as a Growl help file.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022."data-reference="Objective See Green Lambert for OSX Oct 2021"><sup><a href="https://objective-see.com/blog/blog_0x68.html" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span><span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022."data-reference="Glitch-Cat Green Lambert ATTCK Oct 2021"><sup><a href="https://www.glitch-cat.com/blog/green-lambert-and-attack" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0697"> S0697 </a> </td> <td> <a href="/software/S0697"> HermeticWiper </a> </td> <td> <p><a href="/software/S0697">HermeticWiper</a> has used the name <code>postgressql.exe</code> (a misspelling of the legitimate PostgreSQL binary name) to mask a malicious payload.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. 
Retrieved April 10, 2022."data-reference="ESET Hermetic Wizard March 2022"><sup><a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0698"> S0698 </a> </td> <td> <a href="/software/S0698"> HermeticWizard </a> </td> <td> <p><a href="/software/S0698">HermeticWizard</a> has been named <code>exec_32.dll</code> to mimic a legitimate MS Outlook .dll.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022."data-reference="ESET Hermetic Wizard March 2022"><sup><a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0038"> C0038 </a> </td> <td> <a href="/campaigns/C0038"> HomeLand Justice </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a>, threat actors renamed <a href="/software/S1150">ROADSWEEP</a> to <code>GoXML.exe</code> and <a href="/software/S1151">ZeroCleare</a> to <code>cl.exe</code>.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024."data-reference="CISA Iran Albanian Attacks September 2022"><sup><a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span><span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Jenkins, L. et al. (2022, August 4). 
ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0070"> S0070 </a> </td> <td> <a href="/software/S0070"> HTTPBrowser </a> </td> <td> <p><a href="/software/S0070">HTTPBrowser</a>'s installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016."data-reference="ZScaler Hacking Team"><sup><a href="http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1022"> S1022 </a> </td> <td> <a href="/software/S1022"> IceApple </a> </td> <td> <p><a href="/software/S1022">IceApple</a> .NET assemblies have used <code>App_Web_</code> in their file names to appear legitimate.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. 
Retrieved June 27, 2022."data-reference="CrowdStrike IceApple May 2022"><sup><a href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0483"> S0483 </a> </td> <td> <a href="/software/S0483"> IcedID </a> </td> <td> <p><a href="/software/S0483">IcedID</a> has modified legitimate .dll files to include malicious code.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Kenefick , I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024."data-reference="Trendmicro_IcedID"><sup><a href="https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1032"> G1032 </a> </td> <td> <a href="/groups/G1032"> INC Ransom </a> </td> <td> <p><a href="/groups/G1032">INC Ransom</a> has named a <a href="/software/S0029">PsExec</a> executable winupd to mimic a legitimate Windows update file.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023"><sup><a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span><span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. 
Retrieved June 5, 2024."data-reference="SOCRadar INC Ransom January 2024"><sup><a href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0119"> G0119 </a> </td> <td> <a href="/groups/G0119"> Indrik Spider </a> </td> <td> <p><a href="/groups/G0119">Indrik Spider</a> used fake updates for FlashPlayer plugin and Google Chrome as initial infection vectors.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021."data-reference="Crowdstrike Indrik November 2018"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0259"> S0259 </a> </td> <td> <a href="/software/S0259"> InnaputRAT </a> </td> <td> <p><a href="/software/S0259">InnaputRAT</a> variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. 
Retrieved July 9, 2018."data-reference="ASERT InnaputRAT April 2018"><sup><a href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/software/S0260">InvisiMole</a> has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018."data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0015"> S0015 </a> </td> <td> <a href="/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/software/S0015">Ixeshe</a> has used registry values and file names associated with Adobe software, such as AcroRd32.exe.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. 
Retrieved June 7, 2019."data-reference="Trend Micro IXESHE 2012"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/groups/G0004">Ke3chang</a> has dropped their malware into legitimate installed software paths including: <code>C:\ProgramFiles\Realtek\Audio\HDA\AERTSr.exe</code>, <code>C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe</code>, <code>C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe</code>, and <code>C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe</code>.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0526"> S0526 </a> </td> <td> <a href="/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/software/S0526">KGH_SPY</a> has masqueraded as a legitimate Windows tool.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. 
Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has renamed malware to legitimate names such as <code>ESTCommon.dll</code> or <code>patch.dll</code>.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024."data-reference="Kimsuky Malwarebytes"><sup><a href="https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0669"> S0669 </a> </td> <td> <a href="/software/S0669"> KOCTOPUS </a> </td> <td> <p><a href="/software/S0669">KOCTOPUS</a> has been disguised as legitimate software programs associated with the travel and airline industries.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. 
Retrieved January 10, 2024."data-reference="Arghire LazyScripter"><sup><a href="https://www.securityweek.com/new-lazyscripter-hacking-group-targets-airlines/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p><a href="/software/S0356">KONNI</a> has created a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."data-reference="Talos Konni May 2017"><sup><a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1160"> S1160 </a> </td> <td> <a href="/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/software/S1160">Latrodectus</a> has been packed to appear as a component to Bitdefender’s kernel-mode driver, TRUFOS.SYS.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. 
Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024"><sup><a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> has renamed malicious code to disguise it as Microsoft's narrator and other legitimate files.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021."data-reference="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span><span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022."data-reference="Qualys LolZarus"><sup><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0395"> S0395 </a> </td> <td> <a href="/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/software/S0395">LightNeuron</a> has used filenames associated with Exchange and Outlook for binary and configuration files, such as <code>winmail.dat</code>.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. 
Retrieved June 24, 2019."data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0582"> S0582 </a> </td> <td> <a href="/software/S0582"> LookBack </a> </td> <td> <p><a href="/software/S0582">LookBack</a> has a C2 proxy tool that masquerades as <code>GUP.exe</code>, the name of a legitimate binary used by Notepad++.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021."data-reference="Proofpoint LookBack Malware Aug 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1014"> G1014 </a> </td> <td> <a href="/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/groups/G1014">LuminousMoth</a> has disguised their exfiltration malware as <code>ZoomVideoApp.exe</code>.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. 
Retrieved October 20, 2022."data-reference="Kaspersky LuminousMoth July 2021"><sup><a href="https://securelist.com/apt-luminousmoth/103332/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python executables.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span><span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019."data-reference="Securelist Machete Aug 2014"><sup><a href="https://securelist.com/el-machete/66108/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0095"> G0095 </a> </td> <td> <a href="/groups/G0095"> Machete </a> </td> <td> <p><a href="/groups/G0095">Machete</a>'s <a href="/software/S0409">Machete</a> MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. 
Retrieved November 20, 2020."data-reference="360 Machete Sep 2020"><sup><a href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used <code>dllhost.exe</code> to mask Fast Reverse Proxy (FRP) and <code>MicrosoftOutLookUpdater.exe</code> for Plink.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span><span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0652"> S0652 </a> </td> <td> <a href="/software/S0652"> MarkiRAT </a> </td> <td> <p><a href="/software/S0652">MarkiRAT</a> can masquerade as <code>update.exe</code> and <code>svehost.exe</code>; it has also mimicked legitimate Telegram and Chrome files.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021"><sup><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0500"> S0500 </a> </td> <td> <a href="/software/S0500"> MCMD </a> </td> <td> <p><a href="/software/S0500">MCMD</a> has been named Readme.txt to appear legitimate.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. 
Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0459"> S0459 </a> </td> <td> <a href="/software/S0459"> MechaFlounder </a> </td> <td> <p><a href="/software/S0459">MechaFlounder</a> has been downloaded as a file named <code>lsass.exe</code>, which matches the name of the legitimate Windows Local Security Authority Subsystem Service binary (normally present only in the System32 directory).<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020."data-reference="Unit 42 MechaFlounder March 2019"><sup><a href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0045"> G0045 </a> </td> <td> <a href="/groups/G0045"> menuPass </a> </td> <td> <p><a href="/groups/G0045">menuPass</a> has been seen changing the names of malicious files to appear legitimate.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. 
Retrieved December 17, 2020."data-reference="District Court of NY APT10 Indictment December 2018"><sup><a href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0455"> S0455 </a> </td> <td> <a href="/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/software/S0455">Metamorfo</a> has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."data-reference="Medium Metamorfo Apr 2020"><sup><a href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span><span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021."data-reference="ESET Casbaneiro Oct 2019"><sup><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0084"> S0084 </a> </td> <td> <a href="/software/S0084"> Mis-Type </a> </td> <td> <p><a href="/software/S0084">Mis-Type</a> saves itself as a file named <code>msdtc.exe</code>, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span><span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016."data-reference="Microsoft DTC"><sup><a href="https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0083"> S0083 </a> </td> <td> <a href="/software/S0083"> Misdat </a> </td> <td> <p><a href="/software/S0083">Misdat</a> saves itself as a file named <code>msdtc.exe</code>, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span><span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Microsoft. (2011, January 12). Distributed Transaction Coordinator. 
Retrieved February 25, 2016."data-reference="Microsoft DTC"><sup><a href="https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0069"> G0069 </a> </td> <td> <a href="/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/groups/G0069">MuddyWater</a> has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span><span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."data-reference="Talos MuddyWater May 2019"><sup><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span><span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. 
Retrieved March 17, 2021."data-reference="Anomali Static Kitten February 2021"><sup><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0129"> G0129 </a> </td> <td> <a href="/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/groups/G0129">Mustang Panda</a> has used names like <code>adobeupdate.dat</code> and <code>PotPlayerDB.dat</code> to disguise <a href="/software/S0013">PlugX</a>, and a file named <code>OneDrive.exe</code> to load a <a href="/software/S0154">Cobalt Strike</a> payload.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021."data-reference="Recorded Future REDDELTA July 2020"><sup><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1020"> G1020 </a> </td> <td> <a href="/groups/G1020"> Mustard Tempest </a> </td> <td> <p><a href="/groups/G1020">Mustard Tempest</a> has used the filename <code>AutoUpdater.js</code> to mimic legitimate update files and has also used the Cyrillic homoglyph characters С <code>(0xd0a1)</code> and а <code>(0xd0b0)</code>, to produce the filename <code>Сhrome.Updаte.zip</code>.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. 
Retrieved March 22, 2024."data-reference="Red Canary SocGholish March 2024"><sup><a href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0019"> G0019 </a> </td> <td> <a href="/groups/G0019"> Naikon </a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has disguised malicious programs as Google Chrome, Adobe, and VMware executables.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0630"> S0630 </a> </td> <td> <a href="/software/S0630"> Nebulae </a> </td> <td> <p><a href="/software/S0630">Nebulae</a> uses functions named <code>StartUserModeBrowserInjection</code> and <code>StopUserModeBrowserInjection</code> indicating that it's trying to imitate chrome_frame_helper.dll.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> has masqueraded as legitimate software including TeamViewer and macOS Finder.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1090"> S1090 </a> </td> <td> <a href="/software/S1090"> NightClub </a> </td> <td> <p><a href="/software/S1090">NightClub</a> has chosen file names to appear legitimate including EsetUpdate-0117583943.exe for its dropper.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1100"> S1100 </a> </td> <td> <a href="/software/S1100"> Ninja </a> </td> <td> <p><a href="/software/S1100">Ninja</a> has used legitimate looking filenames for its loader including update.dll and x64.dll.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0353"> S0353 </a> </td> <td> <a href="/software/S0353"> NOKKI </a> </td> <td> <p><a href="/software/S0353">NOKKI</a> is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. 
Retrieved November 5, 2018."data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0340"> S0340 </a> </td> <td> <a href="/software/S0340"> Octopus </a> </td> <td> <p><a href="/software/S0340">Octopus</a> has been disguised as legitimate programs, such as Java and Telegram Messenger.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018."data-reference="Securelist Octopus Oct 2018"><sup><a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span><span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021."data-reference="ESET Nomadic Octopus 2018"><sup><a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0138"> S0138 </a> </td> <td> <a href="/software/S0138"> OLDBAIT </a> </td> <td> <p><a href="/software/S0138">OLDBAIT</a> installs itself in <code>%ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe</code>; the directory name is missing a space and the file name is missing the letter "o."<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. 
Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0012"> C0012 </a> </td> <td> <a href="/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors renamed a malicious executable to <code>rundll32.exe</code> to allow it to blend in with other Windows system files.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022"><sup><a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0006"> C0006 </a> </td> <td> <a href="/campaigns/C0006"> Operation Honeybee </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a>, the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. 
Retrieved May 16, 2018."data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0013"> C0013 </a> </td> <td> <a href="/campaigns/C0013"> Operation Sharpshooter </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0013">Operation Sharpshooter</a>, threat actors installed <a href="/software/S0448">Rising Sun</a> in the Startup folder and disguised it as <code>mssync.exe</code>.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, the threat actors renamed some tools and executables to appear as legitimate programs.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. 
Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0402"> S0402 </a> </td> <td> <a href="/software/S0402"> OSX/Shlayer </a> </td> <td> <p><a href="/software/S0402">OSX/Shlayer</a> can masquerade as a Flash Player update.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019."data-reference="Carbon Black Shlayer Feb 2019"><sup><a href="https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span><span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019."data-reference="Intego Shlayer Feb 2018"><sup><a href="https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1017"> S1017 </a> </td> <td> <a href="/software/S1017"> OutSteel </a> </td> <td> <p><a href="/software/S1017">OutSteel</a> attempts to download and execute <a href="/software/S1018">Saint Bot</a> to a statically-defined location attempting to mimic svchost: <code>%TEMP%\svjhost.exe</code>.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. 
Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 "><sup><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0072"> S0072 </a> </td> <td> <a href="/software/S0072"> OwaAuth </a> </td> <td> <p><a href="/software/S0072">OwaAuth</a> uses the filename owaauth.dll, which is a legitimate file that normally resides in <code>%ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\Auth\</code>; the malicious file by the same name is saved in <code>%ProgramFiles%\Microsoft\Exchange Server\ClientAccess\Owa\bin\</code>.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390"><sup><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0040"> G0040 </a> </td> <td> <a href="/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/groups/G0040">Patchwork</a> installed its payload in the startup programs folder as "Baidu Software Update." The group also adds its second stage payload to the startup programs as "Net Monitor."<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. 
Retrieved August 3, 2016."data-reference="Cymmetria Patchwork"><sup><a href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span> They have also dropped <a href="/software/S0262">QuasarRAT</a> binaries as files named microsoft_network.exe and crome.exe.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018."data-reference="Volexity Patchwork June 2018"><sup><a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1050"> S1050 </a> </td> <td> <a href="/software/S1050"> PcShare </a> </td> <td> <p><a href="/software/S1050">PcShare</a> has been named <code>wuauclt.exe</code> to appear as the legitimate Windows Update AutoUpdate Client.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0587"> S0587 </a> </td> <td> <a href="/software/S0587"> Penquin </a> </td> <td> <p><a href="/software/S0587">Penquin</a> has mimicked the Cron binary to hide itself on compromised systems.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Leonardo. (2020, May 29). 
MALWARE TECHNICAL INSIGHT TURLA &quot;Penquin_x64&quot;. Retrieved March 11, 2021."data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0501"> S0501 </a> </td> <td> <a href="/software/S0501"> PipeMon </a> </td> <td> <p><a href="/software/S0501">PipeMon</a> modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Tartare, M. et al. (2020, May 21). No &quot;Game over&quot; for the Winnti Group. Retrieved August 24, 2020."data-reference="ESET PipeMon May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0013"> S0013 </a> </td> <td> <a href="/software/S0013"> PlugX </a> </td> <td> <p><a href="/software/S0013">PlugX</a> has been disguised as legitimate Adobe and PotPlayer files.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. 
Retrieved March 16, 2022."data-reference="Proofpoint TA416 Europe March 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0453"> S0453 </a> </td> <td> <a href="/software/S0453"> Pony </a> </td> <td> <p><a href="/software/S0453">Pony</a> has used the Adobe Reader icon for the downloaded file to look more trustworthy.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."data-reference="Malwarebytes Pony April 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0033"> G0033 </a> </td> <td> <a href="/groups/G0033"> Poseidon Group </a> </td> <td> <p><a href="/groups/G0033">Poseidon Group</a> tools attempt to spoof anti-virus processes as a means of self-defense.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. 
Retrieved March 16, 2016."data-reference="Kaspersky Poseidon Group"><sup><a href="https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1046"> S1046 </a> </td> <td> <a href="/software/S1046"> PowGoop </a> </td> <td> <p><a href="/software/S1046">PowGoop</a> has used a DLL named Goopdate.dll to impersonate a legitimate Google update file.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022."data-reference="DHS CISA AA22-055A MuddyWater February 2022"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0056"> G0056 </a> </td> <td> <a href="/groups/G0056"> PROMETHIUM </a> </td> <td> <p><a href="/groups/G0056">PROMETHIUM</a> has disguised malicious installer files by bundling them with legitimate software installers.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span><span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. 
Retrieved July 20, 2020."data-reference="Bitdefender StrongPity June 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0196"> S0196 </a> </td> <td> <a href="/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/software/S0196">PUNCHBUGGY</a> mimics filenames from %SYSTEM%\System32 to hide DLLs in %WINDIR% and/or %TEMP%.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span><span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019."data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1032"> S1032 </a> </td> <td> <a href="/software/S1032"> PyDCrypt </a> </td> <td> <p><a href="/software/S1032">PyDCrypt</a> has dropped <a href="/software/S1033">DCSrv</a> under the <code>svchost.exe</code> name to disk.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. 
Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021"><sup><a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0583"> S0583 </a> </td> <td> <a href="/software/S0583"> Pysa </a> </td> <td> <p><a href="/software/S0583">Pysa</a> has executed a malicious executable by naming it svchost.exe.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021."data-reference="CERT-FR PYSA April 2020"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0269"> S0269 </a> </td> <td> <a href="/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/software/S0269">QUADAGENT</a> used the PowerShell filenames <code>Office365DCOMCheck.ps1</code> and <code>SystemDiskClean.ps1</code>.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018."data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1084"> S1084 </a> </td> <td> <a href="/software/S1084"> QUIETEXIT </a> </td> <td> <p><a href="/software/S1084">QUIETEXIT</a> has attempted to change its name to <code>cron</code> upon startup. 
During incident response, <a href="/software/S1084">QUIETEXIT</a> samples have been identified that were renamed to blend in with other legitimate files.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22"><sup><a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0565"> S0565 </a> </td> <td> <a href="/software/S0565"> Raindrop </a> </td> <td> <p><a href="/software/S0565">Raindrop</a> was installed under names that resembled legitimate Windows file and directory names.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021."data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span><span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0629"> S0629 </a> </td> <td> <a href="/software/S0629"> RainyDay </a> </td> <td> <p><a href="/software/S0629">RainyDay</a> has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0458"> S0458 </a> </td> <td> <a href="/software/S0458"> Ramsay </a> </td> <td> <p><a href="/software/S0458">Ramsay</a> has masqueraded as a 7zip installer.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020."data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span><span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. 
Retrieved March 24, 2021."data-reference="Antiy CERT Ramsay April 2020"><sup><a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0495"> S0495 </a> </td> <td> <a href="/software/S0495"> RDAT </a> </td> <td> <p><a href="/software/S0495">RDAT</a> has masqueraded as VMware.exe.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020."data-reference="Unit42 RDAT July 2020"><sup><a href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G1039"> G1039 </a> </td> <td> <a href="/groups/G1039"> RedCurl </a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> mimicked legitimate file names and scheduled tasks, e.g. <code>MicrosoftCurrentupdatesCheck</code> and <code>MdMMaintenenceTask</code>, to mask malicious files and scheduled tasks.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span><span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. 
Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0125"> S0125 </a> </td> <td> <a href="/software/S0125"> Remsec </a> </td> <td> <p>The <a href="/software/S0125">Remsec</a> loader implements itself with the name Security Support Provider, a legitimate Windows function. Various <a href="/software/S0125">Remsec</a> .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. <a href="/software/S0125">Remsec</a> also disguised malicious modules using similar filenames as custom network encryption software on victims.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024."data-reference="ComputerWeekly Strider"><sup><a href="https://www.computerweekly.com/news/450302128/Strider-cyber-attack-group-deploying-malware-for-espionage" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span><span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. 
Retrieved August 17, 2016."data-reference="Kaspersky ProjectSauron Full Report"><sup><a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0496"> S0496 </a> </td> <td> <a href="/software/S0496"> REvil </a> </td> <td> <p><a href="/software/S0496">REvil</a> can mimic the names of known executables.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020."data-reference="Picus Sodinokibi January 2020"><sup><a href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0106"> G0106 </a> </td> <td> <a href="/groups/G0106"> Rocke </a> </td> <td> <p><a href="/groups/G0106">Rocke</a> has used shell scripts that download mining executables and save them with the filename "java".<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."data-reference="Talos Rocke August 2018"><sup><a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1078"> S1078 </a> </td> <td> <a href="/software/S1078"> RotaJakiro </a> </td> <td> <p><a href="/software/S1078">RotaJakiro</a> has used the filename <code>systemd-daemon</code> in an attempt to appear legitimate.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Alex Turing. (2021, May 6). 
RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023."data-reference="netlab360 rotajakiro vs oceanlotus"><sup><a href="https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0446"> S0446 </a> </td> <td> <a href="/software/S0446"> Ryuk </a> </td> <td> <p><a href="/software/S0446">Ryuk</a> has constructed legitimate appearing installation folder paths by calling <code>GetWindowsDirectoryW</code> and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as <code>C:\Users\Public</code>.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."data-reference="CrowdStrike Ryuk January 2019"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0085"> S0085 </a> </td> <td> <a href="/software/S0085"> S-Type </a> </td> <td> <p><a href="/software/S0085">S-Type</a> may save itself as a file named <code>msdtc.exe</code>, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span><span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016."data-reference="Microsoft DTC"><sup><a href="https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1018"> S1018 </a> </td> <td> <a href="/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/software/S1018">Saint Bot</a> has been disguised as a legitimate executable, including as Windows SDK.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1099"> S1099 </a> </td> <td> <a href="/software/S1099"> Samurai </a> </td> <td> <p><a href="/software/S1099">Samurai</a> has created the directory <code>%COMMONPROGRAMFILES%\Microsoft Shared\wmi\</code> to contain DLLs for loading successive stages.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. 
Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022"><sup><a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> has avoided detection by naming a malicious binary explorer.exe.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span><span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1019"> S1019 </a> </td> <td> <a href="/software/S1019"> Shark </a> </td> <td> <p><a href="/software/S1019">Shark</a> binaries have been named <code>audioddg.pdb</code> and <code>Winlangdb.pdb</code> in order to appear legitimate.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By &quot;Siamesekitten&quot; - Lyceum. 
Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0445"> S0445 </a> </td> <td> <a href="/software/S0445"> ShimRatReporter </a> </td> <td> <p><a href="/software/S0445">ShimRatReporter</a> spoofed itself as <code>AlphaZawgyl_font.exe</code>, a specialized Unicode font.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0589"> S0589 </a> </td> <td> <a href="/software/S0589"> Sibot </a> </td> <td> <p><a href="/software/S0589">Sibot</a> has downloaded a DLL to the <code>C:\windows\system32\drivers\</code> folder and renamed it with a <code>.sys</code> extension.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. 
Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1008"> G1008 </a> </td> <td> <a href="/groups/G1008"> SideCopy </a> </td> <td> <p><a href="/groups/G1008">SideCopy</a> has used a legitimate DLL file name, <code>Duser.dll</code>, to disguise a malicious remote access tool.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0121"> G0121 </a> </td> <td> <a href="/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/groups/G0121">Sidewinder</a> has named malicious files <code>rekeywiz.exe</code> to match the name of a legitimate Windows executable.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. 
Retrieved January 29, 2021."data-reference="Rewterz Sidewinder COVID-19 June 2020"><sup><a href="https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0091"> G0091 </a> </td> <td> <a href="/groups/G0091"> Silence </a> </td> <td> <p><a href="/groups/G0091">Silence</a> has named its backdoor "WINWORD.exe".<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."data-reference="Group IB Silence Sept 2018"><sup><a href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0468"> S0468 </a> </td> <td> <a href="/software/S0468"> Skidmap </a> </td> <td> <p><a href="/software/S0468">Skidmap</a> has created a fake <code>rm</code> binary to replace the legitimate Linux binary.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. 
Retrieved June 4, 2020."data-reference="Trend Micro Skidmap"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0533"> S0533 </a> </td> <td> <a href="/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/software/S0533">SLOTHFULMEDIA</a> has mimicked the names of known executables, such as mediaplayer.exe.<span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020."data-reference="CISA MAR SLOTHFULMEDIA October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1035"> S1035 </a> </td> <td> <a href="/software/S1035"> Small Sieve </a> </td> <td> <p><a href="/software/S1035">Small Sieve</a> can use variations of Microsoft and Outlook spellings, such as "Microsift", in its file names to avoid detection.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. 
Retrieved August 22, 2022."data-reference="NCSC GCHQ Small Sieve Jan 2022"><sup><a href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1124"> S1124 </a> </td> <td> <a href="/software/S1124"> SocGholish </a> </td> <td> <p><a href="/software/S1124">SocGholish</a> has been named <code>AutoUpdater.js</code> to mimic legitimate update files.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> renamed software and DLLs with legitimate names to appear benign.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span><span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). 
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0054"> G0054 </a> </td> <td> <a href="/groups/G0054"> Sowbug </a> </td> <td> <p><a href="/groups/G0054">Sowbug</a> named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory <code>CSIDL_APPDATA\microsoft\security</code>.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017."data-reference="Symantec Sowbug Nov 2017"><sup><a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0058"> S0058 </a> </td> <td> <a href="/software/S0058"> SslMM </a> </td> <td> <p>To establish persistence, <a href="/software/S0058">SslMM</a> identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. 
Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0188"> S0188 </a> </td> <td> <a href="/software/S0188"> Starloader </a> </td> <td> <p><a href="/software/S0188">Starloader</a> has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017."data-reference="Symantec Sowbug Nov 2017"><sup><a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1034"> S1034 </a> </td> <td> <a href="/software/S1034"> StrifeWater </a> </td> <td> <p><a href="/software/S1034">StrifeWater</a> has been named <code>calc.exe</code> to appear as a legitimate calculator program.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. 
Retrieved August 15, 2022."data-reference="Cybereason StrifeWater Feb 2022"><sup><a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0491"> S0491 </a> </td> <td> <a href="/software/S0491"> StrongPity </a> </td> <td> <p><a href="/software/S0491">StrongPity</a> has been bundled with legitimate software installation files for disguise.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1042"> S1042 </a> </td> <td> <a href="/software/S1042"> SUGARDUMP </a> </td> <td> <p><a href="/software/S1042">SUGARDUMP</a> has been named <code>CrashReporter.exe</code> to appear as a legitimate Mozilla executable.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. 
Retrieved September 21, 2022."data-reference="Mandiant UNC3890 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0559"> S0559 </a> </td> <td> <a href="/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/software/S0559">SUNBURST</a> created VBScripts that were named after existing services or folders to blend into legitimate activities.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0562"> S0562 </a> </td> <td> <a href="/software/S0562"> SUNSPOT </a> </td> <td> <p><a href="/software/S0562">SUNSPOT</a> was identified on disk with a filename of <code>taskhostsvc.exe</code> and it created an encrypted log file at <code>C:\Windows\Temp\vmware-vmdmp.log</code>.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. 
Retrieved January 11, 2021."data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0578"> S0578 </a> </td> <td> <a href="/software/S0578"> SUPERNOVA </a> </td> <td> <p><a href="/software/S0578">SUPERNOVA</a> has masqueraded as a legitimate SolarWinds DLL.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021."data-reference="Guidepoint SUPERNOVA Dec 2020"><sup><a href="https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a></sup></span><span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021."data-reference="Unit42 SUPERNOVA Dec 2020"><sup><a href="https://unit42.paloaltonetworks.com/solarstorm-supernova/" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1018"> G1018 </a> </td> <td> <a href="/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/groups/G1018">TA2541</a> has used file names to mimic legitimate Windows files or system functionality.<span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0586"> S0586 </a> </td> <td> <a href="/software/S0586"> TAINTEDSCRIBE </a> </td> <td> <p>The <a href="/software/S0586">TAINTEDSCRIBE</a> main executable has disguised itself as Microsoft’s Narrator.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021."data-reference="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1011"> S1011 </a> </td> <td> <a href="/software/S1011"> Tarrask </a> </td> <td> <p><a href="/software/S1011">Tarrask</a> has masqueraded as executable files such as <code>winupdate.exe</code>, <code>date.exe</code>, or <code>win.exe</code>.<span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. 
Retrieved June 1, 2022."data-reference="Tarrask scheduled task"><sup><a href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0139"> G0139 </a> </td> <td> <a href="/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0560"> S0560 </a> </td> <td> <a href="/software/S0560"> TEARDROP </a> </td> <td> <p><a href="/software/S0560">TEARDROP</a> files had names that resembled legitimate Windows file and directory names.<span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a></sup></span><span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). 
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0595"> S0595 </a> </td> <td> <a href="/software/S0595"> ThiefQuest </a> </td> <td> <p><a href="/software/S0595">ThiefQuest</a> prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021."data-reference="wardle evilquest partii"><sup><a href="https://objective-see.com/blog/blog_0x60.html" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a></sup></span><span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021."data-reference="reed thiefquest ransomware analysis"><sup><a href="https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0665"> S0665 </a> </td> <td> <a href="/software/S0665"> ThreatNeedle </a> </td> <td> <p><a href="/software/S0665">ThreatNeedle</a> chooses its payload creation path from a randomly selected service name from netsvc.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). 
Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0668"> S0668 </a> </td> <td> <a href="/software/S0668"> TinyTurla </a> </td> <td> <p><a href="/software/S0668">TinyTurla</a> has been deployed as <code>w64time.dll</code> to appear legitimate.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021."data-reference="Talos TinyTurla September 2021"><sup><a href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1022"> G1022 </a> </td> <td> <a href="/groups/G1022"> ToddyCat </a> </td> <td> <p><a href="/groups/G1022">ToddyCat</a> has used the name <code>debug.exe</code> for malware components.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022"><sup><a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0134"> G0134 </a> </td> <td> <a href="/groups/G0134"> Transparent Tribe </a> </td> <td> <p><a href="/groups/G0134">Transparent Tribe</a> can mimic legitimate Windows directories by using the same icons and names.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. 
Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020"><sup><a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0030"> C0030 </a> </td> <td> <a href="/campaigns/C0030"> Triton Safety Instrumented System Attack </a> </td> <td> <p>In the <a href="https://attack.mitre.org/campaigns/C0030">Triton Safety Instrumented System Attack</a>, <a href="/groups/G0088">TEMP.Veles</a> renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.</p> </td> </tr> <tr> <td> <a href="/groups/G0081"> G0081 </a> </td> <td> <a href="/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/groups/G0081">Tropic Trooper</a> has hidden payloads in Flash directories and fake installer files.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020"><sup><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p><a href="/groups/G0010">Turla</a> has named components of <a href="/software/S1141">LunarWeb</a> to mimic Zabbix agent logs.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. 
Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0386"> S0386 </a> </td> <td> <a href="/software/S0386"> Ursnif </a> </td> <td> <p><a href="/software/S0386">Ursnif</a> has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019."data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0136"> S0136 </a> </td> <td> <a href="/software/S0136"> USBStealer </a> </td> <td> <p><a href="/software/S0136">USBStealer</a> mimics a legitimate Russian program called USB Disk Security.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. 
Retrieved January 4, 2017."data-reference="ESET Sednit USBStealer 2014"><sup><a href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/groups/G1017">Volt Typhoon</a> has used legitimate looking filenames for compressed copies of the ntds.dit database and used names including cisco_up.exe, cl64.exe, vm3dservice.exe, watchdogd.exe, Win.exe, WmiPreSV.exe, and WmiPrvSE.exe for the Earthworm and Fast Reverse Proxy tools.<span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023."data-reference="Joint Cybersecurity Advisory Volt Typhoon June 2023"><sup><a href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a></sup></span><span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023."data-reference="Secureworks BRONZE SILHOUETTE May 2023"><sup><a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a></sup></span><span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. 
Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0107"> G0107 </a> </td> <td> <a href="/groups/G0107"> Whitefly </a> </td> <td> <p><a href="/groups/G0107">Whitefly</a> has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.<span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" title="Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020."data-reference="Symantec Whitefly March 2019"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0141"> S0141 </a> </td> <td> <a href="/software/S0141"> Winnti for Windows </a> </td> <td> <p>A <a href="/software/S0141">Winnti for Windows</a> implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.<span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. 
Retrieved February 8, 2017."data-reference="Microsoft Winnti Jan 2017"><sup><a href="https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0090"> G0090 </a> </td> <td> <a href="/groups/G0090"> WIRTE </a> </td> <td> <p><a href="/groups/G0090">WIRTE</a> has named a first stage dropper <code>Kaspersky Update Agent</code> in order to appear legitimate.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" title="Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022."data-reference="Kaspersky WIRTE November 2021"><sup><a href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0086"> S0086 </a> </td> <td> <a href="/software/S0086"> ZLib </a> </td> <td> <p><a href="/software/S0086">ZLib</a> mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1045"> M1045 </a> </td> <td> <a href="/mitigations/M1045"> Code Signing </a> </td> <td> <p>Require signed binaries and images.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1038"> M1038 </a> </td> <td> <a href="/mitigations/M1038"> Execution Prevention </a> </td> <td> <p>Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.</p> </td> </tr> <tr> <td> <a href="/mitigations/M1022"> M1022 </a> </td> <td> <a href="/mitigations/M1022"> Restrict File and Directory Permissions </a> </td> <td> <p>Use file system access controls to protect folders such as C:\Windows\System32.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Metadata">File Metadata</a> </td> <td> 
<p>Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.</p> </td> </tr> <tr class="datasource" id="uses-DS0007"> <td> <a href="/datasources/DS0007">DS0007</a> </td> <td class="nowrap"> <a href="/datasources/DS0007">Image</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0007/#Image%20Metadata">Image Metadata</a> </td> <td> <p>In containerized environments, use image IDs and layer hashes to compare images instead of relying only on their names.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" title="Docker. (n.d.). Docker Images. Retrieved April 6, 2021."data-reference="Docker Images"><sup><a href="https://docs.docker.com/engine/reference/commandline/images/" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a></sup></span> Monitor for the unexpected creation of new resources within your cluster in Kubernetes, especially those created by atypical users.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly executed processes that may match or approximate the name or location of legitimate files or resources when naming/placing them. Look for mismatches between process names and their image paths. Malware authors often use this technique to hide malicious executables behind legitimate Windows executable names (e.g.
lsass.exe, svchost.exe, etc.). There are several sub-techniques, but this analytic focuses on <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> only.</p><p>Note: With process monitoring, hunt for processes matching these criteria:</p><ul><li>process name is svchost.exe, smss.exe, wininit.exe, taskhost.exe, etc.</li><li>process path is not C:\Windows\System32\ or C:\Windows\SysWow64\</li></ul><p>Examples (true positive): C:\Users\administrator\svchost.exe</p><p>To make sure the rule does not miss cases where the executable is started from a sub-folder of these locations, the entire process path is checked. The example below should be considered suspicious: C:\Windows\System32\srv\svchost.exe</p><p>Analytic 1 - Common Windows Process Masquerading</p><p><code>((source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688")) AND ( (Image=svchost.exe AND (image_path!="C:\Windows\System32\svchost.exe" OR process_path!="C:\Windows\SysWow64\svchost.exe")) OR (Image="*smss.exe" AND image_path!="C:\Windows\System32\smss.exe") OR (Image="wininit.exe" AND image_path!="C:\Windows\System32\wininit.exe") OR (Image="taskhost.exe" AND image_path!="C:\Windows\System32\taskhost.exe") OR (Image="lsass.exe" AND image_path!="C:\Windows\System32\lsass.exe") OR (Image="winlogon.exe" AND image_path!="C:\Windows\System32\winlogon.exe") OR (Image="csrss.exe" AND image_path!="C:\Windows\System32\csrss.exe") OR (Image="services.exe" AND image_path!="C:\Windows\System32\services.exe") OR (Image="lsm.exe" AND image_path!="C:\Windows\System32\lsm.exe") OR (Image="explorer.exe" AND image_path!="C:\Windows\explorer.exe") )</code></p><p>Note that the svchost.exe clause joins its two path tests with OR, so every svchost.exe satisfies at least one of them; the stated criterion (a path that is neither C:\Windows\System32\ nor C:\Windows\SysWow64\) requires AND.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Metadata"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Metadata">Process Metadata</a> </td> <td> <p>Collecting and comparing disk and resource filenames for binaries by
looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank"> Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank"> FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. 
</a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.mandiant.com/sites/default/files/2021-09/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/" target="_blank"> Guerrero-Saade, J. (2021, June 1). 
NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.mandiant.com/resources/blog/apt29-continues-targeting-microsoft" target="_blank"> Douglas Bienstock. (2022, August 18). You Can’t Audit Me: APT29 Continues Targeting Microsoft 365. Retrieved February 23, 2023. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/" target="_blank"> Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank"> Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. 
</a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank"> Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank"> CrowdStrike. (2023). 
2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank"> Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/" target="_blank"> M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank"> Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank"> Levene, B. et al.. (2018, March 7). 
Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.crowdstrike.com/blog/wizard-spider-adversary-update/" target="_blank"> Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://research.checkpoint.com/2022/black-basta-and-the-unnoticed-delivery/" target="_blank"> Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023. 
</a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank"> Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056" target="_blank"> Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022. 
</a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank"> Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank"> Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank"> Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank"> Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. 
</a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf" target="_blank"> Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank"> Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. 
</a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware" target="_blank"> Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. 
</a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/" target="_blank"> Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank"> TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/" target="_blank"> Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021. 
</a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan" target="_blank"> DiMaggio, J. (2016, April 28). Tick cyberespionage group zeros in on Japan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank"> Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank"> ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. 
</a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank"> Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" target="_blank"> Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank"> Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank"> US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. 
</a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://cybersecurity.att.com/blogs/security-essentials/the-felismus-rat-powerful-threat-mysterious-purpose" target="_blank"> Julia Kisielius. (2017, April 25). The Felismus RAT: Powerful Threat, Mysterious Purpose. Retrieved January 10, 2024. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 
</a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank"> Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank"> Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://vms.drweb.com/virus/?i=4276269" target="_blank"> Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. 
</a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/" target="_blank"> Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank"> Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.crowdstrike.com/blog/observations-from-the-stellarparticle-campaign/" target="_blank"> CrowdStrike. (2022, January 27). 
Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank"> Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://objective-see.com/blog/blog_0x68.html" target="_blank"> Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.glitch-cat.com/blog/green-lambert-and-attack" target="_blank"> Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank"> ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022. 
</a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa22-264a" target="_blank"> CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank"> Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html" target="_blank"> Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank"> CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. 
</a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.trendmicro.com/en_us/research/22/l/icedid-botnet-distributors-abuse-google-ppc-to-distribute-malware.html" target="_blank"> Kenefick, I. (2022, December 23). IcedID Botnet Distributors Abuse Google PPC to Distribute Malware. Retrieved July 24, 2024. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank"> Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank"> SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank"> ASERT Team. (2018, April 04). 
Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. 
et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.malwarebytes.com/blog/threat-intelligence/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor" target="_blank"> Hossein Jazi. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved January 10, 2024. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.securityweek.com/new-lazyscripter-hacking-group-targets-airlines/" target="_blank"> Ionut Arghire. (2021, February 24). New ‘LazyScripter’ Hacking Group Targets Airlines. Retrieved January 10, 2024. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank"> Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. 
</a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank"> USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank"> Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank"> Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://securelist.com/apt-luminousmoth/103332/" target="_blank"> Lechtik, M., et al. (2021, July 14). 
LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="105"> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://securelist.com/el-machete/66108/" target="_blank"> Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank"> kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. 
</a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank"> Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://www.justice.gov/opa/page/file/1122671/download" target="_blank"> US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 
</a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank"> Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"> ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://technet.microsoft.com/en-us/library/cc759136(v=ws.10).aspx" target="_blank"> Microsoft. (2011, January 12). Distributed Transaction Coordinator. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al. (2018, March 13). 
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"> Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank"> Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank"> Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank"> Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024. 
</a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank"> Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. 
</a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank"> Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). 
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" target="_blank"> Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. 
</a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/" target="_blank"> Long, Joshua. (2018, February 21). OSX/Shlayer: New Mac malware comes out of its shell. Retrieved August 28, 2019. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank"> Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. 
</a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank"> Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank"> Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european" target="_blank"> Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank"> hasherezade. (2016, April 11). 
No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank"> Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. 
</a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank"> CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 
</a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank"> Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank"> Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). 
Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank"> Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank"> Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank"> Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://www.computerweekly.com/news/450302128/Strider-cyber-attack-group-deploying-malware-for-espionage" target="_blank"> Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). 
The ProjectSauron APT. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank"> Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank"> Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/" target="_blank"> Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. 
</a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://securelist.com/toddycat/106799/" target="_blank"> Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. 
</a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19" target="_blank"> Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank"> Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank"> Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank"> NCSC GCHQ. 
(2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank"> Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank"> MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank"> Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. 
</a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank"> Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank"> Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank"> CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/" target="_blank"> Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://unit42.paloaltonetworks.com/solarstorm-supernova/" target="_blank"> Tennis, M. (2020, December 17). 
SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank"> Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank"> Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 
</a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://objective-see.com/blog/blog_0x60.html" target="_blank"> Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/" target="_blank"> Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank"> Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 
</a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank"> Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank"> Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank"> Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. 
</a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank"> NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank"> Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" target="_blank"> Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. 
</a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/" target="_blank"> Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank"> Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://docs.docker.com/engine/reference/commandline/images/" target="_blank"> Docker. (n.d.). Docker Images. Retrieved April 6, 2021. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy 