Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Sub-technique T1547.001 - Enterprise | MITRE ATT&CK&reg;</title> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row flex-grow-1 flex-shrink-0"> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Boot or Logon Autostart Execution:</span> 
Registry Run Keys / Startup Folder </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Boot or Logon Autostart Execution (14)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td class="active"> T1547.001 </td> <td class="active"> Registry Run Keys / Startup Folder </td> </tr> <tr> <td> <a href="/techniques/T1547/002/" class="subtechnique-table-item" data-subtechnique_id="T1547.002"> T1547.002 </a> </td> <td> <a href="/techniques/T1547/002/" class="subtechnique-table-item" data-subtechnique_id="T1547.002"> Authentication Package </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/003/" class="subtechnique-table-item" data-subtechnique_id="T1547.003"> T1547.003 </a> </td> <td> <a href="/techniques/T1547/003/" class="subtechnique-table-item" data-subtechnique_id="T1547.003"> Time Providers </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/004/" class="subtechnique-table-item" data-subtechnique_id="T1547.004"> T1547.004 </a> </td> <td> <a href="/techniques/T1547/004/" class="subtechnique-table-item" data-subtechnique_id="T1547.004"> Winlogon Helper DLL </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/005/" class="subtechnique-table-item" data-subtechnique_id="T1547.005"> T1547.005 </a> </td> <td> <a href="/techniques/T1547/005/" class="subtechnique-table-item" data-subtechnique_id="T1547.005"> Security Support Provider </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/006/" class="subtechnique-table-item" 
data-subtechnique_id="T1547.006"> T1547.006 </a> </td> <td> <a href="/techniques/T1547/006/" class="subtechnique-table-item" data-subtechnique_id="T1547.006"> Kernel Modules and Extensions </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/007/" class="subtechnique-table-item" data-subtechnique_id="T1547.007"> T1547.007 </a> </td> <td> <a href="/techniques/T1547/007/" class="subtechnique-table-item" data-subtechnique_id="T1547.007"> Re-opened Applications </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/008/" class="subtechnique-table-item" data-subtechnique_id="T1547.008"> T1547.008 </a> </td> <td> <a href="/techniques/T1547/008/" class="subtechnique-table-item" data-subtechnique_id="T1547.008"> LSASS Driver </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/009/" class="subtechnique-table-item" data-subtechnique_id="T1547.009"> T1547.009 </a> </td> <td> <a href="/techniques/T1547/009/" class="subtechnique-table-item" data-subtechnique_id="T1547.009"> Shortcut Modification </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/010/" class="subtechnique-table-item" data-subtechnique_id="T1547.010"> T1547.010 </a> </td> <td> <a href="/techniques/T1547/010/" class="subtechnique-table-item" data-subtechnique_id="T1547.010"> Port Monitors </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/012/" class="subtechnique-table-item" data-subtechnique_id="T1547.012"> T1547.012 </a> </td> <td> <a href="/techniques/T1547/012/" class="subtechnique-table-item" data-subtechnique_id="T1547.012"> Print Processors </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/013/" class="subtechnique-table-item" data-subtechnique_id="T1547.013"> T1547.013 </a> </td> <td> <a href="/techniques/T1547/013/" class="subtechnique-table-item" data-subtechnique_id="T1547.013"> XDG Autostart Entries </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/014/" class="subtechnique-table-item" data-subtechnique_id="T1547.014"> T1547.014 </a> </td> <td> <a href="/techniques/T1547/014/" 
class="subtechnique-table-item" data-subtechnique_id="T1547.014"> Active Setup </a> </td> </tr> <tr> <td> <a href="/techniques/T1547/015/" class="subtechnique-table-item" data-subtechnique_id="T1547.015"> T1547.015 </a> </td> <td> <a href="/techniques/T1547/015/" class="subtechnique-table-item" data-subtechnique_id="T1547.015"> Login Items </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024."data-reference="Microsoft Run Key"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> These programs will be executed under the context of the user and will have the account's associated permissions level.</p><p>The following run keys are created by default on Windows systems:</p><ul><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code></li><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code></li><li><code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code></li><li><code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code></li></ul><p>Run keys may exist under multiple hives.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. 
Retrieved August 3, 2020."data-reference="Microsoft Wow6432Node 2018"><sup><a href="https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020."data-reference="Malwarebytes Wow6432Node 2016"><sup><a href="https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> key is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024."data-reference="Microsoft Run Key"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. 
Retrieved June 29, 2018."data-reference="Oddvar Moe RunOnceEx Mar 2018"><sup><a href="https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p><p>Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>.</p><p>The following Registry keys can be used to set startup folder items for persistence:</p><ul><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code></li><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code></li><li><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code></li><li><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code></li></ul><p>The following Registry keys can control automatic startup of services during boot:</p><ul><li><code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code></li><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code></li><li><code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code></li><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code></li></ul><p>Using policy settings to specify startup programs creates corresponding values in either of two Registry 
keys:</p><ul><li><code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code></li><li><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code></li></ul><p>Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run automatically for the currently logged-on user.</p><p>By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.</p><p>Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. 
Adversaries may also use <a href="/techniques/T1036">Masquerading</a> to make the Registry entries look as if they are associated with legitimate programs.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1547.001 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/techniques/T1547">T1547</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/tactics/TA0003">Persistence</a>, <a href="/tactics/TA0004">Privilege Escalation</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The lowest level of permissions the adversary is required to be operating within to perform the (sub-)technique on a system">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Permissions Required:&nbsp;</span>Administrator, User </div> </div> 
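<p>As an added example (not part of the ATT&amp;CK page or of any vendor's tooling), the following Python triages Sysmon-style registry value-set and file-create records against the autostart locations listed in the description: it folds the hive spellings Sysmon emits (<code>HKU\&lt;SID&gt;</code>, <code>Wow6432Node</code>, <code>ControlSet001</code>) onto the paths above, treats <code>RunOnceEx\0001\Depend</code> as part of the RunOnceEx subtree, flags only the <code>Startup</code>/<code>Common Startup</code> values of the Shell Folders keys, and reports <code>BootExecute</code> only when it departs from <code>autocheck autochk *</code>. The record layout, the SID, and every file name and path in the sample records are constructed.</p>

```python
"""Triage helper for the T1547.001 autostart locations listed above: flags Sysmon
Event ID 13 (RegistryEvent: Value Set) and Event ID 11 (FileCreate) records that
land in them.  The sample records at the bottom are CONSTRUCTED, not real telemetry."""
import re
from collections import namedtuple
from typing import Optional

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}
# Sysmon records per-user keys as HKU\<SID>\...; fold them onto HKEY_CURRENT_USER.
_USER_SID = re.compile(r"^HKEY_USERS\\S-1-5-21-[\d-]+(?:_Classes)?\\", re.I)
# 32-bit redirected view of the registry (the "multiple hives" in the description).
_WOW64 = re.compile(r"\\Wow6432Node\\", re.I)
# Either spelling of the active control set must reach the BootExecute rule.
_CONTROLSET = re.compile(r"\\System\\ControlSet\d{3}\\", re.I)
# Key paths from the description, relative to the hive.  Each is matched as a
# subtree, so ...\RunOnceEx\0001\Depend\<n> (DLL load at logon) is caught too.
RUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnceEx",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows\CurrentVersion\RunServicesOnce",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
)
# Only the Startup / Common Startup values of these keys relocate the Startup folder.
SHELL_FOLDER_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders",
)
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"
BOOTEXECUTE_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager"
BOOTEXECUTE_DEFAULT = "autocheck autochk *"
STARTUP_FOLDER = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\[^\\]+$", re.I)
Finding = namedtuple("Finding", "category image target details")


def normalise(target: str) -> str:
    """Long hive name, HKU\\<SID> -> HKCU, Wow6432Node dropped, ControlSetNNN -> CurrentControlSet."""
    hive, _, rest = target.partition("\\")
    path = HIVES.get(hive.upper(), hive.upper()) + "\\" + rest
    path = _USER_SID.sub(r"HKEY_CURRENT_USER\\", path)
    path = _WOW64.sub(r"\\", path)
    return _CONTROLSET.sub(r"\\System\\CurrentControlSet\\", path)


def classify_registry(target: str, details: str) -> Optional[str]:
    """Autostart category of a value-set event, or None if it is benign."""
    key, _, value = normalise(target).rpartition("\\")
    k, v = key.lower(), value.lower()
    for hive in ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER"):
        for rel in RUN_KEYS:
            full = f"{hive}\\{rel}".lower()
            if k == full or k.startswith(full + "\\"):
                return "run-key"
        for rel in SHELL_FOLDER_KEYS:
            if k == f"{hive}\\{rel}".lower() and v in ("startup", "common startup"):
                return "startup-folder-redirect"
    if k == LOAD_KEY.lower() and v == "load":
        return "load-value"
    # BootExecute is only interesting when it departs from its default multistring.
    if k == BOOTEXECUTE_KEY.lower() and v == "bootexecute" and details.strip() != BOOTEXECUTE_DEFAULT:
        return "bootexecute"
    return None


def triage(events) -> list:
    """Run every record through the rules; findings come back in input order."""
    findings = []
    for ev in events:
        cat = None
        if ev["id"] == 13:
            cat = classify_registry(ev["target"], ev.get("details", ""))
        elif ev["id"] == 11 and STARTUP_FOLDER.search(ev["target"]):
            cat = "startup-folder-drop"
        if cat:
            findings.append(Finding(cat, ev["image"], ev["target"], ev.get("details", "")))
    return findings


SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed user SID
APP, DROPPER = r"C:\Program Files\Example\app.exe", r"C:\Users\alice\Downloads\invoice.exe"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": 13, "image": APP, "target": r"HKLM\SOFTWARE\Example\Settings\Theme", "details": "dark"},
    {"id": 13, "image": DROPPER, "details": r"C:\Users\alice\AppData\Roaming\svc\updater.exe",
     "target": "HKU\\" + SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 13, "image": r"C:\Windows\System32\reg.exe", "details": r"C:\temp\example.dll",
     "target": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend\1"},
    {"id": 13, "image": DROPPER, "details": r"C:\Users\alice\AppData\Roaming\x",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Startup"},
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe", "details": "autocheck autochk *",
     "target": r"HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute"},
    {"id": 13, "image": DROPPER, "details": "autocheck autochk *\r\nC:\\Windows\\Temp\\boot.exe",
     "target": r"HKLM\System\ControlSet001\Control\Session Manager\BootExecute"},
    {"id": 13, "image": DROPPER, "details": r"C:\Users\alice\AppData\Roaming\l.exe",
     "target": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load"},
    {"id": 11, "image": DROPPER,
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\helper.lnk"},
    {"id": 11, "image": APP, "target": r"C:\Users\alice\Documents\report.docx"},
]
```

<p>Running <code>triage(SAMPLE_EVENTS)</code> yields six findings: the two Run-key writes (including the RunOnceEx Depend entry under Wow6432Node), the Startup-folder redirect, the modified BootExecute, the <code>load</code> value, and the file dropped into the all-users Startup folder; the benign settings write, the default BootExecute and the document in Documents are not reported.</p>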
<div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Dray Agha, @Purp1eW0lf, Huntress Labs; Harun Küßner; Oddvar Moe, @oddvarmoe </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>2.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>23 January 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>12 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1547.001" href="/versions/v16/techniques/T1547/001/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1547.001" href="/versions/v16/techniques/T1547/001/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0045"> S0045 </a> </td> <td> <a href="/software/S0045"> ADVSTORESHELL </a> </td> <td> <p><a href="/software/S0045">ADVSTORESHELL</a> achieves persistence by adding itself to the <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> Registry key.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" 
title="Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015."data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0331"> S0331 </a> </td> <td> <a href="/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/software/S0331">Agent Tesla</a> can add itself to the Registry as a startup program to establish persistence.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. 
Retrieved November 5, 2018."data-reference="Fortinet Agent Tesla April 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020."data-reference="SentinelLabs Agent Tesla Aug 2020"><sup><a href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1025"> S1025 </a> </td> <td> <a href="/software/S1025"> Amadey </a> </td> <td> <p><a href="/software/S1025">Amadey</a> has changed the Startup folder to the one containing its executable by overwriting the registry keys.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. 
Retrieved July 14, 2022."data-reference="BlackBerry Amadey 2020"><sup><a href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1074"> S1074 </a> </td> <td> <a href="/software/S1074"> ANDROMEDA </a> </td> <td> <p><a href="/software/S1074">ANDROMEDA</a> can establish persistence by dropping a sample of itself to <code>C:\ProgramData\Local Settings\Temp\mskmde.com</code> and adding a Registry run key to execute every time a user logs on.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023"><sup><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0622"> S0622 </a> </td> <td> <a href="/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/software/S0622">AppleSeed</a> has the ability to create the Registry key name <code>EstsoftAutoUpdate</code> at <code>HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> to establish persistence.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. 
Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0026"> G0026 </a> </td> <td> <a href="/groups/G0026"> APT18 </a> </td> <td> <p><a href="/groups/G0026">APT18</a> establishes persistence via the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> key.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018."data-reference="Anomali Evasive Maneuvers July 2015"><sup><a href="https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. 
Retrieved November 15, 2018."data-reference="PaloAlto DNS Requests May 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0073"> G0073 </a> </td> <td> <a href="/groups/G0073"> APT19 </a> </td> <td> <p>An <a href="/groups/G0073">APT19</a> HTTP malware variant establishes persistence by setting the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\</code>.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018."data-reference="Unit 42 C0d0so0 Jan 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has deployed malware that has copied itself to the startup directory for persistence.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. 
Retrieved January 13, 2021."data-reference="TrendMicro Pawn Storm Dec 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0016"> G0016 </a> </td> <td> <a href="/groups/G0016"> APT29 </a> </td> <td> <p><a href="/groups/G0016">APT29</a> added Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p><a href="/groups/G0022">APT3</a> places scripts in the startup folder for persistence.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016."data-reference="FireEye Operation Double Tap"><sup><a href="https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <p><a href="/groups/G0050">APT32</a> established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Dahan, A. (2017, May 24). 
OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018."data-reference="Cybereason Oceanlotus May 2017"><sup><a href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019."data-reference="ESET OceanLotus Mar 2019"><sup><a href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0064"> G0064 </a> </td> <td> <a href="/groups/G0064"> APT33 </a> </td> <td> <p><a href="/groups/G0064">APT33</a> has deployed a tool known as <a href="/software/S0334">DarkComet</a> to the Startup folder of a victim, and used Registry run keys to gain persistence.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. 
Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020."data-reference="Microsoft Holmium June 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0067"> G0067 </a> </td> <td> <a href="/groups/G0067"> APT37 </a> </td> <td> <p><a href="/groups/G0067">APT37</a> has added persistence via the Registry key <code>HKCU\Software\Microsoft\CurrentVersion\Run\</code>.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. 
Retrieved May 21, 2018."data-reference="Talos Group123"><sup><a href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0087"> G0087 </a> </td> <td> <a href="/groups/G0087"> APT39 </a> </td> <td> <p><a href="/groups/G0087">APT39</a> has maintained persistence using the startup folder.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."data-reference="FireEye APT39 Jan 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> created and modified startup files for persistence.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. 
Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021"><sup><a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span> <a href="/groups/G0096">APT41</a> added a registry key in <code>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost</code> to establish persistence for <a href="/software/S0154">Cobalt Strike</a>.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."data-reference="FireEye APT41 March 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0456"> S0456 </a> </td> <td> <a href="/software/S0456"> Aria-body </a> </td> <td> <p><a href="/software/S0456">Aria-body</a> has established persistence via the Startup folder or Run Registry key.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0373"> S0373 </a> </td> <td> <a href="/software/S0373"> Astaroth </a> </td> <td> <p><a href="/software/S0373">Astaroth</a> creates a startup item for persistence. <span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. 
Retrieved September 25, 2024."data-reference="Cofense Astaroth Sept 2018"><sup><a href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1029"> S1029 </a> </td> <td> <a href="/software/S1029"> AuTo Stealer </a> </td> <td> <p><a href="/software/S1029">AuTo Stealer</a> can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0640"> S0640 </a> </td> <td> <a href="/software/S0640"> Avaddon </a> </td> <td> <p><a href="/software/S0640">Avaddon</a> uses registry run keys for persistence.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. 
Retrieved August 19, 2021."data-reference="Arxiv Avaddon Feb 2021"><sup><a href="https://arxiv.org/pdf/2102.04796.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1053"> S1053 </a> </td> <td> <a href="/software/S1053"> AvosLocker </a> </td> <td> <p><a href="/software/S1053">AvosLocker</a> has been executed via the <code>RunOnce</code> Registry key to run itself on safe mode.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023."data-reference="Trend Micro AvosLocker Apr 2022"><sup><a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0414"> S0414 </a> </td> <td> <a href="/software/S0414"> BabyShark </a> </td> <td> <p><a href="/software/S0414">BabyShark</a> has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019."data-reference="Unit42 BabyShark Feb 2019"><sup><a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. 
Retrieved November 4, 2020."data-reference="CISA AA20-301A Kimsuky"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0093"> S0093 </a> </td> <td> <a href="/software/S0093"> Backdoor.Oldrea </a> </td> <td> <p><a href="/software/S0093">Backdoor.Oldrea</a> adds Registry Run keys to achieve persistence.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0031"> S0031 </a> </td> <td> <a href="/software/S0031"> BACKSPACE </a> </td> <td> <p><a href="/software/S0031">BACKSPACE</a> achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. 
Retrieved May 1, 2015."data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0128"> S0128 </a> </td> <td> <a href="/software/S0128"> BADNEWS </a> </td> <td> <p><a href="/software/S0128">BADNEWS</a> installs a registry Run key to establish persistence.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0337"> S0337 </a> </td> <td> <a href="/software/S0337"> BadPatch </a> </td> <td> <p><a href="/software/S0337">BadPatch</a> establishes a foothold by adding a link to the malware executable in the startup folder.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018."data-reference="Unit 42 BadPatch Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0534"> S0534 </a> </td> <td> <a href="/software/S0534"> Bazar </a> </td> <td> <p><a href="/software/S0534">Bazar</a> can create or add files to Registry Run Keys to establish persistence.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. 
Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020."data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0127"> S0127 </a> </td> <td> <a href="/software/S0127"> BBSRAT </a> </td> <td> <p><a href="/software/S0127">BBSRAT</a> has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe</code>.</p> </td> </tr> <tr> <td> <a href="/software/S0268"> S0268 </a> </td> <td> <a href="/software/S0268"> Bisonal </a> </td> <td> <p><a href="/software/S0268">Bisonal</a> has added itself to the Registry key <code>HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\</code> for persistence.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018."data-reference="Unit 42 Bisonal July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. 
Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020"><sup><a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0570"> S0570 </a> </td> <td> <a href="/software/S0570"> BitPaymer </a> </td> <td> <p><a href="/software/S0570">BitPaymer</a> has set the run key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021."data-reference="Crowdstrike Indrik November 2018"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0089"> S0089 </a> </td> <td> <a href="/software/S0089"> BlackEnergy </a> </td> <td> <p>The <a href="/software/S0089">BlackEnergy</a> 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. 
Retrieved March 24, 2016."data-reference="F-Secure BlackEnergy 2014"><sup><a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0635"> S0635 </a> </td> <td> <a href="/software/S0635"> BoomBox </a> </td> <td> <p><a href="/software/S0635">BoomBox</a> can establish persistence by writing the Registry value <code>MicroNativeCacheSvc</code> to <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0204"> S0204 </a> </td> <td> <a href="/software/S0204"> Briba </a> </td> <td> <p><a href="/software/S0204">Briba</a> creates run key Registry entries pointing to malicious DLLs dropped to disk.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Ladley, F. (2012, May 15). Backdoor.Briba. 
Retrieved February 21, 2018."data-reference="Symantec Briba May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0060"> G0060 </a> </td> <td> <a href="/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/groups/G0060">BRONZE BUTLER</a> has used a batch script that adds a Registry Run key to establish malware persistence.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0471"> S0471 </a> </td> <td> <a href="/software/S0471"> build_downer </a> </td> <td> <p><a href="/software/S0471">build_downer</a> has the ability to add itself to the Registry Run key for persistence.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0030"> S0030 </a> </td> <td> <a href="/software/S0030"> Carbanak </a> </td> <td> <p><a href="/software/S0030">Carbanak</a> stores configuration files in the startup directory to automatically execute commands in order to persist across reboots.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018."data-reference="FireEye CARBANAK June 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0484"> S0484 </a> </td> <td> <a href="/software/S0484"> Carberp </a> </td> <td> <p><a href="/software/S0484">Carberp</a> has maintained persistence by placing itself inside the current user's startup folder.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. 
Retrieved September 12, 2024."data-reference="Prevx Carberp March 2011"><sup><a href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0348"> S0348 </a> </td> <td> <a href="/software/S0348"> Cardinal RAT </a> </td> <td> <p><a href="/software/S0348">Cardinal RAT</a> establishes persistence by setting the <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load</code> Registry key to point to its executable.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018."data-reference="PaloAlto CardinalRat Apr 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0631"> S0631 </a> </td> <td> <a href="/software/S0631"> Chaes </a> </td> <td> <p><a href="/software/S0631">Chaes</a> has added persistence via the Registry key <code>software\microsoft\windows\currentversion\run\microsoft windows html help</code>.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. 
Retrieved June 30, 2021."data-reference="Cybereason Chaes Nov 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0144"> S0144 </a> </td> <td> <a href="/software/S0144"> ChChes </a> </td> <td> <p><a href="/software/S0144">ChChes</a> establishes persistence by adding a Registry Run key.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1041"> S1041 </a> </td> <td> <a href="/software/S1041"> Chinoxy </a> </td> <td> <p><a href="/software/S1041">Chinoxy</a> has established persistence via the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> registry key and by loading a dropper to <code>(%COMMON_ STARTUP%\\eoffice.exe)</code>.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. 
Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0660"> S0660 </a> </td> <td> <a href="/software/S0660"> Clambling </a> </td> <td> <p><a href="/software/S0660">Clambling</a> can establish persistence by adding a Registry run key.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021."data-reference="Talent-Jump Clambling February 2020"><sup><a href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0080"> G0080 </a> </td> <td> <a href="/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/groups/G0080">Cobalt Group</a> has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Matveeva, V. (2017, August 15). Secrets of Cobalt. 
Retrieved October 10, 2018."data-reference="Group IB Cobalt Aug 2017"><sup><a href="https://www.group-ib.com/blog/cobalt" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0338"> S0338 </a> </td> <td> <a href="/software/S0338"> Cobian RAT </a> </td> <td> <p><a href="/software/S0338">Cobian RAT</a> creates an autostart Registry key to ensure persistence.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018."data-reference="Zscaler Cobian Aug 2017"><sup><a href="https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0244"> S0244 </a> </td> <td> <a href="/software/S0244"> Comnie </a> </td> <td> <p><a href="/software/S0244">Comnie</a> achieves persistence by adding a shortcut of itself to the startup path in the Registry.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018."data-reference="Palo Alto Comnie"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0608"> S0608 </a> </td> <td> <a href="/software/S0608"> Conficker </a> </td> <td> <p><a href="/software/S0608">Conficker</a> adds Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Trend Micro. (2014, March 18). Conficker. 
Retrieved February 18, 2021."data-reference="Trend Micro Conficker"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/conficker" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0142"> G0142 </a> </td> <td> <a href="/groups/G0142"> Confucius </a> </td> <td> <p><a href="/groups/G0142">Confucius</a> has dropped malicious files into the startup folder <code>%AppData%\Microsoft\Windows\Start Menu\Programs\Startup</code> on a compromised host in order to maintain persistence.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021."data-reference="Uptycs Confucius APT Jan 2021"><sup><a href="https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0137"> S0137 </a> </td> <td> <a href="/software/S0137"> CORESHELL </a> </td> <td> <p><a href="/software/S0137">CORESHELL</a> has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. 
Retrieved December 23, 2015."data-reference="Microsoft SIR Vol 19"><sup><a href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0046"> S0046 </a> </td> <td> <a href="/software/S0046"> CozyCar </a> </td> <td> <p>One persistence mechanism used by <a href="/software/S0046">CozyCar</a> is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: <br><code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\</code> <br><code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\</code> <br><code>HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code> <br><code>HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015."data-reference="F-Secure CozyDuke"><sup><a href="https://www.f-secure.com/documents/996508/1030745/CozyDuke" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <p><a href="/software/S0115">Crimson</a> can add Registry run keys for persistence.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. 
Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016"><sup><a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span><span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020"><sup><a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0235"> S0235 </a> </td> <td> <a href="/software/S0235"> CrossRAT </a> </td> <td> <p><a href="/software/S0235">CrossRAT</a> uses run keys for persistence on Windows.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018."data-reference="Lookout Dark Caracal Jan 2018"><sup><a href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0070"> G0070 </a> </td> <td> <a href="/groups/G0070"> Dark Caracal </a> </td> <td> <p><a href="/groups/G0070">Dark Caracal</a>'s version of <a href="/software/S0234">Bandook</a> adds a registry key to <code>HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018."data-reference="Lookout Dark Caracal Jan 2018"><sup><a href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0334"> S0334 </a> </td> <td> <a href="/software/S0334"> DarkComet </a> </td> <td> <p><a href="/software/S0334">DarkComet</a> adds several Registry entries to enable automatic execution at every system startup.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018."data-reference="TrendMicro DarkComet Sept 2014"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span><span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018."data-reference="Malwarebytes DarkComet March 2018"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1111"> S1111 </a> </td> <td> <a href="/software/S1111"> DarkGate </a> </td> <td> <p><a href="/software/S1111">DarkGate</a> installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. 
Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span> <a href="/software/S1111">DarkGate</a> installation finishes with the creation of a registry Run key.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0012"> G0012 </a> </td> <td> <a href="/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/groups/G0012">Darkhotel</a> has been known to establish persistence by adding programs to the Run Registry key.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. 
Retrieved November 12, 2014."data-reference="Kaspersky Darkhotel"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1066"> S1066 </a> </td> <td> <a href="/software/S1066"> DarkTortilla </a> </td> <td> <p><a href="/software/S1066">DarkTortilla</a> has established persistence via the <code>Software\Microsoft\Windows NT\CurrentVersion\Run</code> registry key and by creating a .lnk shortcut file in the Windows startup folder.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022."data-reference="Secureworks DarkTortilla Aug 2022"><sup><a href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1021"> S1021 </a> </td> <td> <a href="/software/S1021"> DnsSystem </a> </td> <td> <p><a href="/software/S1021">DnsSystem</a> can write itself to the Startup folder to gain persistence.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. 
Retrieved June 23, 2022."data-reference="Zscaler Lyceum DnsSystem June 2022"><sup><a href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0186"> S0186 </a> </td> <td> <a href="/software/S0186"> DownPaper </a> </td> <td> <p><a href="/software/S0186">DownPaper</a> uses PowerShell to add a Registry Run key in order to establish persistence.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017."data-reference="ClearSky Charming Kitten Dec 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0035"> G0035 </a> </td> <td> <a href="/groups/G0035"> Dragonfly </a> </td> <td> <p><a href="/groups/G0035">Dragonfly</a> has added the registry value ntdll to the Registry Run key to establish persistence.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0062"> S0062 </a> </td> <td> <a href="/software/S0062"> DustySky </a> </td> <td> <p><a href="/software/S0062">DustySky</a> achieves persistence by creating a Registry entry in <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="ClearSky. (2016, January 7). 
Operation DustySky. Retrieved January 8, 2016."data-reference="DustySky"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0081"> S0081 </a> </td> <td> <a href="/software/S0081"> Elise </a> </td> <td> <p>If establishing persistence by installation as a new service fails, one variant of <a href="/software/S0081">Elise</a> establishes persistence for the created .exe file by setting the following Registry key: <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe</code>. Other variants have set the following Registry keys for persistence: <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self]</code> and <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD</code>.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016."data-reference="Lotus Blossom Jun 2015"><sup><a href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span><span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. 
Retrieved November 14, 2018."data-reference="Accenture Dragonfish Jan 2018"><sup><a href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0082"> S0082 </a> </td> <td> <a href="/software/S0082"> Emissary </a> </td> <td> <p>Variants of <a href="/software/S0082">Emissary</a> have added Run Registry keys to establish persistence.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016."data-reference="Emissary Trojan Feb 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0367"> S0367 </a> </td> <td> <a href="/software/S0367"> Emotet </a> </td> <td> <p><a href="/software/S0367">Emotet</a> has been observed adding the downloaded payload to the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> key to maintain persistence.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019."data-reference="Symantec Emotet Jul 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span><span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. 
Retrieved March 25, 2019."data-reference="US-CERT Emotet Jul 2018"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span><span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019."data-reference="Picus Emotet Dec 2018"><sup><a href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <p><a href="/software/S0363">Empire</a> can modify the registry run keys <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0396"> S0396 </a> </td> <td> <a href="/software/S0396"> EvilBunny </a> </td> <td> <p><a href="/software/S0396">EvilBunny</a> has created Registry keys for persistence in <code>[HKLM|HKCU]\…\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. 
Retrieved June 28, 2019."data-reference="Cyphort EvilBunny Dec 2014"><sup><a href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0152"> S0152 </a> </td> <td> <a href="/software/S0152"> EvilGrab </a> </td> <td> <p><a href="/software/S0152">EvilGrab</a> adds a Registry Run key for ctfmon.exe to establish persistence.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0568"> S0568 </a> </td> <td> <a href="/software/S0568"> EVILNUM </a> </td> <td> <p><a href="/software/S0568">EVILNUM</a> can achieve persistence through the Registry Run key.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021."data-reference="ESET EvilNum July 2020"><sup><a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span><span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Adamitis, D. (2020, May 6). Phantom in the Command Shell. 
Retrieved December 22, 2021."data-reference="Prevailion EvilNum May 2020"><sup><a href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0512"> S0512 </a> </td> <td> <a href="/software/S0512"> FatDuke </a> </td> <td> <p><a href="/software/S0512">FatDuke</a> has used <code>HKLM\SOFTWARE\Microsoft\CurrentVersion\Run</code> to establish persistence.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0267"> S0267 </a> </td> <td> <a href="/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/software/S0267">FELIXROOT</a> adds a shortcut file to the startup folder for persistence.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0051"> G0051 </a> </td> <td> <a href="/groups/G0051"> FIN10 </a> </td> <td> <p><a href="/groups/G0051">FIN10</a> has established persistence by using the Registry option in PowerShell Empire to add a Run key.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. 
Retrieved June 25, 2017."data-reference="FireEye FIN10 June 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span><span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has used Windows Registry run keys such as <code>HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts</code> to maintain persistence.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0037"> G0037 </a> </td> <td> <a href="/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/groups/G0037">FIN6</a> has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. 
Retrieved June 1, 2016."data-reference="FireEye FIN6 April 2016"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0046"> G0046 </a> </td> <td> <a href="/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/groups/G0046">FIN7</a> malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017."data-reference="FireEye FIN7 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span><span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018."data-reference="FireEye FIN7 Aug 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0355"> S0355 </a> </td> <td> <a href="/software/S0355"> Final1stspy </a> </td> <td> <p><a href="/software/S0355">Final1stspy</a> creates a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. 
Retrieved November 5, 2018."data-reference="Unit 42 Nokki Oct 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0182"> S0182 </a> </td> <td> <a href="/software/S0182"> FinFisher </a> </td> <td> <p><a href="/software/S0182">FinFisher</a> establishes persistence by creating the Registry key <code>HKCU\Software\Microsoft\Windows\Run</code>.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="FinFisher. (n.d.). Retrieved September 12, 2024."data-reference="FinFisher Citation"><sup><a href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span><span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018."data-reference="Microsoft FinFisher March 2018"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0696"> S0696 </a> </td> <td> <a href="/software/S0696"> Flagpro </a> </td> <td> <p><a href="/software/S0696">Flagpro</a> has dropped an executable file to the startup directory.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. 
Retrieved March 25, 2022."data-reference="NTT Security Flagpro new December 2021"><sup><a href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0036"> S0036 </a> </td> <td> <a href="/software/S0036"> FLASHFLOOD </a> </td> <td> <p><a href="/software/S0036">FLASHFLOOD</a> achieves persistence by making an entry in the Registry's Run key.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015."data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0381"> S0381 </a> </td> <td> <a href="/software/S0381"> FlawedAmmyy </a> </td> <td> <p><a href="/software/S0381">FlawedAmmyy</a> has established persistence via the <code>HKCU\SOFTWARE\microsoft\windows\currentversion\run</code> registry key.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. 
Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1044"> S1044 </a> </td> <td> <a href="/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/software/S1044">FunnyDream</a> can use a Registry Run Key and the Startup folder to establish persistence.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0047"> G0047 </a> </td> <td> <a href="/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/groups/G0047">Gamaredon Group</a> tools have registered Run keys in the registry to give malicious VBS files persistence.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."data-reference="TrendMicro Gamaredon April 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Boutin, J. (2020, June 11). Gamaredon group grows its game. 
Retrieved June 16, 2020."data-reference="ESET Gamaredon June 2020"><sup><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span><span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022."data-reference="CERT-EE Gamaredon January 2021"><sup><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span><span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024."data-reference="unit42_gamaredon_dec2022"><sup><a href="https://unit42.paloaltonetworks.com/trident-ursa/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0168"> S0168 </a> </td> <td> <a href="/software/S0168"> Gazer </a> </td> <td> <p><a href="/software/S0168">Gazer</a> can establish persistence by creating a .lnk file in the Start menu.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017."data-reference="ESET Gazer Aug 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. 
Retrieved September 21, 2017."data-reference="Securelist WhiteBear Aug 2017"><sup><a href="https://securelist.com/introducing-whitebear/81638/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0666"> S0666 </a> </td> <td> <a href="/software/S0666"> Gelsemium </a> </td> <td> <p><a href="/software/S0666">Gelsemium</a> can set persistence with a Registry run key.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0032"> S0032 </a> </td> <td> <a href="/software/S0032"> gh0st RAT </a> </td> <td> <p><a href="/software/S0032">gh0st RAT</a> has added a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018."data-reference="Nccgroup Gh0st April 2018"><sup><a href="https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. 
Retrieved July 15, 2020."data-reference="Gh0stRAT ATT March 2019"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0249"> S0249 </a> </td> <td> <a href="/software/S0249"> Gold Dragon </a> </td> <td> <p><a href="/software/S0249">Gold Dragon</a> establishes persistence in the Startup folder.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1138"> S1138 </a> </td> <td> <a href="/software/S1138"> Gootloader </a> </td> <td> <p><a href="/software/S1138">Gootloader</a> can create an autorun entry for a PowerShell script to run at reboot.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Szappanos, G. & Brandt, A. (2021, March 1). "Gootloader" expands its payload delivery options. 
Retrieved September 30, 2022."data-reference="Sophos Gootloader"><sup><a href="https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0078"> G0078 </a> </td> <td> <a href="/groups/G0078"> Gorgon Group </a> </td> <td> <p><a href="/groups/G0078">Gorgon Group</a> malware can create a .lnk file and add a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018."data-reference="Unit 42 Gorgon Group Aug 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/software/S0531">Grandoreiro</a> can use run keys and create link files in the startup folder for persistence.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020."data-reference="IBM Grandoreiro April 2020"><sup><a href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span><span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. 
Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0417"> S0417 </a> </td> <td> <a href="/software/S0417"> GRIFFON </a> </td> <td> <p><a href="/software/S0417">GRIFFON</a> has used a persistence module that stores the implant inside the Registry, which executes at logon.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig "FIN7" continues its activities. Retrieved October 11, 2019."data-reference="SecureList Griffon May 2019"><sup><a href="https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0632"> S0632 </a> </td> <td> <a href="/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/software/S0632">GrimAgent</a> can set persistence with a Registry run key.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. 
Retrieved September 19, 2024."data-reference="Group IB GrimAgent July 2021"><sup><a href="https://www.group-ib.com/blog/grimagent/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0561"> S0561 </a> </td> <td> <a href="/software/S0561"> GuLoader </a> </td> <td> <p><a href="/software/S0561">GuLoader</a> can establish persistence via the Registry under <code>HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021."data-reference="Unit 42 NETWIRE April 2020"><sup><a href="https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0499"> S0499 </a> </td> <td> <a href="/software/S0499"> Hancitor </a> </td> <td> <p><a href="/software/S0499">Hancitor</a> has added Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020."data-reference="FireEye Hancitor"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0170"> S0170 </a> </td> <td> <a href="/software/S0170"> Helminth </a> </td> <td> <p><a href="/software/S0170">Helminth</a> establishes persistence by creating a shortcut in the Start Menu folder.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Falcone, R. and Lee, B.. (2016, May 26). 
The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017."data-reference="Palo Alto OilRig May 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1027"> S1027 </a> </td> <td> <a href="/software/S1027"> Heyoka Backdoor </a> </td> <td> <p><a href="/software/S1027">Heyoka Backdoor</a> can establish persistence with the auto start function including using the value <code>EverNoteTrayUService</code>.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0087"> S0087 </a> </td> <td> <a href="/software/S0087"> Hi-Zor </a> </td> <td> <p><a href="/software/S0087">Hi-Zor</a> creates a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. 
Retrieved March 24, 2016."data-reference="Fidelis INOCNATION"><sup><a href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0126"> G0126 </a> </td> <td> <a href="/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/groups/G0126">Higaisa</a> added a spoofed binary to the start-up folder for persistence.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021."data-reference="Malwarebytes Higaisa 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span><span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021."data-reference="Zscaler Higaisa 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0070"> S0070 </a> </td> <td> <a href="/software/S0070"> HTTPBrowser </a> </td> <td> <p><a href="/software/S0070">HTTPBrowser</a> has established persistence by setting the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> key value for <code>wdm</code> to the path of the executable. It has also used the Registry entry <code>HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe"</code> to establish persistence.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Desai, D.. (2015, August 14). 
Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016."data-reference="ZScaler Hacking Team"><sup><a href="http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span><span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016."data-reference="ThreatStream Evasion Analysis"><sup><a href="https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0483"> S0483 </a> </td> <td> <a href="/software/S0483"> IcedID </a> </td> <td> <p><a href="/software/S0483">IcedID</a> has established persistence by creating a Registry run key.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020."data-reference="IBM IcedID November 2017"><sup><a href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0100"> G0100 </a> </td> <td> <a href="/groups/G0100"> Inception </a> </td> <td> <p><a href="/groups/G0100">Inception</a> has maintained persistence by modifying Registry run key value <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\</code>.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. 
Retrieved May 8, 2020."data-reference="Kaspersky Cloud Atlas December 2014"><sup><a href="https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0259"> S0259 </a> </td> <td> <a href="/software/S0259"> InnaputRAT </a> </td> <td> <p>Some <a href="/software/S0259">InnaputRAT</a> variants establish persistence by modifying the Registry key <code>HKU\&lt;SID&gt;\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe</code>.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018."data-reference="ASERT InnaputRAT April 2018"><sup><a href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/software/S0260">InvisiMole</a> can place a .lnk file in the Startup folder to achieve persistence.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. 
Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0015"> S0015 </a> </td> <td> <a href="/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/software/S0015">Ixeshe</a> can achieve persistence by adding itself to the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> Registry key.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019."data-reference="Trend Micro IXESHE 2012"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0389"> S0389 </a> </td> <td> <a href="/software/S0389"> JCry </a> </td> <td> <p><a href="/software/S0389">JCry</a> has created payloads in the Startup directory to maintain persistence.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Lee, S. (2019, May 14). JCry Ransomware. 
Retrieved June 18, 2019."data-reference="Carbon Black JCry May 2019"><sup><a href="https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0044"> S0044 </a> </td> <td> <a href="/software/S0044"> JHUHUGIT </a> </td> <td> <p><a href="/software/S0044">JHUHUGIT</a> has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016."data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0088"> S0088 </a> </td> <td> <a href="/software/S0088"> Kasidet </a> </td> <td> <p><a href="/software/S0088">Kasidet</a> creates a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016."data-reference="Zscaler Kasidet"><sup><a href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span><span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Manuel, J. and Plantado, R.. (2015, August 9). Win32/Kasidet. 
Retrieved March 24, 2016."data-reference="Microsoft Kasidet"><sup><a href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FKasidet" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0265"> S0265 </a> </td> <td> <a href="/software/S0265"> Kazuar </a> </td> <td> <p><a href="/software/S0265">Kazuar</a> adds a sub-key under several Registry run keys.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018."data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p>Several <a href="/groups/G0004">Ke3chang</a> backdoors achieved persistence by adding a Run key.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. 
Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong"><sup><a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has placed scripts in the startup folder for persistence and modified the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> Registry key.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Tarakanov , D.. (2013, September 11). The "Kimsuky" Operation: A North Korean APT?. Retrieved August 13, 2019."data-reference="Securelist Kimsuky Sept 2013"><sup><a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020."data-reference="CISA AA20-301A Kimsuky"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020."data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span><span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). 
North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021"><sup><a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span><span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024."data-reference="KISA Operation Muzabi"><sup><a href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0250"> S0250 </a> </td> <td> <a href="/software/S0250"> Koadic </a> </td> <td> <p><a href="/software/S0250">Koadic</a> has added persistence to the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> Registry key.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0669"> S0669 </a> </td> <td> <a href="/software/S0669"> KOCTOPUS </a> </td> <td> <p><a href="/software/S0669">KOCTOPUS</a> can set the AutoRun Registry key with a PowerShell command.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. 
Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p>A version of <a href="/software/S0356">KONNI</a> has dropped a Windows shortcut into the Startup folder to establish persistence.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."data-reference="Talos Konni May 2017"><sup><a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1160"> S1160 </a> </td> <td> <a href="/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/software/S1160">Latrodectus</a> can set an AutoRun key to establish persistence.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . 
Retrieved May 31, 2024."data-reference="Latrodectus APR 2024"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span><span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016."data-reference="Novetta Blockbuster RATs"><sup><a href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. 
Retrieved February 19, 2018."data-reference="McAfee Lazarus Resurfaces Feb 2018"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span><span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022."data-reference="Lazarus APT January 2022"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0140"> G0140 </a> </td> <td> <a href="/groups/G0140"> LazyScripter </a> </td> <td> <p><a href="/groups/G0140">LazyScripter</a> has achieved persistence via writing a PowerShell script to the autorun registry key.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0065"> G0065 </a> </td> <td> <a href="/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/groups/G0065">Leviathan</a> has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. 
Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span><span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."data-reference="FireEye Periscope March 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0513"> S0513 </a> </td> <td> <a href="/software/S0513"> LiteDuke </a> </td> <td> <p><a href="/software/S0513">LiteDuke</a> can create persistence by adding a shortcut in the <code>CurrentVersion\Run</code> Registry key.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0397"> S0397 </a> </td> <td> <a href="/software/S0397"> LoJax </a> </td> <td> <p><a href="/software/S0397">LoJax</a> has modified the Registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute</code> from <code>autocheck autochk *</code> to <code>autocheck autoche *</code> in order to execute its payload during Windows startup.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019."data-reference="ESET LoJax Sept 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0582"> S0582 </a> </td> <td> <a href="/software/S0582"> LookBack </a> </td> <td> <p><a href="/software/S0582">LookBack</a> sets up a Registry Run key to establish a persistence mechanism.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Raggi, M. Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. 
Retrieved February 25, 2021."data-reference="Proofpoint LookBack Malware Aug 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0532"> S0532 </a> </td> <td> <a href="/software/S0532"> Lucifer </a> </td> <td> <p><a href="/software/S0532">Lucifer</a> can persist by setting Registry key values <code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic</code> and <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic</code>.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1014"> G1014 </a> </td> <td> <a href="/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/groups/G1014">LuminousMoth</a> has used malicious DLLs that set up persistence in the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. 
Retrieved October 20, 2022."data-reference="Kaspersky LuminousMoth July 2021"><sup><a href="https://securelist.com/apt-luminousmoth/103332/" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span><span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022."data-reference="Bitdefender LuminousMoth July 2021"><sup><a href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> used the startup folder for persistence.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019."data-reference="Securelist Machete Aug 2014"><sup><a href="https://securelist.com/el-machete/66108/" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span><span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. 
Retrieved September 13, 2019."data-reference="Cylance Machete Mar 2017"><sup><a href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span><span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span><span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0652"> S0652 </a> </td> <td> <a href="/software/S0652"> MarkiRAT </a> </td> <td> <p><a href="/software/S0652">MarkiRAT</a> can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021"><sup><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0167"> S0167 </a> </td> <td> <a href="/software/S0167"> Matryoshka </a> </td> <td> <p><a href="/software/S0167">Matryoshka</a> can establish persistence by adding Registry Run keys.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017."data-reference="ClearSky Wilted Tulip July 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span><span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. 
Retrieved September 11, 2017."data-reference="CopyKittens Nov 2015"><sup><a href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0449"> S0449 </a> </td> <td> <a href="/software/S0449"> Maze </a> </td> <td> <p><a href="/software/S0449">Maze</a> has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020."data-reference="Sophos Maze VM September 2020"><sup><a href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0500"> S0500 </a> </td> <td> <a href="/software/S0500"> MCMD </a> </td> <td> <p><a href="/software/S0500">MCMD</a> can use Registry Run Keys for persistence.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. 
Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0455"> S0455 </a> </td> <td> <a href="/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/software/S0455">Metamorfo</a> has configured persistence under the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify = %APPDATA%\Spotify\Spotify.exe</code> and used .LNK files in the startup folder to achieve persistence.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020."data-reference="Medium Metamorfo Apr 2020"><sup><a href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span><span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020."data-reference="FireEye Metamorfo Apr 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span><span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. 
Retrieved July 30, 2020."data-reference="Fortinet Metamorfo Feb 2020"><sup><a href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span><span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021."data-reference="ESET Casbaneiro Oct 2019"><sup><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1122"> S1122 </a> </td> <td> <a href="/software/S1122"> Mispadu </a> </td> <td> <p><a href="/software/S1122">Mispadu</a> creates a link in the startup folder for persistence.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024."data-reference="ESET Security Mispadu Facebook Ads 2019"><sup><a href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span> <a href="/software/S1122">Mispadu</a> adds persistence via the registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. 
Retrieved March 15, 2024."data-reference="Metabase Q Mispadu Trojan 2023"><sup><a href="https://www.metabaseq.com/mispadu-banking-trojan/" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0080"> S0080 </a> </td> <td> <a href="/software/S0080"> Mivast </a> </td> <td> <p><a href="/software/S0080">Mivast</a> creates the following Registry entry: <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia</code>.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016."data-reference="Symantec Backdoor.Mivast"><sup><a href="http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0553"> S0553 </a> </td> <td> <a href="/software/S0553"> MoleNet </a> </td> <td> <p><a href="/software/S0553">MoleNet</a> can achieve persistence on the infected machine by setting the Registry run key.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0021"> G0021 </a> </td> <td> <a href="/groups/G0021"> Molerats </a> </td> <td> <p><a href="/groups/G0021">Molerats</a> saved malicious files within the AppData and Startup folders to maintain persistence.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020."data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1026"> S1026 </a> </td> <td> <a href="/software/S1026"> Mongall </a> </td> <td> <p><a href="/software/S1026">Mongall</a> can establish persistence with the auto start function including using the value <code>EverNoteTrayUService</code>.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. 
Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1036"> G1036 </a> </td> <td> <a href="/groups/G1036"> Moonstone Sleet </a> </td> <td> <p><a href="/groups/G1036">Moonstone Sleet</a> used registry run keys for process execution during initial victim infection.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024."data-reference="Microsoft Moonstone Sleet 2024"><sup><a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0256"> S0256 </a> </td> <td> <a href="/software/S0256"> Mosquito </a> </td> <td> <p><a href="/software/S0256">Mosquito</a> establishes persistence under the Registry key <code>HKCU\Software\Run auto_update</code>.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. 
Retrieved July 3, 2018."data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0069"> G0069 </a> </td> <td> <a href="/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/groups/G0069">MuddyWater</a> has added the Registry Run key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding</code> to establish persistence.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span><span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018."data-reference="Securelist MuddyWater Oct 2018"><sup><a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a></sup></span><span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. 
Retrieved June 5, 2019."data-reference="Talos MuddyWater May 2019"><sup><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span><span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."data-reference="Reaqta MuddyWater November 2017"><sup><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span><span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span><span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. 
Retrieved June 22, 2022."data-reference="Talos MuddyWater Jan 2022"><sup><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0129"> G0129 </a> </td> <td> <a href="/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/groups/G0129">Mustang Panda</a> has created the registry key <code>HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU</code> to maintain persistence.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021."data-reference="Proofpoint TA416 November 2020"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0019"> G0019 </a> </td> <td> <a href="/groups/G0019"> Naikon </a> </td> <td> <p><a href="/groups/G0019">Naikon</a> has modified a victim's Windows Run registry to establish persistence.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0228"> S0228 </a> </td> <td> <a href="/software/S0228"> NanHaiShu </a> </td> <td> <p><a href="/software/S0228">NanHaiShu</a> modifies the %regrun% Registry to point itself to an autostart mechanism.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018."data-reference="fsecure NanHaiShu July 2016"><sup><a href="https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0336"> S0336 </a> </td> <td> <a href="/software/S0336"> NanoCore </a> </td> <td> <p><a href="/software/S0336">NanoCore</a> creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. 
Retrieved September 25, 2024."data-reference="Cofense NanoCore Mar 2018"><sup><a href="https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0247"> S0247 </a> </td> <td> <a href="/software/S0247"> NavRAT </a> </td> <td> <p><a href="/software/S0247">NavRAT</a> creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018."data-reference="Talos NavRAT May 2018"><sup><a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0630"> S0630 </a> </td> <td> <a href="/software/S0630"> Nebulae </a> </td> <td> <p><a href="/software/S0630">Nebulae</a> can achieve persistence through a Registry Run key.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0034"> S0034 </a> </td> <td> <a href="/software/S0034"> NETEAGLE </a> </td> <td> <p>The "SCOUT" variant of <a href="/software/S0034">NETEAGLE</a> achieves persistence by adding itself to the <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> Registry key.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015."data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> creates a Registry start-up entry to establish persistence.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018."data-reference="McAfee Netwire Mar 2015"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a></sup></span><span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. 
Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020"><sup><a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a></sup></span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021."data-reference="Unit 42 NETWIRE April 2020"><sup><a href="https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span><span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021."data-reference="Proofpoint NETWIRE December 2020"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0385"> S0385 </a> </td> <td> <a href="/software/S0385"> njRAT </a> </td> <td> <p><a href="/software/S0385">njRAT</a> has added persistence via the Registry key <code>HKCU\Software\Microsoft\CurrentVersion\Run\</code> and dropped a shortcut in <code>%STARTUP%</code>.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019."data-reference="Fidelis njRAT June 2013"><sup><a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span><span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="Pascual, C. (2018, November 27). 
AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019."data-reference="Trend Micro njRAT 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0353"> S0353 </a> </td> <td> <a href="/software/S0353"> NOKKI </a> </td> <td> <p><a href="/software/S0353">NOKKI</a> has established persistence by writing the payload to the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018."data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0644"> S0644 </a> </td> <td> <a href="/software/S0644"> ObliqueRAT </a> </td> <td> <p><a href="/software/S0644">ObliqueRAT</a> can gain persistence by creating a shortcut in the infected user's Startup directory.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. 
Retrieved September 2, 2021."data-reference="Talos Oblique RAT March 2021"><sup><a href="https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0340"> S0340 </a> </td> <td> <a href="/software/S0340"> Octopus </a> </td> <td> <p><a href="/software/S0340">Octopus</a> achieved persistence by placing a malicious executable in the startup directory and has added the <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> key to the Registry.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018."data-reference="Securelist Octopus Oct 2018"><sup><a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0439"> S0439 </a> </td> <td> <a href="/software/S0439"> Okrum </a> </td> <td> <p><a href="/software/S0439">Okrum</a> establishes persistence by creating a .lnk shortcut to itself in the Startup folder.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. 
Retrieved May 6, 2020."data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0022"> C0022 </a> </td> <td> <a href="/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/groups/G0032">Lazarus Group</a> placed LNK files into the victims' startup folder for persistence.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021."data-reference="McAfee Lazarus Jul 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0013"> C0013 </a> </td> <td> <a href="/campaigns/C0013"> Operation Sharpshooter </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0013">Operation Sharpshooter</a>, a first-stage downloader installed <a href="/software/S0448">Rising Sun</a> to <code>%Startup%\mssync.exe</code> on a compromised host.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. 
Retrieved May 14, 2020."data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/groups/G0040"> G0040 </a> </td> <td> <a href="/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/groups/G0040">Patchwork</a> has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016."data-reference="Cymmetria Patchwork"><sup><a href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a></sup></span><span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1145"> S1145 </a> </td> <td> <a href="/software/S1145"> Pikabot </a> </td> <td> <p><a href="/software/S1145">Pikabot</a> maintains persistence following system checks through the Run key in the registry.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. 
Retrieved July 12, 2024."data-reference="Zscaler Pikabot 2023"><sup><a href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0124"> S0124 </a> </td> <td> <a href="/software/S0124"> Pisloader </a> </td> <td> <p><a href="/software/S0124">Pisloader</a> establishes persistence via a Registry Run key.<span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016."data-reference="Palo Alto DNS Requests"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0254"> S0254 </a> </td> <td> <a href="/software/S0254"> PLAINTEE </a> </td> <td> <p><a href="/software/S0254">PLAINTEE</a> gains persistence by adding the Registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>.<span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. 
Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0013"> S0013 </a> </td> <td> <a href="/software/S0013"> PlugX </a> </td> <td> <p><a href="/software/S0013">PlugX</a> adds Run key entries in the Registry to establish persistence.<span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" title="Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015."data-reference="Lastline PlugX Analysis"><sup><a href="http://labs.lastline.com/an-analysis-of-plugx" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a></sup></span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span><span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" title="Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. 
Retrieved November 5, 2018."data-reference="CIRCL PlugX March 2013"><sup><a href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0428"> S0428 </a> </td> <td> <a href="/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/software/S0428">PoetRAT</a> has added a registry key under the Registry <code>Run</code> key for persistence.<span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020."data-reference="Talos PoetRAT April 2020"><sup><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0012"> S0012 </a> </td> <td> <a href="/software/S0012"> PoisonIvy </a> </td> <td> <p><a href="/software/S0012">PoisonIvy</a> creates run key Registry entries pointing to a malicious executable dropped to disk.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" title="Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018."data-reference="Symantec Darkmoon Aug 2005"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0139"> S0139 </a> </td> <td> <a href="/software/S0139"> PowerDuke </a> </td> <td> <p><a href="/software/S0139">PowerDuke</a> achieves persistence by using various Registry Run keys.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" title="Adair, S.. (2016, November 9). 
PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017."data-reference="Volexity PowerDuke November 2016"><sup><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0441"> S0441 </a> </td> <td> <a href="/software/S0441"> PowerShower </a> </td> <td> <p><a href="/software/S0441">PowerShower</a> sets up persistence with a Registry run key.<span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" title="Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020."data-reference="Unit 42 Inception November 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0145"> S0145 </a> </td> <td> <a href="/software/S0145"> POWERSOURCE </a> </td> <td> <p><a href="/software/S0145">POWERSOURCE</a> achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.<span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" title="Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. 
Retrieved March 8, 2017."data-reference="Cisco DNSMessenger March 2017"><sup><a href="http://blog.talosintelligence.com/2017/03/dnsmessenger.html" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0194"> S0194 </a> </td> <td> <a href="/software/S0194"> PowerSploit </a> </td> <td> <p><a href="/software/S0194">PowerSploit</a>'s <code>New-UserPersistenceOption</code> Persistence argument can be used to establish persistence via the <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> Registry key.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" title="PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018."data-reference="GitHub PowerSploit May 2012"><sup><a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a></sup></span><span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" title="PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018."data-reference="PowerSploit Documentation"><sup><a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0371"> S0371 </a> </td> <td> <a href="/software/S0371"> POWERTON </a> </td> <td> <p><a href="/software/S0371">POWERTON</a> can install a Registry Run key for persistence.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" title="Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. 
Retrieved January 17, 2019."data-reference="FireEye APT33 Guardrail"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0113"> S0113 </a> </td> <td> <a href="/software/S0113"> Prikormka </a> </td> <td> <p><a href="/software/S0113">Prikormka</a> adds itself to a Registry Run key with the name guidVGA or guidVSA.<span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016."data-reference="ESET Operation Groundbait"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0056"> G0056 </a> </td> <td> <a href="/groups/G0056"> PROMETHIUM </a> </td> <td> <p><a href="/groups/G0056">PROMETHIUM</a> has used Registry run keys to establish persistence.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0147"> S0147 </a> </td> <td> <a href="/software/S0147"> Pteranodon </a> </td> <td> <p><a href="/software/S0147">Pteranodon</a> copies itself to the Startup folder to establish persistence.<span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" title="Kasza, A. and Reichel, D. (2017, February 27). 
The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017."data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0196"> S0196 </a> </td> <td> <a href="/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/software/S0196">PUNCHBUGGY</a> has been observed using a Registry Run key for persistence.<span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a></sup></span><span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019."data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <p><a href="/software/S0192">Pupy</a> adds itself to the Startup folder or to the Registry key <code>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). 
Retrieved January 29, 2018."data-reference="GitHub Pupy"><sup><a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0024"> G0024 </a> </td> <td> <a href="/groups/G0024"> Putter Panda </a> </td> <td> <p>A dropper used by <a href="/groups/G0024">Putter Panda</a> installs itself into the ASEP Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> with a value named McUpdate.<span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" title="Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016."data-reference="CrowdStrike Putter Panda"><sup><a href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <p><a href="/software/S0650">QakBot</a> can maintain persistence by creating an auto-run Registry key.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" title="Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot May 2020"><sup><a href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a></sup></span><span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" title="CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. 
Retrieved September 27, 2021."data-reference="Crowdstrike Qakbot October 2020"><sup><a href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a></sup></span><span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" title="Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot December 2020"><sup><a href="https://success.trendmicro.com/solution/000283381" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a></sup></span><span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020"><sup><a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <p>If the <a href="/software/S0262">QuasarRAT</a> client process does not have administrator privileges it will add a registry key to <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" title="MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018."data-reference="GitHub QuasarRAT"><sup><a href="https://github.com/quasar/QuasarRAT" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a></sup></span><span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" title="CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. 
Retrieved August 1, 2022."data-reference="CISA AR18-352A Quasar RAT December 2018"><sup><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0458"> S0458 </a> </td> <td> <a href="/software/S0458"> Ramsay </a> </td> <td> <p><a href="/software/S0458">Ramsay</a> has created Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" title="Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021."data-reference="Antiy CERT Ramsay April 2020"><sup><a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1130"> S1130 </a> </td> <td> <a href="/software/S1130"> Raspberry Robin </a> </td> <td> <p><a href="/software/S1130">Raspberry Robin</a> uses a Registry RunOnce value to persist across reboot, setting an entry such as: <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\{random value name} = "rundll32 shell32 ShellExec_RunDLLA REGSVR /u /s "{dropped copy path and file name}""</code>.<span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" title="Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. 
Retrieved May 17, 2024."data-reference="TrendMicro RaspberryRobin 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0662"> S0662 </a> </td> <td> <a href="/software/S0662"> RCSession </a> </td> <td> <p><a href="/software/S0662">RCSession</a> has the ability to modify a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" title="Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021."data-reference="Profero APT27 December 2020"><sup><a href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0172"> S0172 </a> </td> <td> <a href="/software/S0172"> Reaver </a> </td> <td> <p><a href="/software/S0172">Reaver</a> creates a shortcut file and saves it in a Startup folder to establish persistence.<span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" title="Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. 
Retrieved November 16, 2017."data-reference="Palo Alto Reaver Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1039"> G1039 </a> </td> <td> <a href="/groups/G1039"> RedCurl </a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has established persistence by creating entries in <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a></sup></span><span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0153"> S0153 </a> </td> <td> <a href="/software/S0153"> RedLeaves </a> </td> <td> <p><a href="/software/S0153">RedLeaves</a> attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. 
Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span><span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" title="Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018."data-reference="Accenture Hogfish April 2018"><sup><a href="http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0332"> S0332 </a> </td> <td> <a href="/software/S0332"> Remcos </a> </td> <td> <p><a href="/software/S0332">Remcos</a> can add itself to the Registry key <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-233') id="scite-ref-233-a" class="scite-citeref-number" title="Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018."data-reference="Fortinet Remcos Feb 2017"><sup><a href="https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" target="_blank" data-hasqtip="232" aria-describedby="qtip-232">[233]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0375"> S0375 </a> </td> <td> <a href="/software/S0375"> Remexi </a> </td> <td> <p><a href="/software/S0375">Remexi</a> utilizes Run Registry keys in the HKLM hive as a persistence mechanism.<span onclick=scrollToRef('scite-234') id="scite-ref-234-a" class="scite-citeref-number" title="Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. 
Retrieved April 17, 2019."data-reference="Securelist Remexi Jan 2019"><sup><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="233" aria-describedby="qtip-233">[234]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0433"> S0433 </a> </td> <td> <a href="/software/S0433"> Rifdoor </a> </td> <td> <p><a href="/software/S0433">Rifdoor</a> has created a new Registry value named <code>Graphics</code> under <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> with the data <code>C:\ProgramData\Initech\Initech.exe /run</code>.<span onclick=scrollToRef('scite-235') id="scite-ref-235-a" class="scite-citeref-number" title="Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="234" aria-describedby="qtip-234">[235]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1150"> S1150 </a> </td> <td> <a href="/software/S1150"> ROADSWEEP </a> </td> <td> <p><a href="/software/S1150">ROADSWEEP</a> has been placed in the Startup folder to trigger execution upon user login.<span onclick=scrollToRef('scite-236') id="scite-ref-236-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. 
Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="235" aria-describedby="qtip-235">[236]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0106"> G0106 </a> </td> <td> <a href="/groups/G0106"> Rocke </a> </td> <td> <p><a href="/groups/G0106">Rocke</a>'s miner has created UPX-packed files in the Windows Start Menu Folder.<span onclick=scrollToRef('scite-237') id="scite-ref-237-a" class="scite-citeref-number" title="Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."data-reference="Talos Rocke August 2018"><sup><a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank" data-hasqtip="236" aria-describedby="qtip-236">[237]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0270"> S0270 </a> </td> <td> <a href="/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/software/S0270">RogueRobin</a> created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.<span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. 
Retrieved August 2, 2018."data-reference="Unit 42 DarkHydrus July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0090"> S0090 </a> </td> <td> <a href="/software/S0090"> Rover </a> </td> <td> <p><a href="/software/S0090">Rover</a> persists by creating a Registry entry in <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</code>.<span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" title="Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016."data-reference="Palo Alto Rover"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0148"> S0148 </a> </td> <td> <a href="/software/S0148"> RTM </a> </td> <td> <p><a href="/software/S0148">RTM</a> tries to add a Registry Run key under the name "Windows Update" to establish persistence.<span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" title="Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. 
Retrieved March 9, 2017."data-reference="ESET RTM Feb 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0048"> G0048 </a> </td> <td> <a href="/groups/G0048"> RTM </a> </td> <td> <p><a href="/groups/G0048">RTM</a> has used Registry run keys to establish persistence for the <a href="/software/S0148">RTM</a> Trojan and other tools, such as a modified version of TeamViewer remote desktop software.<span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" title="Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017."data-reference="ESET RTM Feb 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a></sup></span><span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" title="Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020."data-reference="Group IB RTM August 2019"><sup><a href="https://www.group-ib.com/blog/rtm" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0253"> S0253 </a> </td> <td> <a href="/software/S0253"> RunningRAT </a> </td> <td> <p><a href="/software/S0253">RunningRAT</a> adds itself to the Registry key <code>Software\Microsoft\Windows\CurrentVersion\Run</code> to establish persistence upon reboot.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. 
Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0446"> S0446 </a> </td> <td> <a href="/software/S0446"> Ryuk </a> </td> <td> <p><a href="/software/S0446">Ryuk</a> has used the Windows command line to create a Registry entry under <code>HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> to establish persistence.<span onclick=scrollToRef('scite-242') id="scite-ref-242-a" class="scite-citeref-number" title="Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."data-reference="CrowdStrike Ryuk January 2019"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="241" aria-describedby="qtip-241">[242]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0085"> S0085 </a> </td> <td> <a href="/software/S0085"> S-Type </a> </td> <td> <p><a href="/software/S0085">S-Type</a> may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}</code>.<span onclick=scrollToRef('scite-243') id="scite-ref-243-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="242" aria-describedby="qtip-242">[243]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1018"> S1018 </a> </td> <td> <a href="/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/software/S1018">Saint Bot</a> has established persistence by being copied to the Startup directory or through the <code>\Software\Microsoft\Windows\CurrentVersion\Run</code> registry key.<span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a></sup></span><span onclick=scrollToRef('scite-245') id="scite-ref-245-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. 
Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 "><sup><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="244" aria-describedby="qtip-244">[245]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0074"> S0074 </a> </td> <td> <a href="/software/S0074"> Sakula </a> </td> <td> <p>Most <a href="/software/S0074">Sakula</a> samples maintain persistence by setting the Registry Run key <code>SOFTWARE\Microsoft\Windows\CurrentVersion\Run\</code> in the HKLM or HKCU hive, with the Registry value and file name varying by sample.<span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016."data-reference="Dell Sakula"><sup><a href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0461"> S0461 </a> </td> <td> <a href="/software/S0461"> SDBbot </a> </td> <td> <p><a href="/software/S0461">SDBbot</a> has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privileges.<span onclick=scrollToRef('scite-247') id="scite-ref-247-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="246" aria-describedby="qtip-246">[247]</a></sup></span><span onclick=scrollToRef('scite-248') id="scite-ref-248-a" class="scite-citeref-number" title="Frydrych, M. (2020, April 14). 
TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."data-reference="IBM TA505 April 2020"><sup><a href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank" data-hasqtip="247" aria-describedby="qtip-247">[248]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0053"> S0053 </a> </td> <td> <a href="/software/S0053"> SeaDuke </a> </td> <td> <p><a href="/software/S0053">SeaDuke</a> is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.<span onclick=scrollToRef('scite-249') id="scite-ref-249-a" class="scite-citeref-number" title="Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016."data-reference="Unit 42 SeaDuke 2015"><sup><a href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank" data-hasqtip="248" aria-describedby="qtip-248">[249]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0345"> S0345 </a> </td> <td> <a href="/software/S0345"> Seasalt </a> </td> <td> <p><a href="/software/S0345">Seasalt</a> creates a Registry entry to ensure infection after reboot under <code>HKLM\Software\Microsoft\Windows\currentVersion\Run</code>.<span onclick=scrollToRef('scite-250') id="scite-ref-250-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. 
Retrieved November 30, 2018."data-reference="McAfee Oceansalt Oct 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank" data-hasqtip="249" aria-describedby="qtip-249">[250]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0382"> S0382 </a> </td> <td> <a href="/software/S0382"> ServHelper </a> </td> <td> <p><a href="/software/S0382">ServHelper</a> may attempt to establish persistence via the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\</code> Run key.<span onclick=scrollToRef('scite-251') id="scite-ref-251-a" class="scite-citeref-number" title="Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024."data-reference="Deep Instinct TA505 Apr 2019"><sup><a href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank" data-hasqtip="250" aria-describedby="qtip-250">[251]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0546"> S0546 </a> </td> <td> <a href="/software/S0546"> SharpStage </a> </td> <td> <p><a href="/software/S0546">SharpStage</a> has the ability to create persistence for the malware using a Registry Run key and the Startup folder.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0444"> S0444 </a> </td> <td> <a href="/software/S0444"> ShimRat </a> </td> <td> <p><a href="/software/S0444">ShimRat</a> has installed a registry based start-up key <code>HKCU\Software\microsoft\windows\CurrentVersion\Run</code> to maintain persistence should other methods fail.<span onclick=scrollToRef('scite-252') id="scite-ref-252-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="251" aria-describedby="qtip-251">[252]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0028"> S0028 </a> </td> <td> <a href="/software/S0028"> SHIPSHAPE </a> </td> <td> <p><a href="/software/S0028">SHIPSHAPE</a> achieves persistence by creating a shortcut in the Startup folder.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. 
Retrieved May 1, 2015."data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0121"> G0121 </a> </td> <td> <a href="/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/groups/G0121">Sidewinder</a> has added paths to executables in the Registry to establish persistence.<span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" title="Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021."data-reference="Rewterz Sidewinder APT April 2020"><sup><a href="https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a></sup></span><span onclick=scrollToRef('scite-254') id="scite-ref-254-a" class="scite-citeref-number" title="Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021."data-reference="Rewterz Sidewinder COVID-19 June 2020"><sup><a href="https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19" target="_blank" data-hasqtip="253" aria-describedby="qtip-253">[254]</a></sup></span><span onclick=scrollToRef('scite-255') id="scite-ref-255-a" class="scite-citeref-number" title="Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. 
Retrieved January 29, 2021."data-reference="Cyble Sidewinder September 2020"><sup><a href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank" data-hasqtip="254" aria-describedby="qtip-254">[255]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0091"> G0091 </a> </td> <td> <a href="/groups/G0091"> Silence </a> </td> <td> <p><a href="/groups/G0091">Silence</a> has used <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code>, <code>HKLM\Software\Microsoft\Windows\CurrentVersion\Run</code>, and the Startup folder to establish persistence.<span onclick=scrollToRef('scite-256') id="scite-ref-256-a" class="scite-citeref-number" title="Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."data-reference="Group IB Silence Sept 2018"><sup><a href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank" data-hasqtip="255" aria-describedby="qtip-255">[256]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0692"> S0692 </a> </td> <td> <a href="/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/software/S0692">SILENTTRINITY</a> can establish a LNK file in the startup folder for persistence.<span onclick=scrollToRef('scite-257') id="scite-ref-257-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. 
Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="256" aria-describedby="qtip-256">[257]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1035"> S1035 </a> </td> <td> <a href="/software/S1035"> Small Sieve </a> </td> <td> <p><a href="/software/S1035">Small Sieve</a> has the ability to add itself to <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift</code> for persistence.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" title="NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022."data-reference="NCSC GCHQ Small Sieve Jan 2022"><sup><a href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0226"> S0226 </a> </td> <td> <a href="/software/S0226"> Smoke Loader </a> </td> <td> <p><a href="/software/S0226">Smoke Loader</a> adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.<span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" title="Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. 
Retrieved March 20, 2018."data-reference="Malwarebytes SmokeLoader 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0649"> S0649 </a> </td> <td> <a href="/software/S0649"> SMOKEDHAM </a> </td> <td> <p><a href="/software/S0649">SMOKEDHAM</a> has used <code>reg.exe</code> to create a Registry Run key.<span onclick=scrollToRef('scite-260') id="scite-ref-260-a" class="scite-citeref-number" title="FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021."data-reference="FireEye SMOKEDHAM June 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank" data-hasqtip="259" aria-describedby="qtip-259">[260]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1086"> S1086 </a> </td> <td> <a href="/software/S1086"> Snip3 </a> </td> <td> <p><a href="/software/S1086">Snip3</a> can create a VBS file in startup to persist after system restarts.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0159"> S0159 </a> </td> <td> <a href="/software/S0159"> SNUGRIDE </a> </td> <td> <p><a href="/software/S0159">SNUGRIDE</a> establishes persistence through a Registry Run key.<span onclick=scrollToRef('scite-262') id="scite-ref-262-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, April 6). 
APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017."data-reference="FireEye APT10 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank" data-hasqtip="261" aria-describedby="qtip-261">[262]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0035"> S0035 </a> </td> <td> <a href="/software/S0035"> SPACESHIP </a> </td> <td> <p><a href="/software/S0035">SPACESHIP</a> achieves persistence by creating a shortcut in the current user's Startup folder.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015."data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0058"> S0058 </a> </td> <td> <a href="/software/S0058"> SslMM </a> </td> <td> <p>To establish persistence, <a href="/software/S0058">SslMM</a> identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.<span onclick=scrollToRef('scite-263') id="scite-ref-263-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. 
Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="262" aria-describedby="qtip-262">[263]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1037"> S1037 </a> </td> <td> <a href="/software/S1037"> STARWHALE </a> </td> <td> <p><a href="/software/S1037">STARWHALE</a> can establish persistence by installing itself in the startup folder, whereas the GO variant has created a <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM</code> registry key.<span onclick=scrollToRef('scite-264') id="scite-ref-264-a" class="scite-citeref-number" title="FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022."data-reference="DHS CISA AA22-055A MuddyWater February 2022"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="263" aria-describedby="qtip-263">[264]</a></sup></span><span onclick=scrollToRef('scite-265') id="scite-ref-265-a" class="scite-citeref-number" title="Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022."data-reference="Mandiant UNC3313 Feb 2022"><sup><a href="https://www.mandiant.com/resources/telegram-malware-iranian-espionage" target="_blank" data-hasqtip="264" aria-describedby="qtip-264">[265]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0491"> S0491 </a> </td> <td> <a href="/software/S0491"> StrongPity </a> </td> <td> <p><a href="/software/S0491">StrongPity</a> can use the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> Registry key for persistence.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Mercer, W. et al. 
(2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0018"> S0018 </a> </td> <td> <a href="/software/S0018"> Sykipot </a> </td> <td> <p><a href="/software/S0018">Sykipot</a> has been known to establish persistence by adding programs to the Run Registry key.<span onclick=scrollToRef('scite-266') id="scite-ref-266-a" class="scite-citeref-number" title="Blasco, J. (2013, March 21). New Sykipot developments &#91;Blog&#93;. Retrieved November 12, 2014."data-reference="Blasco 2013"><sup><a href="http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments" target="_blank" data-hasqtip="265" aria-describedby="qtip-265">[266]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0663"> S0663 </a> </td> <td> <a href="/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/software/S0663">SysUpdate</a> can use a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-267') id="scite-ref-267-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. 
Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="266" aria-describedby="qtip-266">[267]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1018"> G1018 </a> </td> <td> <a href="/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/groups/G1018">TA2541</a> has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.<span onclick=scrollToRef('scite-268') id="scite-ref-268-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="267" aria-describedby="qtip-267">[268]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0011"> S0011 </a> </td> <td> <a href="/software/S0011"> Taidoor </a> </td> <td> <p><a href="/software/S0011">Taidoor</a> has modified the <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> key for persistence.<span onclick=scrollToRef('scite-269') id="scite-ref-269-a" class="scite-citeref-number" title="Trend Micro. (2012). The Taidoor Campaign. 
Retrieved November 12, 2014."data-reference="TrendMicro Taidoor"><sup><a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank" data-hasqtip="268" aria-describedby="qtip-268">[269]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0586"> S0586 </a> </td> <td> <a href="/software/S0586"> TAINTEDSCRIBE </a> </td> <td> <p><a href="/software/S0586">TAINTEDSCRIBE</a> can copy itself into the current user’s Startup folder as "Narrator.exe" for persistence.<span onclick=scrollToRef('scite-270') id="scite-ref-270-a" class="scite-citeref-number" title="USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021."data-reference="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" data-hasqtip="269" aria-describedby="qtip-269">[270]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0139"> G0139 </a> </td> <td> <a href="/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has added batch scripts to the startup folder.<span onclick=scrollToRef('scite-271') id="scite-ref-271-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. 
Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="270" aria-describedby="qtip-270">[271]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0027"> G0027 </a> </td> <td> <a href="/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/groups/G0027">Threat Group-3390</a>'s malware can add a Registry key to <code>Software\Microsoft\Windows\CurrentVersion\Run</code> for persistence.<span onclick=scrollToRef('scite-272') id="scite-ref-272-a" class="scite-citeref-number" title="Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018."data-reference="Nccgroup Emissary Panda May 2018"><sup><a href="https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" target="_blank" data-hasqtip="271" aria-describedby="qtip-271">[272]</a></sup></span><span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" title="Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023."data-reference="Lunghi Iron Tiger Linux"><sup><a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0665"> S0665 </a> </td> <td> <a href="/software/S0665"> ThreatNeedle </a> </td> <td> <p><a href="/software/S0665">ThreatNeedle</a> can be loaded into the Startup folder (<code>%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk</code>) as a Shortcut file for persistence.<span onclick=scrollToRef('scite-274') id="scite-ref-274-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). 
Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="273" aria-describedby="qtip-273">[274]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0131"> S0131 </a> </td> <td> <a href="/software/S0131"> TINYTYPHON </a> </td> <td> <p><a href="/software/S0131">TINYTYPHON</a> installs itself under a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0004"> S0004 </a> </td> <td> <a href="/software/S0004"> TinyZBot </a> </td> <td> <p><a href="/software/S0004">TinyZBot</a> can create a shortcut in the Windows startup folder for persistence.<span onclick=scrollToRef('scite-275') id="scite-ref-275-a" class="scite-citeref-number" title="Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017."data-reference="Cylance Cleaver"><sup><a href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank" data-hasqtip="274" aria-describedby="qtip-274">[275]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0266"> S0266 </a> </td> <td> <a href="/software/S0266"> TrickBot </a> </td> <td> <p><a href="/software/S0266">TrickBot</a> establishes persistence in the Startup folder.<span onclick=scrollToRef('scite-276') id="scite-ref-276-a" class="scite-citeref-number" title="Boutin, J. 
(2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021."data-reference="ESET Trickbot Oct 2020"><sup><a href="https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/" target="_blank" data-hasqtip="275" aria-describedby="qtip-275">[276]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0094"> S0094 </a> </td> <td> <a href="/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/software/S0094">Trojan.Karagany</a> can create a link to itself in the Startup folder to automatically start itself upon system restart.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-277') id="scite-ref-277-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="276" aria-describedby="qtip-276">[277]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0081"> G0081 </a> </td> <td> <a href="/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/groups/G0081">Tropic Trooper</a> has created shortcuts in the Startup folder to establish persistence.<span onclick=scrollToRef('scite-278') id="scite-ref-278-a" class="scite-citeref-number" title="Moore, S. et al. 
(2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020."data-reference="Anomali Pirate Panda April 2020"><sup><a href="https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z" target="_blank" data-hasqtip="277" aria-describedby="qtip-277">[278]</a></sup></span><span onclick=scrollToRef('scite-279') id="scite-ref-279-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020"><sup><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="278" aria-describedby="qtip-278">[279]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0178"> S0178 </a> </td> <td> <a href="/software/S0178"> Truvasys </a> </td> <td> <p><a href="/software/S0178">Truvasys</a> adds a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-280') id="scite-ref-280-a" class="scite-citeref-number" title="Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017."data-reference="Microsoft Win Defender Truvasys Sep 2017"><sup><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha" target="_blank" data-hasqtip="279" aria-describedby="qtip-279">[280]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0647"> S0647 </a> </td> <td> <a href="/software/S0647"> Turian </a> </td> <td> <p><a href="/software/S0647">Turian</a> can establish persistence by adding Registry Run keys.<span onclick=scrollToRef('scite-281') id="scite-ref-281-a" class="scite-citeref-number" title="Adam Burgher. (2021, June 10). 
BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021."data-reference="ESET BackdoorDiplomacy Jun 2021"><sup><a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank" data-hasqtip="280" aria-describedby="qtip-280">[281]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p>A <a href="/groups/G0010">Turla</a> JavaScript backdoor added a <code>local_update_check</code> value under the Registry key <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> to establish persistence. Additionally, a <a href="/groups/G0010">Turla</a> custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018."data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span><span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" title="ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018."data-reference="ESET Turla Mosquito May 2018"><sup><a href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span><span onclick=scrollToRef('scite-283') id="scite-ref-283-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. 
Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="282" aria-describedby="qtip-282">[283]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0199"> S0199 </a> </td> <td> <a href="/software/S0199"> TURNEDUP </a> </td> <td> <p><a href="/software/S0199">TURNEDUP</a> is capable of writing to a Registry Run key to establish persistence.<span onclick=scrollToRef('scite-284') id="scite-ref-284-a" class="scite-citeref-number" title="Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018."data-reference="CyberBit Early Bird Apr 2018"><sup><a href="https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/" target="_blank" data-hasqtip="283" aria-describedby="qtip-283">[284]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0386"> S0386 </a> </td> <td> <a href="/software/S0386"> Ursnif </a> </td> <td> <p><a href="/software/S0386">Ursnif</a> has used Registry Run keys to establish automatic execution at system startup.<span onclick=scrollToRef('scite-285') id="scite-ref-285-a" class="scite-citeref-number" title="Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019."data-reference="TrendMicro PE_URSNIF.A2"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="284" aria-describedby="qtip-284">[285]</a></sup></span><span onclick=scrollToRef('scite-286') id="scite-ref-286-a" class="scite-citeref-number" title="Sioting, S. (2013, June 15). BKDR_URSNIF.SM. 
Retrieved June 5, 2019."data-reference="TrendMicro BKDR_URSNIF.SM"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="285" aria-describedby="qtip-285">[286]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0136"> S0136 </a> </td> <td> <a href="/software/S0136"> USBStealer </a> </td> <td> <p><a href="/software/S0136">USBStealer</a> registers itself under a Registry Run key with the name "USB Disk Security."<span onclick=scrollToRef('scite-287') id="scite-ref-287-a" class="scite-citeref-number" title="Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017."data-reference="ESET Sednit USBStealer 2014"><sup><a href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank" data-hasqtip="286" aria-describedby="qtip-286">[287]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0207"> S0207 </a> </td> <td> <a href="/software/S0207"> Vasport </a> </td> <td> <p><a href="/software/S0207">Vasport</a> copies itself to disk and creates an associated run key Registry entry to establish persistence.<span onclick=scrollToRef('scite-288') id="scite-ref-288-a" class="scite-citeref-number" title="Zhou, R. (2012, May 15). Backdoor.Vasport. 
Retrieved February 22, 2018."data-reference="Symantec Vasport May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99" target="_blank" data-hasqtip="287" aria-describedby="qtip-287">[288]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0442"> S0442 </a> </td> <td> <a href="/software/S0442"> VBShower </a> </td> <td> <p><a href="/software/S0442">VBShower</a> used <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8}</code> to maintain persistence.<span onclick=scrollToRef('scite-289') id="scite-ref-289-a" class="scite-citeref-number" title="GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."data-reference="Kaspersky Cloud Atlas August 2019"><sup><a href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank" data-hasqtip="288" aria-describedby="qtip-288">[289]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0670"> S0670 </a> </td> <td> <a href="/software/S0670"> WarzoneRAT </a> </td> <td> <p><a href="/software/S0670">WarzoneRAT</a> can add itself to the <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Run</code> and <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK</code> Registry keys.<span onclick=scrollToRef('scite-290') id="scite-ref-290-a" class="scite-citeref-number" title="Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. 
Retrieved December 17, 2021."data-reference="Check Point Warzone Feb 2020"><sup><a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="289" aria-describedby="qtip-289">[290]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0112"> G0112 </a> </td> <td> <a href="/groups/G0112"> Windshift </a> </td> <td> <p><a href="/groups/G0112">Windshift</a> has created LNK files in the Startup folder to establish persistence.<span onclick=scrollToRef('scite-291') id="scite-ref-291-a" class="scite-citeref-number" title="The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."data-reference="BlackBerry Bahamut"><sup><a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank" data-hasqtip="290" aria-describedby="qtip-290">[291]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0141"> S0141 </a> </td> <td> <a href="/software/S0141"> Winnti for Windows </a> </td> <td> <p><a href="/software/S0141">Winnti for Windows</a> can add a service named <code>wind0ws</code> to the Registry to achieve persistence after reboot.<span onclick=scrollToRef('scite-292') id="scite-ref-292-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2015, April 7). Winnti Analysis. 
Retrieved February 8, 2017."data-reference="Novetta Winnti April 2015"><sup><a href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank" data-hasqtip="291" aria-describedby="qtip-291">[292]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0102"> G0102 </a> </td> <td> <a href="/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/groups/G0102">Wizard Spider</a> has established persistence via the Registry key <code>HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code> and a shortcut within the startup folder.<span onclick=scrollToRef('scite-293') id="scite-ref-293-a" class="scite-citeref-number" title="DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020."data-reference="DHS/CISA Ransomware Targeting Healthcare October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank" data-hasqtip="292" aria-describedby="qtip-292">[293]</a></sup></span><span onclick=scrollToRef('scite-294') id="scite-ref-294-a" class="scite-citeref-number" title="Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020."data-reference="FireEye KEGTAP SINGLEMALT October 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank" data-hasqtip="293" aria-describedby="qtip-293">[294]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0341"> S0341 </a> </td> <td> <a href="/software/S0341"> Xbash </a> </td> <td> <p><a href="/software/S0341">Xbash</a> can create a Startup item for persistence if it determines it is on a Windows system.<span onclick=scrollToRef('scite-295') id="scite-ref-295-a" class="scite-citeref-number" title="Xiao, C. (2018, September 17). 
Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018."data-reference="Unit42 Xbash Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank" data-hasqtip="294" aria-describedby="qtip-294">[295]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0251"> S0251 </a> </td> <td> <a href="/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/software/S0251">Zebrocy</a> creates an entry in a Registry Run key for the malware to execute on startup.<span onclick=scrollToRef('scite-296') id="scite-ref-296-a" class="scite-citeref-number" title="ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019."data-reference="ESET Zebrocy Nov 2018"><sup><a href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank" data-hasqtip="295" aria-describedby="qtip-295">[296]</a></sup></span><span onclick=scrollToRef('scite-297') id="scite-ref-297-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="296" aria-describedby="qtip-296">[297]</a></sup></span><span onclick=scrollToRef('scite-298') id="scite-ref-298-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="297" aria-describedby="qtip-297">[298]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0330"> S0330 </a> </td> <td> <a href="/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/software/S0330">Zeus Panda</a> adds persistence by creating Registry Run keys.<span onclick=scrollToRef('scite-299') id="scite-ref-299-a" class="scite-citeref-number" title="Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018."data-reference="Talos Zeus Panda Nov 2017"><sup><a href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank" data-hasqtip="298" aria-describedby="qtip-298">[299]</a></sup></span><span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" title="Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018."data-reference="GDATA Zeus Panda June 2017"><sup><a href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0128"> G0128 </a> </td> <td> <a href="/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/groups/G0128">ZIRCONIUM</a> has created a Registry Run key named <code>Dropbox Update Setup</code> to establish persistence for a malicious Python binary.<span onclick=scrollToRef('scite-301') id="scite-ref-301-a" class="scite-citeref-number" title="Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. 
Retrieved March 24, 2021."data-reference="Zscaler APT31 Covid-19 October 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="300" aria-describedby="qtip-300">[301]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <p> This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. </p> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Modification">File Modification</a> </td> <td> <p>Monitor the Startup folders (the per-user folder and the all-users folder) for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including the startup folders. <span onclick=scrollToRef('scite-302') id="scite-ref-302-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="301" aria-describedby="qtip-301">[302]</a></sup></span></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for processes newly launched from the Run/RunOnce registry keys through Windows EID 9707 or the "Software\Microsoft\Windows\CurrentVersion\Run" and "Software\Microsoft\Windows\CurrentVersion\RunOnce" registry keys, capturing the full command line.</p><p>Registry modifications are often essential in establishing persistence via known Windows mechanisms. Many legitimate modifications are done graphically via regedit.exe or by using the corresponding channels, or even by calling the Registry APIs directly. The built-in utility reg.exe provides a command-line interface to the registry, so that queries and modifications can be performed from a shell such as cmd.exe. When a user is responsible for these actions, the parent of cmd.exe will likely be explorer.exe. Occasionally, power users and administrators write scripts that do this as well, but likely from a different process tree. These background scripts must be learned so they can be tuned out accordingly.</p><p>Output Description: The sequence of processes that resulted in reg.exe being started from a shell. 
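</p><p>The block below is an added example and is not part of the ATT&amp;CK page or of the CAR analytic it summarises. It reimplements Analytic 1 in Python over a handful of constructed Sysmon Event ID 1 (process creation) records (the GUIDs, paths and command lines are made up for the example): it walks <code>ParentProcessGuid</code> links to rebuild the process hierarchy described here, applies the join condition (reg.exe under cmd.exe, where that cmd.exe was not started by explorer.exe) and, going one step beyond the analytic, inspects the reg.exe command line for a Run-key path so that background administrative scripts that only touch unrelated keys can be tuned out.</p>

```python
"""Analytic 1 (reg.exe called from a command shell) re-implemented over
Sysmon Event ID 1 records. Added example: the records, GUIDs, paths and
command lines below are constructed and do not come from a real host."""

import re
from dataclasses import dataclass

# Run-key variants this technique abuses, matched against the reg.exe
# command line. Unrelated keys such as ...\CurrentVersion\Runtime must not match.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once(Ex)?|Services(Once)?)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessCreate:
    """The Sysmon EID 1 fields the analytic joins on."""
    process_guid: str   # ProcessGuid
    parent_guid: str    # ParentProcessGuid
    image: str          # Image (full path)
    parent_image: str   # ParentImage (full path)
    command_line: str   # CommandLine


def basename(path: str) -> str:
    """Case-folded file name, so full-path Image fields can be compared."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(index: dict, guid: str, max_depth: int = 8) -> list:
    """Follow ParentProcessGuid links: [process, parent, grandparent, ...].
    The walk stops at the first ancestor Sysmon never logged."""
    chain, seen = [], set()
    while guid in index and guid not in seen and len(chain) < max_depth:
        seen.add(guid)
        chain.append(index[guid])
        guid = index[guid].parent_guid
    return chain


def find_reg_from_shell(events: list) -> list:
    """reg.exe whose parent is cmd.exe, where that cmd.exe record's own
    ParentImage is not explorer.exe. Returns (chain of image basenames
    from reg.exe upward, True if the command line names a Run key)."""
    index = {e.process_guid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "reg.exe" or basename(e.parent_image) != "cmd.exe":
            continue
        shell = index.get(e.parent_guid)
        # The analytic's join is an inner join on the cmd.exe record: a missing
        # record drops the row; explorer.exe as grandparent means an interactive user.
        if shell is None or basename(shell.parent_image) == "explorer.exe":
            continue
        chain = tuple(basename(p.image) for p in ancestry(index, e.process_guid))
        hits.append((chain, bool(RUN_KEY_RE.search(e.command_line))))
    return hits


SYS32 = r"C:\Windows\System32"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed sample: an interactive console, a Word macro, and a scheduled task.
SAMPLE_EVENTS = [
    ProcessCreate("E1", "U0", r"C:\Windows\explorer.exe", SYS32 + r"\userinit.exe", "explorer.exe"),
    ProcessCreate("C1", "E1", SYS32 + r"\cmd.exe", r"C:\Windows\explorer.exe", "cmd.exe"),
    ProcessCreate("R1", "C1", SYS32 + r"\reg.exe", SYS32 + r"\cmd.exe",
                  r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Sync /t REG_SZ /d C:\Tools\sync.exe"),
    ProcessCreate("W1", "E1", WORD, r"C:\Windows\explorer.exe", "WINWORD.EXE /n invoice.docm"),
    ProcessCreate("C2", "W1", SYS32 + r"\cmd.exe", WORD, r"cmd.exe /q /c C:\Users\alice\AppData\Local\Temp\p.bat"),
    ProcessCreate("R2", "C2", SYS32 + r"\reg.exe", SYS32 + r"\cmd.exe",
                  r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v Updater /t REG_SZ /d C:\Users\alice\AppData\Roaming\upd.exe"),
    ProcessCreate("S1", "S0", SYS32 + r"\svchost.exe", SYS32 + r"\services.exe", "svchost.exe -k netsvcs -p -s Schedule"),
    ProcessCreate("C3", "S1", SYS32 + r"\cmd.exe", SYS32 + r"\svchost.exe", r"cmd.exe /c C:\Scripts\inventory.cmd"),
    ProcessCreate("R3", "C3", SYS32 + r"\reg.exe", SYS32 + r"\cmd.exe",
                  r"reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion /v ProductName"),
]

if __name__ == "__main__":
    for chain, run_key in find_reg_from_shell(SAMPLE_EVENTS):
        print(" -> ".join(reversed(chain)), "| run key named:", run_key)
```

<p>Running the block prints each surviving chain from the outermost logged ancestor down to reg.exe, together with whether a Run key was named. The console session under explorer.exe is dropped by the grandparent rule, the macro-spawned shell that writes a RunOnce value survives with the Run-key flag set, and the scheduled-task script that only queries the product name survives the analytic but is flagged as not touching a Run key, which is the kind of background script the text says must be learned and tuned out.</p><p>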
That is, a hierarchy that looks like:</p><ul><li>great-grand_parent.exe</li><li>grand_parent.exe</li><li>parent.exe</li><li>reg.exe</li></ul><p>Analytic 1 - Reg.exe called from Command Shell</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") Image="reg.exe" AND ParentImage="cmd.exe" | join left=L right=R where L.ParentProcessGuid = R.ProcessGuid [search EventCode IN (1, 4688) Image="*cmd.exe" ParentImage!="*explorer.exe"]</code></p><p>Note that Sysmon and Security 4688 record Image and ParentImage as full paths, so the two un-wildcarded comparisons in the outer search (<code>Image="reg.exe"</code> and <code>ParentImage="cmd.exe"</code>) need the same leading <code>*</code> as the subsearch, or a field normalised to the file name, before they match anything; and the join on ProcessGuid only resolves for Sysmon records, since 4688 carries process IDs rather than GUIDs.</p> </td> </tr> <tr class="datasource" id="uses-DS0024"> <td> <a href="/datasources/DS0024">DS0024</a> </td> <td class="nowrap"> <a href="/datasources/DS0024">Windows Registry</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Creation">Windows Registry Key Creation</a> </td> <td> <p>Monitor for newly created Windows Registry keys that may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0024-Windows Registry Key Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification">Windows Registry Key Modification</a> </td> <td> <p>Monitor the Registry for changes to Run keys that do not correlate with known software, patch cycles, etc. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations. <span onclick=scrollToRef('scite-302') id="scite-ref-302-a" class="scite-citeref-number" title="Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. 
Retrieved June 6, 2016."data-reference="TechNet Autoruns"><sup><a href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank" data-hasqtip="301" aria-describedby="qtip-301">[302]</a></sup></span></p><p>Detection of modification of the registry value <code>Common Startup</code>, located under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders. These values define the all-users Startup folder; when a user logs on, any files located in the Startup folder are launched. Attackers may repoint these values to a folder of their own so that detections watching the default folder paths never see the added files. This detection focuses on Event IDs 4688 and 1 for process creation and Event ID 4657 for modification of the registry value. Security 4657 is only generated when the key carries a SACL and "Audit Registry" object-access auditing is enabled; Sysmon Event ID 13 (RegistryEvent, value set) requires a configuration rule that includes the value.</p><p>Analytic 1 - Modification of Default Startup Folder in the Registry Key ‘Common Startup’</p><p><code>(source="*WinEventLog:Security" EventCode="4657" ObjectValueName="Common Startup") OR (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="13" TargetObject="*Common Startup")</code></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://learn.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys" target="_blank"> Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry" target="_blank"> Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020. 
</a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/" target="_blank"> Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/" target="_blank"> Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. 
</a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" target="_blank"> Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank"> Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank"> Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank"> Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. 
</a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" target="_blank"> Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank"> Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. 
</a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank"> Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank"> Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html" target="_blank"> Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank"> Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 
</a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank"> Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank"> Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, January 16). 
Korea In The Crosshairs. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"> Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank"> Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. 
</a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures to victims, payloads to infrastructure. Retrieved June 13, 2022. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://arxiv.org/pdf/2102.04796.pdf" target="_blank"> Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker" target="_blank"> Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. 
Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank"> Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). North Korean Advanced Persistent Threat Focus: Kimsuky (Alert AA20-301A). Retrieved November 4, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank"> Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank"> FireEye Labs. (2015, April). 
APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank"> Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). 
Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank"> F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank"> MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. 
</a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99" target="_blank"> Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank"> Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). 
Carberp - a modular information stealing trojan. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank"> Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. 
(2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank"> Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www.group-ib.com/blog/cobalt" target="_blank"> Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" target="_blank"> Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank"> Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/conficker" target="_blank"> Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021. 
</a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat" target="_blank"> Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf" target="_blank"> Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.f-secure.com/documents/996508/1030745/CozyDuke" target="_blank"> F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank"> Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. 
</a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank"> Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank"> TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank"> Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank"> Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. 
Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank"> Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank"> Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank"> ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank"> ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. 
</a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank"> Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank"> Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve? Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor" target="_blank"> Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank"> US-CERT. (2018, July 20). 
Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank"> Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank"> Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank"> Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank"> Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. 
</a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank"> FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank"> FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. 
</a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank"> Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank"> Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank"> Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). Retrieved September 12, 2024. 
</a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank"> Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank"> Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank"> Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank"> CERT-EE. (2021, January 27). 
Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://unit42.paloaltonetworks.com/trident-ursa/" target="_blank"> Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank"> ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://securelist.com/introducing-whitebear/81638/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/" target="_blank"> Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018. 
</a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank"> Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/" target="_blank"> Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank"> Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. 
</a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://securityintelligence.com/posts/grandoreiro-malware-now-targeting-banks-in-spain/" target="_blank"> Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" target="_blank"> Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://www.group-ib.com/blog/grimagent/" target="_blank"> Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/" target="_blank"> Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 
</a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" target="_blank"> Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank"> Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. 
</a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="http://research.zscaler.com/2015/08/chinese-cyber-espionage-apt-group.html" target="_blank"> Desai, D. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" target="_blank"> Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank"> Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. 
</a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/" target="_blank"> GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank"> ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" target="_blank"> Lee, S. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. 
</a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank"> Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2FKasidet" target="_blank"> Manuel, J. and Plantado, R. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. 
</a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank"> Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT? Retrieved August 13, 2019. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank"> KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 
</a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank"> Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 
</a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank"> Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank"> Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. 
</a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf" target="_blank"> ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank"> Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="152.0"> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://securelist.com/apt-luminousmoth/103332/" target="_blank"> Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
</a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank"> Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://securelist.com/el-machete/66108/" target="_blank"> Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank"> The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
</a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank"> ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank"> Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. 
</a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank"> Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank"> Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank"> Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank"> Zhang, X. (2020, February 4).
Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"> ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank"> ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.metabaseq.com/mispadu-banking-trojan/" target="_blank"> Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2" target="_blank"> Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
</a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank"> Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 
</a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"> Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank"> Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5).
Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank"> Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader" target="_blank"> Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" target="_blank"> F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
</a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/" target="_blank"> Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" target="_blank"> McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank"> Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. 
</a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank"> Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" target="_blank"> Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 
</a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank"> Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
</a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank"> Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" target="_blank"> Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024. </a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. 
(2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="http://labs.lastline.com/an-analysis-of-plugx" target="_blank"> Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank"> Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S. (2016, November 9).
PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" target="_blank"> Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="http://blog.talosintelligence.com/2017/03/dnsmessenger.html" target="_blank"> Brumaghin, E. and Grady, C. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank"> Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary.
Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
</a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank"> Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank"> Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank"> CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://success.trendmicro.com/solution/000283381" target="_blank"> Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="https://github.com/quasar/QuasarRAT" target="_blank"> MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank"> CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" target="_blank"> Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024. 
</a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank"> Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank"> Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank"> Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank"> Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. 
</a> </span> </span> </li> <li> <span id="scite-233" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-233" href="https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" target="_blank"> Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-234" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-234" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-235" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-235" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-236" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-236" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-237" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-237" href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank"> Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. 
</a> </span> </span> </li> <li> <span id="scite-238" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-238" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-239" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-239" href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank"> Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. </a> </span> </span> </li> <li> <span id="scite-240" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-240" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </span> </span> </li> <li> <span id="scite-241" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-241" href="https://www.group-ib.com/blog/rtm" target="_blank"> Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-242" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-242" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). 
Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-243" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-243" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-244" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-244" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-245" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-245" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-246" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-246" href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. 
</a> </span> </span> </li> <li> <span id="scite-247" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-247" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-248" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-248" href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank"> Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-249" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-249" href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank"> Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-250" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-250" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. </a> </span> </span> </li> <li> <span id="scite-251" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-251" href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank"> Vilkomir-Preisman, S. 
(2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-252" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-252" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-253" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-253" href="https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis" target="_blank"> Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-254" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-254" href="https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19" target="_blank"> Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-255" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-255" href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank"> Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-256" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-256" href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." 
target="_blank"> Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-257" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-257" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. </a> </span> </span> </li> <li> <span id="scite-258" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-258" href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank"> NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-259" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-259" href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank"> Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. </a> </span> </span> </li> <li> <span id="scite-260" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-260" href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank"> FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-261" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-261" href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank"> Jornet, A. (2021, December 23). 
Snip3, an investigation into malware. Retrieved September 19, 2023. </a> </span> </span> </li> <li> <span id="scite-262" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-262" href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank"> FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. </a> </span> </span> </li> <li> <span id="scite-263" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-263" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-264" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-264" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-265" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-265" href="https://www.mandiant.com/resources/telegram-malware-iranian-espionage" target="_blank"> Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. 
</a> </span> </span> </li> <li> <span id="scite-266" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-266" href="http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments" target="_blank"> Blasco, J. (2013, March 21). New Sykipot developments &#91;Blog&#93;. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-267" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-267" href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank"> Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-268" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-268" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. </a> </span> </span> </li> <li> <span id="scite-269" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-269" href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank"> Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-270" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-270" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank"> USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-271" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-271" href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank"> AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-272" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-272" href="https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" target="_blank"> Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. </a> </span> </span> </li> <li> <span id="scite-273" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-273" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-274" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-274" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-275" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-275" href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank"> Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 
</a> </span> </span> </li> <li> <span id="scite-276" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-276" href="https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/" target="_blank"> Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021. </a> </span> </span> </li> <li> <span id="scite-277" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-277" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-278" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-278" href="https://www.anomali.com/blog/anomali-suspects-that-china-backed-apt-pirate-panda-may-be-seeking-access-to-vietnam-government-data-center#When:15:00:00Z" target="_blank"> Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-279" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-279" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. 
</a> </span> </span> </li> <li> <span id="scite-280" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-280" href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha" target="_blank"> Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017. </a> </span> </span> </li> <li> <span id="scite-281" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-281" href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank"> Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021. </a> </span> </span> </li> <li> <span id="scite-282" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-282" href="https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/" target="_blank"> ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-283" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-283" href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank"> Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. </a> </span> </span> </li> <li> <span id="scite-284" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-284" href="https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/" target="_blank"> Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. 
Retrieved May 24, 2018. </a> </span> </span> </li> <li> <span id="scite-285" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-285" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279" target="_blank"> Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-286" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-286" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank"> Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-287" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-287" href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank"> Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. </a> </span> </span> </li> <li> <span id="scite-288" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-288" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-289" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-289" href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank"> GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. 
</a> </span> </span> </li> <li> <span id="scite-290" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-290" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-291" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-291" href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank"> The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-292" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-292" href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank"> Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. </a> </span> </span> </li> <li> <span id="scite-293" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-293" href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank"> DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-294" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-294" href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank"> Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. 
(2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-295" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-295" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank"> Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-296" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-296" href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank"> ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. </a> </span> </span> </li> <li> <span id="scite-297" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-297" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-298" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-298" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-299" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-299" href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank"> Brumaghin, E., et al. 
(2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-300" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-300" href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank"> Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-301" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-301" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-302" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-302" href="https://technet.microsoft.com/en-us/sysinternals/bb963902" target="_blank"> Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy 
Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> </body> </html>
