<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>System Network Configuration Discovery, Technique T1016 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">System Network Configuration Discovery</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> System Network Configuration Discovery </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Sub-techniques (2)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/techniques/T1016/001/" class="subtechnique-table-item" data-subtechnique_id="T1016.001"> T1016.001 </a> </td> <td> <a href="/techniques/T1016/001/" class="subtechnique-table-item" data-subtechnique_id="T1016.001"> Internet Connection Discovery </a> </td> </tr> <tr> <td> <a href="/techniques/T1016/002/" class="subtechnique-table-item" data-subtechnique_id="T1016.002"> T1016.002 </a> </td> <td> <a href="/techniques/T1016/002/" class="subtechnique-table-item" data-subtechnique_id="T1016.002"> Wi-Fi Discovery </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include <a href="/software/S0099">Arp</a>, <a href="/software/S0100">ipconfig</a>/<a href="/software/S0101">ifconfig</a>, <a href="/software/S0102">nbtstat</a>, and <a href="/software/S0103">route</a>.</p><p>Adversaries may also leverage a <a href="/techniques/T1059/008">Network Device CLI</a> on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes (e.g. <code>show ip route</code>, <code>show ip interface</code>).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020."data-reference="US-CERT-TA18-106A">^{<a href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022."data-reference="Mandiant APT41 Global Intrusion ">^{<a href="https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p><p>Adversaries may use the information from <a href="/techniques/T1016">System Network Configuration Discovery</a> during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1016 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques:&nbsp;</span> <a href="/techniques/T1016/001">T1016.001</a>, <a href="/techniques/T1016/002">T1016.002</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0007">Discovery</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Austin Clark, @c2defense </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>28 July 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1016" href="/versions/v16/techniques/T1016/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1016" href="/versions/v16/techniques/T1016/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S1028"> S1028 </a> </td> <td> <a href="/software/S1028"> Action RAT </a> </td> <td> <p><a href="/software/S1028">Action RAT</a> has the ability to collect the MAC address of an infected host.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021">^{<a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0552"> S0552 </a> </td> <td> <a href="/software/S0552"> AdFind </a> </td> <td> <p><a href="/software/S0552">AdFind</a> can extract subnet information from Active Directory.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020."data-reference="Red Canary Hospital Thwarted Ryuk October 2020">^{<a href="https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019."data-reference="FireEye FIN6 Apr 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."data-reference="FireEye Ryuk and Trickbot January 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0018"> G0018 </a> </td> <td> <a href="/groups/G0018"> admin@338 </a> </td> <td> <p><a href="/groups/G0018">admin@338</a> actors used the following command after exploiting a machine with <a href="/software/S0042">LOWBALL</a> malware to acquire information about local networks: <code>ipconfig /all &gt;&gt; %temp%\download</code><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015."data-reference="FireEye admin@338">^{<a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0331"> S0331 </a> </td> <td> <a href="/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/software/S0331">Agent Tesla</a> can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018."data-reference="DigiTrust Agent Tesla Jan 2017">^{<a href="https://www.digitrustgroup.com/agent-tesla-keylogger/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020."data-reference="SentinelLabs Agent Tesla Aug 2020">^{<a href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0092"> S0092 </a> </td> <td> <a href="/software/S0092"> Agent.btz </a> </td> <td> <p><a href="/software/S0092">Agent.btz</a> collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016."data-reference="ThreatExpert Agent.btz">^{<a href="http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1025"> S1025 </a> </td> <td> <a href="/software/S1025"> Amadey </a> </td> <td> <p><a href="/software/S1025">Amadey</a> can identify the IP address of a victim machine.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022."data-reference="BlackBerry Amadey 2020">^{<a href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0504"> S0504 </a> </td> <td> <a href="/software/S0504"> Anchor </a> </td> <td> <p><a href="/software/S0504">Anchor</a> can determine the public IP and location of a compromised host.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020."data-reference="Medium Anchor DNS July 2020">^{<a href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0622"> S0622 </a> </td> <td> <a href="/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/software/S0622">AppleSeed</a> can identify the IP of a targeted system.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021">^{<a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0006"> G0006 </a> </td> <td> <a href="/groups/G0006"> APT1 </a> </td> <td> <p><a href="/groups/G0006">APT1</a> used the <code>ipconfig /all</code> command to gather network configuration information.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0073"> G0073 </a> </td> <td> <a href="/groups/G0073"> APT19 </a> </td> <td> <p><a href="/groups/G0073">APT19</a> used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim’s machine.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018."data-reference="Unit 42 C0d0so0 Jan 2016">^{<a href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p>A keylogging tool used by <a href="/groups/G0022">APT3</a> gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye">^{<a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017."data-reference="evolution of pirpi">^{<a href="https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <p><a href="/groups/G0050">APT32</a> used the <code>ipconfig /all</code> command to gather the IP address from the system.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> collected MAC addresses from victim machines.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019">^{<a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021">^{<a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0456"> S0456 </a> </td> <td> <a href="/software/S0456"> Aria-body </a> </td> <td> <p><a href="/software/S0456">Aria-body</a> has the ability to identify the location, public IP address, and domain name on a compromised host.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020."data-reference="CheckPoint Naikon May 2020">^{<a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0099"> S0099 </a> </td> <td> <a href="/software/S0099"> Arp </a> </td> <td> <p><a href="/software/S0099">Arp</a> can be used to display ARP configuration information on the host.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Microsoft. (n.d.). Arp. Retrieved April 17, 2016."data-reference="TechNet Arp">^{<a href="https://technet.microsoft.com/en-us/library/bb490864.aspx" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0373"> S0373 </a> </td> <td> <a href="/software/S0373"> Astaroth </a> </td> <td> <p><a href="/software/S0373">Astaroth</a> collects the external IP address from the system. <span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024."data-reference="Cofense Astaroth Sept 2018">^{<a href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0640"> S0640 </a> </td> <td> <a href="/software/S0640"> Avaddon </a> </td> <td> <p><a href="/software/S0640">Avaddon</a> can collect the external IP address of the victim.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021."data-reference="Awake Security Avaddon">^{<a href="https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0473"> S0473 </a> </td> <td> <a href="/software/S0473"> Avenger </a> </td> <td> <p><a href="/software/S0473">Avenger</a> can identify the domain of the compromised host.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019">^{<a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0344"> S0344 </a> </td> <td> <a href="/software/S0344"> Azorult </a> </td> <td> <p><a href="/software/S0344">Azorult</a> can collect host IP information from the victim’s machine.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018."data-reference="Unit42 Azorult Nov 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0414"> S0414 </a> </td> <td> <a href="/software/S0414"> BabyShark </a> </td> <td> <p><a href="/software/S0414">BabyShark</a> has executed the <code>ipconfig /all</code> command.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019."data-reference="Unit42 BabyShark Feb 2019">^{<a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0093"> S0093 </a> </td> <td> <a href="/software/S0093"> Backdoor.Oldrea </a> </td> <td> <p><a href="/software/S0093">Backdoor.Oldrea</a> collects information about the Internet adapter configuration.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly">^{<a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021">^{<a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0245"> S0245 </a> </td> <td> <a href="/software/S0245"> BADCALL </a> </td> <td> <p><a href="/software/S0245">BADCALL</a> collects the network adapter information.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018."data-reference="US-CERT BADCALL">^{<a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0642"> S0642 </a> </td> <td> <a href="/software/S0642"> BADFLICK </a> </td> <td> <p><a href="/software/S0642">BADFLICK</a> has captured victim IP address details.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021."data-reference="Accenture MUDCARP March 2019">^{<a href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0234"> S0234 </a> </td> <td> <a href="/software/S0234"> Bandook </a> </td> <td> <p><a href="/software/S0234">Bandook</a> has a command to get the public IP address from a system.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021."data-reference="CheckPoint Bandook Nov 2020">^{<a href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0534"> S0534 </a> </td> <td> <a href="/software/S0534"> Bazar </a> </td> <td> <p><a href="/software/S0534">Bazar</a> can collect the IP address and NetBIOS name of an infected machine.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020">^{<a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0268"> S0268 </a> </td> <td> <a href="/software/S0268"> Bisonal </a> </td> <td> <p><a href="/software/S0268">Bisonal</a> can execute <code>ipconfig</code> on the victim’s machine.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018."data-reference="Unit 42 Bisonal July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021."data-reference="Kaspersky CactusPete Aug 2020">^{<a href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020">^{<a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0089"> S0089 </a> </td> <td> <a href="/software/S0089"> BlackEnergy </a> </td> <td> <p><a href="/software/S0089">BlackEnergy</a> has gathered information about network IP configurations using <a href="/software/S0100">ipconfig</a>.exe and about routing tables using <a href="/software/S0103">route</a>.exe.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016."data-reference="F-Secure BlackEnergy 2014">^{<a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016."data-reference="Securelist BlackEnergy Nov 2014">^{<a href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0520"> S0520 </a> </td> <td> <a href="/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/software/S0520">BLINDINGCAN</a> has collected the victim machine's local IP address information and MAC address.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020."data-reference="US-CERT BLINDINGCAN Aug 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0657"> S0657 </a> </td> <td> <a href="/software/S0657"> BLUELIGHT </a> </td> <td> <p><a href="/software/S0657">BLUELIGHT</a> can collect IP information from the victim’s machine.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021."data-reference="Volexity InkySquid BLUELIGHT August 2021">^{<a href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0486"> S0486 </a> </td> <td> <a href="/software/S0486"> Bonadan </a> </td> <td> <p><a href="/software/S0486">Bonadan</a> can find the external IP address of the infected host.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0651"> S0651 </a> </td> <td> <a href="/software/S0651"> BoxCaon </a> </td> <td> <p><a href="/software/S0651">BoxCaon</a> can collect the victim's MAC address by using the <code>GetAdaptersInfo</code> API.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021">^{<a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0252"> S0252 </a> </td> <td> <a href="/software/S0252"> Brave Prince </a> </td> <td> <p><a href="/software/S0252">Brave Prince</a> gathers network configuration information as well as the ARP cache.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018."data-reference="McAfee Gold Dragon">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0015">C0015</a>, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021">^{<a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/groups/G0096">APT41</a> used <code>cmd.exe /c ping %userdomain%</code> for discovery.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41">^{<a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <a href="/campaigns/C0018"> C0018 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0018">C0018</a>, the threat actors ran <code>nslookup</code> and Advanced IP Scanner on the target network.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023."data-reference="Costa AvosLocker May 2022">^{<a href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0274"> S0274 </a> </td> <td> <a href="/software/S0274"> Calisto </a> </td> <td> <p><a href="/software/S0274">Calisto</a> runs the <code>ifconfig</code> command to obtain the IP address from the victim’s machine.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018."data-reference="Securelist Calisto July 2018">^{<a href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0335"> S0335 </a> </td> <td> <a href="/software/S0335"> Carbon </a> </td> <td> <p><a href="/software/S0335">Carbon</a> can collect the IP address of the victims and other computers on the network using the commands: <code>ipconfig -all</code> <code>nbtstat -n</code>, and <code>nbtstat -s</code>.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018."data-reference="ESET Carbon Mar 2017">^{<a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018."data-reference="GovCERT Carbon May 2016">^{<a href="https://web.archive.org/web/20170718174931/https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0261"> S0261 </a> </td> <td> <a href="/software/S0261"> Catchamas </a> </td> <td> <p><a href="/software/S0261">Catchamas</a> gathers the Mac address, IP address, and the network adapter information from the victim’s machine.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018."data-reference="Symantec Catchamas April 2018">^{<a href="https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0572"> S0572 </a> </td> <td> <a href="/software/S0572"> Caterpillar WebShell </a> </td> <td> <p><a href="/software/S0572">Caterpillar WebShell</a> can gather the IP address from the victim's machine using the IP config command.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, January). "Lebanese Cedar" APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021."data-reference="ClearSky Lebanese Cedar Jan 2021">^{<a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0674"> S0674 </a> </td> <td> <a href="/software/S0674"> CharmPower </a> </td> <td> <p><a href="/software/S0674">CharmPower</a> has the ability to use <code>ipconfig</code> to enumerate system network settings.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022">^{<a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0114"> G0114 </a> </td> <td> <a href="/groups/G0114"> Chimera </a> </td> <td> <p><a href="/groups/G0114">Chimera</a> has used <a href="/software/S0100">ipconfig</a>, <a href="/software/S0097">Ping</a>, and <code>tracert</code> to enumerate the IP address and network environment and settings of the local host.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021">^{<a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0667"> S0667 </a> </td> <td> <a href="/software/S0667"> Chrommme </a> </td> <td> <p><a href="/software/S0667">Chrommme</a> can enumerate the IP address of a compromised host.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0660"> S0660 </a> </td> <td> <a href="/software/S0660"> Clambling </a> </td> <td> <p><a href="/software/S0660">Clambling</a> can enumerate the IP address of a compromised machine.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021."data-reference="Talent-Jump Clambling February 2020">^{<a href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0154"> S0154 </a> </td> <td> <a href="/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/software/S0154">Cobalt Strike</a> can determine the NetBios name and the IP addresses of targets machines including domain controllers.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span><span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020">^{<a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0244"> S0244 </a> </td> <td> <a href="/software/S0244"> Comnie </a> </td> <td> <p><a href="/software/S0244">Comnie</a> uses <code>ipconfig /all</code> and <code>route PRINT</code> to identify network adapter and interface information.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018."data-reference="Palo Alto Comnie">^{<a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0575"> S0575 </a> </td> <td> <a href="/software/S0575"> Conti </a> </td> <td> <p><a href="/software/S0575">Conti</a> can retrieve the ARP cache from the local system by using the <code>GetIpNetTable()</code> API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021."data-reference="CarbonBlack Conti July 2020">^{<a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0488"> S0488 </a> </td> <td> <a href="/software/S0488"> CrackMapExec </a> </td> <td> <p><a href="/software/S0488">CrackMapExec</a> can collect DNS information from the targeted system.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020."data-reference="CME Github September 2018">^{<a href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1024"> S1024 </a> </td> <td> <a href="/software/S1024"> CreepySnail </a> </td> <td> <p><a href="/software/S1024">CreepySnail</a> can use <code>getmac</code> and <code>Get-NetIPAddress</code> to enumerate network settings.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022."data-reference="Microsoft POLONIUM June 2022">^{<a href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <p><a href="/software/S0115">Crimson</a> contains a command to collect the victim MAC address and LAN IP.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016">^{<a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span><span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020">^{<a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0625"> S0625 </a> </td> <td> <a href="/software/S0625"> Cuba </a> </td> <td> <p><a href="/software/S0625">Cuba</a> can retrieve the ARP cache from the local system by using <code>GetIpNetTable</code>.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0687"> S0687 </a> </td> <td> <a href="/software/S0687"> Cyclops Blink </a> </td> <td> <p><a href="/software/S0687">Cyclops Blink</a> can use the Linux API <code>if_nameindex</code> to gather network interface names.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022."data-reference="NCSC Cyclops Blink February 2022">^{<a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022."data-reference="Trend Micro Cyclops Blink March 2022">^{<a href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0012"> G0012 </a> </td> <td> <a href="/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/groups/G0012">Darkhotel</a> has collected the IP address and network adapter information from the victim’s machine.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018."data-reference="Securelist Darkhotel Aug 2015">^{<a href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span><span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021."data-reference="Microsoft DUBNIUM July 2016">^{<a href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1052"> S1052 </a> </td> <td> <a href="/software/S1052"> DEADEYE </a> </td> <td> <p><a href="/software/S1052">DEADEYE</a> can discover the DNS domain name of a targeted system.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41">^{<a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0354"> S0354 </a> </td> <td> <a href="/software/S0354"> Denis </a> </td> <td> <p><a href="/software/S0354">Denis</a> uses <code>ipconfig</code> to gather the IP address from the system.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0659"> S0659 </a> </td> <td> <a href="/software/S0659"> Diavol </a> </td> <td> <p><a href="/software/S0659">Diavol</a> can enumerate victims' local and external IPs when registering with C2.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021."data-reference="Fortinet Diavol July 2021">^{<a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0472"> S0472 </a> </td> <td> <a href="/software/S0472"> down_new </a> </td> <td> <p><a href="/software/S0472">down_new</a> has the ability to identify the MAC address of a compromised host.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019">^{<a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0035"> G0035 </a> </td> <td> <a href="/groups/G0035"> Dragonfly </a> </td> <td> <p><a href="/groups/G0035">Dragonfly</a> has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A">^{<a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0567"> S0567 </a> </td> <td> <a href="/software/S0567"> Dtrack </a> </td> <td> <p><a href="/software/S0567">Dtrack</a> can collect the host's IP addresses using the <code>ipconfig</code> command.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021."data-reference="Securelist Dtrack">^{<a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021."data-reference="CyberBit Dtrack">^{<a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0038"> S0038 </a> </td> <td> <a href="/software/S0038"> Duqu </a> </td> <td> <p>The reconnaissance modules used with <a href="/software/S0038">Duqu</a> can collect information on network configuration.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015."data-reference="Symantec W32.Duqu">^{<a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1159"> S1159 </a> </td> <td> <a href="/software/S1159"> DUSTTRAP </a> </td> <td> <p><a href="/software/S1159">DUSTTRAP</a> can enumerate infected system network information.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0024"> S0024 </a> </td> <td> <a href="/software/S0024"> Dyre </a> </td> <td> <p><a href="/software/S0024">Dyre</a> has the ability to identify network settings on a compromised host.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."data-reference="Malwarebytes Dyreza November 2015">^{<a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1006"> G1006 </a> </td> <td> <a href="/groups/G1006"> Earth Lusca </a> </td> <td> <p><a href="/groups/G1006">Earth Lusca</a> used the command <code>ipconfig</code> to obtain information about network configurations.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022."data-reference="TrendMicro EarthLusca 2022">^{<a href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0605"> S0605 </a> </td> <td> <a href="/software/S0605"> EKANS </a> </td> <td> <p><a href="/software/S0605">EKANS</a> can determine the domain of a compromised host.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021."data-reference="IBM Ransomware Trends September 2020">^{<a href="https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0081"> S0081 </a> </td> <td> <a href="/software/S0081"> Elise </a> </td> <td> <p><a href="/software/S0081">Elise</a> executes <code>ipconfig /all</code> after initial communication is made to the remote server.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016."data-reference="Lotus Blossom Jun 2015">^{<a href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span><span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018."data-reference="Accenture Dragonfish Jan 2018">^{<a href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0082"> S0082 </a> </td> <td> <a href="/software/S0082"> Emissary </a> </td> <td> <p><a href="/software/S0082">Emissary</a> has the capability to execute the command <code>ipconfig /all</code>.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016."data-reference="Emissary Trojan Feb 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <p><a href="/software/S0363">Empire</a> can acquire network configuration information like DNS servers, public IP, and network proxies used by a host.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire">^{<a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span><span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019">^{<a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0091"> S0091 </a> </td> <td> <a href="/software/S0091"> Epic </a> </td> <td> <p><a href="/software/S0091">Epic</a> uses the <code>nbtstat -n</code> and <code>nbtstat -s</code> commands on the victim’s machine.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014."data-reference="Kaspersky Turla">^{<a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0569"> S0569 </a> </td> <td> <a href="/software/S0569"> Explosive </a> </td> <td> <p><a href="/software/S0569">Explosive</a> has collected the MAC address from the victim's machine.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021."data-reference="CheckPoint Volatile Cedar March 2015">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0181"> S0181 </a> </td> <td> <a href="/software/S0181"> FALLCHILL </a> </td> <td> <p><a href="/software/S0181">FALLCHILL</a> collects MAC address and local IP address information from the victim.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017."data-reference="US-CERT FALLCHILL Nov 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-318A" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0512"> S0512 </a> </td> <td> <a href="/software/S0512"> FatDuke </a> </td> <td> <p><a href="/software/S0512">FatDuke</a> can identify the MAC address on the target computer.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0171"> S0171 </a> </td> <td> <a href="/software/S0171"> Felismus </a> </td> <td> <p><a href="/software/S0171">Felismus</a> collects the victim LAN IP address and sends it to the C2 server.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017."data-reference="Forcepoint Felismus Mar 2017">^{<a href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0267"> S0267 </a> </td> <td> <a href="/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/software/S0267">FELIXROOT</a> collects information about the network including the IP address and DHCP server.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has used <code>nslookup</code> and <code>ipconfig</code> for network reconnaissance efforts. <a href="/groups/G1016">FIN13</a> has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve network information.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022">^{<a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022">^{<a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0696"> S0696 </a> </td> <td> <a href="/software/S0696"> Flagpro </a> </td> <td> <p><a href="/software/S0696">Flagpro</a> has been used to execute the <code>ipconfig /all</code> command on a victim system.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022."data-reference="NTT Security Flagpro new December 2021">^{<a href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0001"> C0001 </a> </td> <td> <a href="/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors used <a href="/software/S0363">Empire</a> to find the public IP address of a compromised system.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019">^{<a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1044"> S1044 </a> </td> <td> <a href="/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/software/S1044">FunnyDream</a> can parse the <code>ProxyServer</code> string in the Registry to discover http proxies.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0007"> C0007 </a> </td> <td> <a href="/campaigns/C0007"> FunnyDream </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0007">FunnyDream</a>, the threat actors used <a href="/software/S0100">ipconfig</a> for discovery on remote systems.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0093"> G0093 </a> </td> <td> <a href="/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/groups/G0093">GALLIUM</a> used <code>ipconfig /all</code> to obtain information about the victim network configuration. The group also ran a modified version of <a href="/software/S0590">NBTscan</a> to identify available NetBIOS name servers.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019">^{<a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0049"> S0049 </a> </td> <td> <a href="/software/S0049"> GeminiDuke </a> </td> <td> <p><a href="/software/S0049">GeminiDuke</a> collects information on network settings and Internet proxy settings from the victim.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes">^{<a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0588"> S0588 </a> </td> <td> <a href="/software/S0588"> GoldMax </a> </td> <td> <p><a href="/software/S0588">GoldMax</a> retrieved a list of the system's network interface after execution.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021">^{<a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1138"> S1138 </a> </td> <td> <a href="/software/S1138"> Gootloader </a> </td> <td> <p><a href="/software/S1138">Gootloader</a> can use an embedded script to check the IP address of potential victims visiting compromised websites.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024."data-reference="SentinelOne Gootloader June 2021">^{<a href="https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/software/S0531">Grandoreiro</a> can determine the IP and physical location of the compromised host via IPinfo.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020">^{<a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0237"> S0237 </a> </td> <td> <a href="/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/software/S0237">GravityRAT</a> collects the victim IP address, MAC address, as well as the victim account domain name.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018."data-reference="Talos GravityRAT">^{<a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0690"> S0690 </a> </td> <td> <a href="/software/S0690"> Green Lambert </a> </td> <td> <p><a href="/software/S0690">Green Lambert</a> can obtain proxy information from a victim's machine using system environment variables.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022."data-reference="Objective See Green Lambert for OSX Oct 2021">^{<a href="https://objective-see.com/blog/blog_0x68.html" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span><span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022."data-reference="Glitch-Cat Green Lambert ATTCK Oct 2021">^{<a href="https://www.glitch-cat.com/blog/green-lambert-and-attack" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0632"> S0632 </a> </td> <td> <a href="/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/software/S0632">GrimAgent</a> can enumerate the IP and domain of a target system.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024."data-reference="Group IB GrimAgent July 2021">^{<a href="https://www.group-ib.com/blog/grimagent/" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0125"> G0125 </a> </td> <td> <a href="/groups/G0125"> HAFNIUM </a> </td> <td> <p><a href="/groups/G0125">HAFNIUM</a> has collected IP information via IPInfo.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022."data-reference="Rapid7 HAFNIUM Mar 2021">^{<a href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1001"> G1001 </a> </td> <td> <a href="/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/groups/G1001">HEXANE</a> has used <a href="/software/S0097">Ping</a> and <code>tracert</code> for network discovery.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021">^{<a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0126"> G0126 </a> </td> <td> <a href="/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/groups/G0126">Higaisa</a> used <code>ipconfig</code> to gather network configuration information.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021."data-reference="Malwarebytes Higaisa 2020">^{<a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a>}</span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021."data-reference="Zscaler Higaisa 2020">^{<a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0431"> S0431 </a> </td> <td> <a href="/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/software/S0431">HotCroissant</a> has the ability to identify the IP address of the compromised machine.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."data-reference="US-CERT HOTCROISSANT February 2020">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045d" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0203"> S0203 </a> </td> <td> <a href="/software/S0203"> Hydraq </a> </td> <td> <p><a href="/software/S0203">Hydraq</a> creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018."data-reference="Symantec Trojan.Hydraq Jan 2010">^{<a href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a>}</span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018."data-reference="Symantec Hydraq Jan 2010">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1022"> S1022 </a> </td> <td> <a href="/software/S1022"> IceApple </a> </td> <td> <p>The <a href="/software/S1022">IceApple</a> <a href="/software/S0101">ifconfig</a> module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022."data-reference="CrowdStrike IceApple May 2022">^{<a href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0483"> S0483 </a> </td> <td> <a href="/software/S0483"> IcedID </a> </td> <td> <p><a href="/software/S0483">IcedID</a> used the <code>ipconfig /all</code> command and a batch script to gather network information.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024."data-reference="DFIR_Quantum_Ransomware">^{<a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0101"> S0101 </a> </td> <td> <a href="/software/S0101"> ifconfig </a> </td> <td> <p><a href="/software/S0101">ifconfig</a> can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP.</p> </td> </tr> <tr> <td> <a href="/software/S0278"> S0278 </a> </td> <td> <a href="/software/S0278"> iKitten </a> </td> <td> <p><a href="/software/S0278">iKitten</a> will look for the current IP address.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017">^{<a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0604"> S0604 </a> </td> <td> <a href="/software/S0604"> Industroyer </a> </td> <td> <p><a href="/software/S0604">Industroyer</a>’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020."data-reference="ESET Industroyer">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/software/S0260">InvisiMole</a> gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018."data-reference="ESET InvisiMole June 2018">^{<a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a>}</span><span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0100"> S0100 </a> </td> <td> <a href="/software/S0100"> ipconfig </a> </td> <td> <p><a href="/software/S0100">ipconfig</a> can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP.</p> </td> </tr> <tr> <td> <a href="/software/S0015"> S0015 </a> </td> <td> <a href="/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/software/S0015">Ixeshe</a> enumerates the IP address, network proxy settings, and domain name from a victim's system.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019."data-reference="Trend Micro IXESHE 2012">^{<a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0044"> S0044 </a> </td> <td> <a href="/software/S0044"> JHUHUGIT </a> </td> <td> <p>A <a href="/software/S0044">JHUHUGIT</a> variant gathers network interface card information.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017."data-reference="Unit 42 Playbook Dec 2017">^{<a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0201"> S0201 </a> </td> <td> <a href="/software/S0201"> JPIN </a> </td> <td> <p><a href="/software/S0201">JPIN</a> can obtain network information, including DNS, IP, and proxies.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018."data-reference="Microsoft PLATINUM April 2016">^{<a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0283"> S0283 </a> </td> <td> <a href="/software/S0283"> jRAT </a> </td> <td> <p><a href="/software/S0283">jRAT</a> can gather victim internal and external IPs.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019."data-reference="Kaspersky Adwind Feb 2016">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0265"> S0265 </a> </td> <td> <a href="/software/S0265"> Kazuar </a> </td> <td> <p><a href="/software/S0265">Kazuar</a> gathers information about network adapters.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018."data-reference="Unit 42 Kazuar May 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/groups/G0004">Ke3chang</a> has performed local network configuration discovery using <code>ipconfig</code>.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014."data-reference="Mandiant Operation Ke3chang November 2014">^{<a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a>}</span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong">^{<a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span><span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021">^{<a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0487"> S0487 </a> </td> <td> <a href="/software/S0487"> Kessel </a> </td> <td> <p><a href="/software/S0487">Kessel</a> has collected the DNS address of the infected host.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1020"> S1020 </a> </td> <td> <a href="/software/S1020"> Kevin </a> </td> <td> <p><a href="/software/S1020">Kevin</a> can collect the MAC address and other information from a victim machine using <code>ipconfig/all</code>.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021">^{<a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0387"> S0387 </a> </td> <td> <a href="/software/S0387"> KeyBoy </a> </td> <td> <p><a href="/software/S0387">KeyBoy</a> can determine the public or WAN IP address for the system.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019."data-reference="PWC KeyBoys Feb 2017">^{<a href="https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0271"> S0271 </a> </td> <td> <a href="/software/S0271"> KEYMARBLE </a> </td> <td> <p><a href="/software/S0271">KEYMARBLE</a> gathers the MAC address of the victim’s machine.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018."data-reference="US-CERT KEYMARBLE Aug 2018">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has used <code>ipconfig/all</code> and web beacons sent via email to gather network configuration information.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021">^{<a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a>}</span><span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024."data-reference="Proofpoint TA427 April 2024">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0250"> S0250 </a> </td> <td> <a href="/software/S0250"> Koadic </a> </td> <td> <p><a href="/software/S0250">Koadic</a> can retrieve the contents of the IP routing table as well as information about the Windows domain.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024."data-reference="Github Koadic">^{<a href="https://github.com/offsecginger/koadic" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a>}</span><span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021">^{<a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0641"> S0641 </a> </td> <td> <a href="/software/S0641"> Kobalos </a> </td> <td> <p><a href="/software/S0641">Kobalos</a> can record the IP address of the target machine.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021."data-reference="ESET Kobalos Jan 2021">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p><a href="/software/S0356">KONNI</a> can collect the IP address from the victim’s machine.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."data-reference="Talos Konni May 2017">^{<a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1075"> S1075 </a> </td> <td> <a href="/software/S1075"> KOPILUWAK </a> </td> <td> <p><a href="/software/S1075">KOPILUWAK</a> can use <a href="/software/S0099">Arp</a> to discover a target's network configuration setttings.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023">^{<a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0035"> C0035 </a> </td> <td> <a href="/campaigns/C0035"> KV Botnet Activity </a> </td> <td> <p><a href="https://attack.mitre.org/campaigns/C0035">KV Botnet Activity</a> gathers victim IP information during initial installation stages.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024."data-reference="Lumen KVBotnet 2023">^{<a href="https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0236"> S0236 </a> </td> <td> <a href="/software/S0236"> Kwampirs </a> </td> <td> <p><a href="/software/S0236">Kwampirs</a> collects network adapter and interface information by using the commands <code>ipconfig /all</code>, <code>arp -a</code> and <code>route print</code>. It also collects the system's MAC address with <code>getmac</code> and domain configuration with <code>net config workstation</code>.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018."data-reference="Symantec Orangeworm April 2018">^{<a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1160"> S1160 </a> </td> <td> <a href="/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/software/S1160">Latrodectus</a> can discover the IP and MAC address of a targeted host.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024">^{<a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a>}</span><span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024."data-reference="Bitsight Latrodectus June 2024">^{<a href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> malware IndiaIndia obtains and sends to its C2 server information about the first network interface card’s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster">^{<a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a>}</span><span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016."data-reference="Novetta Blockbuster Loaders">^{<a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0395"> S0395 </a> </td> <td> <a href="/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/software/S0395">LightNeuron</a> gathers information about network adapters using the Win32 API call <code>GetAdaptersInfo</code>.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019."data-reference="ESET LightNeuron May 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0513"> S0513 </a> </td> <td> <a href="/software/S0513"> LiteDuke </a> </td> <td> <p><a href="/software/S0513">LiteDuke</a> has the ability to discover the proxy configuration of Firefox and/or Opera.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0681"> S0681 </a> </td> <td> <a href="/software/S0681"> Lizar </a> </td> <td> <p><a href="/software/S0681">Lizar</a> can retrieve network information from a compromised host.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022."data-reference="BiZone Lizar May 2021">^{<a href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0447"> S0447 </a> </td> <td> <a href="/software/S0447"> Lokibot </a> </td> <td> <p><a href="/software/S0447">Lokibot</a> has the ability to discover the domain name of the infected host.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."data-reference="FSecure Lokibot November 2019">^{<a href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0451"> S0451 </a> </td> <td> <a href="/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/software/S0451">LoudMiner</a> used a script to gather the IP address of the infected machine before sending to the C2.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."data-reference="ESET LoudMiner June 2019">^{<a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0532"> S0532 </a> </td> <td> <a href="/software/S0532"> Lucifer </a> </td> <td> <p><a href="/software/S0532">Lucifer</a> can collect the IP address of a compromised host.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020">^{<a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1143"> S1143 </a> </td> <td> <a href="/software/S1143"> LunarLoader </a> </td> <td> <p><a href="/software/S1143">LunarLoader</a> can verify the targeted host's DNS name which is then used in the creation of a decyrption key.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024">^{<a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1141"> S1141 </a> </td> <td> <a href="/software/S1141"> LunarWeb </a> </td> <td> <p><a href="/software/S1141">LunarWeb</a> can use shell commands to discover network adapters and configuration.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024">^{<a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> collects the MAC address of the target computer and other network configuration information.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a>}</span><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020."data-reference="360 Machete Sep 2020">^{<a href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1016"> S1016 </a> </td> <td> <a href="/software/S1016"> MacMa </a> </td> <td> <p><a href="/software/S1016">MacMa</a> can collect IP addresses from a compromised host.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022."data-reference="ESET DazzleSpy Jan 2022">^{<a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1060"> S1060 </a> </td> <td> <a href="/software/S1060"> Mafalda </a> </td> <td> <p><a href="/software/S1060">Mafalda</a> can use the <code>GetAdaptersInfo</code> function to retrieve information about network adapters and the <code>GetIpNetTable</code> function to retrieve the IPv4 to physical network address mapping table.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022">^{<a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware gathers the victim's local IP address, MAC address, and external IP address.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a>}</span><span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022">^{<a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a>}</span><span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021">^{<a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1156"> S1156 </a> </td> <td> <a href="/software/S1156"> Manjusaka </a> </td> <td> <p><a href="/software/S1156">Manjusaka</a> gathers information about current network connections, local and remote addresses associated with them, and associated processes.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024."data-reference="Talos Manjusaka 2022">^{<a href="https://blog.talosintelligence.com/manjusaka-offensive-framework/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0045"> G0045 </a> </td> <td> <a href="/groups/G0045"> menuPass </a> </td> <td> <p><a href="/groups/G0045">menuPass</a> has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017">^{<a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1015"> S1015 </a> </td> <td> <a href="/software/S1015"> Milan </a> </td> <td> <p><a href="/software/S1015">Milan</a> can run <code>C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2&gt;&amp;1</code> to discover network settings.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021">^{<a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0084"> S0084 </a> </td> <td> <a href="/software/S0084"> Mis-Type </a> </td> <td> <p><a href="/software/S0084">Mis-Type</a> may create a file containing the results of the command <code>cmd.exe /c ipconfig /all</code>.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1036"> G1036 </a> </td> <td> <a href="/groups/G1036"> Moonstone Sleet </a> </td> <td> <p><a href="/groups/G1036">Moonstone Sleet</a> has gathered information on victim network configuration.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024."data-reference="Microsoft Moonstone Sleet 2024">^{<a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0149"> S0149 </a> </td> <td> <a href="/software/S0149"> MoonWind </a> </td> <td> <p><a href="/software/S0149">MoonWind</a> obtains the victim IP address.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017."data-reference="Palo Alto MoonWind March 2017">^{<a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0284"> S0284 </a> </td> <td> <a href="/software/S0284"> More_eggs </a> </td> <td> <p><a href="/software/S0284">More_eggs</a> has the capability to gather the IP address from the victim's machine.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018."data-reference="Talos Cobalt Group July 2018">^{<a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1009"> G1009 </a> </td> <td> <a href="/groups/G1009"> Moses Staff </a> </td> <td> <p><a href="/groups/G1009">Moses Staff</a> has collected the domain name of a compromised network.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021">^{<a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0256"> S0256 </a> </td> <td> <a href="/software/S0256"> Mosquito </a> </td> <td> <p><a href="/software/S0256">Mosquito</a> uses the <code>ipconfig</code> command.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018."data-reference="ESET Turla Mosquito Jan 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0069"> G0069 </a> </td> <td> <a href="/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/groups/G0069">MuddyWater</a> has used malware to collect the victim’s IP address and domain name.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018."data-reference="Securelist MuddyWater Oct 2018">^{<a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0129"> G0129 </a> </td> <td> <a href="/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/groups/G0129">Mustang Panda</a> has used <code>ipconfig</code> and <code>arp</code> to determine network configuration information.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021."data-reference="Avira Mustang Panda January 2020">^{<a href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0205"> S0205 </a> </td> <td> <a href="/software/S0205"> Naid </a> </td> <td> <p><a href="/software/S0205">Naid</a> collects the domain name from a compromised host.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018."data-reference="Symantec Naid June 2012">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0019"> G0019 </a> </td> <td> <a href="/groups/G0019"> Naikon </a> </td> <td> <p><a href="/groups/G0019">Naikon</a> uses commands such as <code>netsh interface show</code> to discover network interface settings.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0228"> S0228 </a> </td> <td> <a href="/software/S0228"> NanHaiShu </a> </td> <td> <p><a href="/software/S0228">NanHaiShu</a> can gather information about the victim proxy server.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0336"> S0336 </a> </td> <td> <a href="/software/S0336"> NanoCore </a> </td> <td> <p><a href="/software/S0336">NanoCore</a> gathers the IP address from the victim’s machine.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018."data-reference="DigiTrust NanoCore Jan 2017">^{<a href="https://www.digitrustgroup.com/nanocore-not-your-average-rat/" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0590"> S0590 </a> </td> <td> <a href="/software/S0590"> NBTscan </a> </td> <td> <p><a href="/software/S0590">NBTscan</a> can be used to collect MAC addresses.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021."data-reference="Debian nbtscan Nov 2019">^{<a href="https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a>}</span><span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021."data-reference="SecTools nbtscan June 2003">^{<a href="https://sectools.org/tool/nbtscan/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0102"> S0102 </a> </td> <td> <a href="/software/S0102"> nbtstat </a> </td> <td> <p><a href="/software/S0102">nbtstat</a> can be used to discover local NetBIOS domain names.</p> </td> </tr> <tr> <td> <a href="/software/S0691"> S0691 </a> </td> <td> <a href="/software/S0691"> Neoichor </a> </td> <td> <p><a href="/software/S0691">Neoichor</a> can gather the IP address from an infected host.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021">^{<a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> can collect the IP address of a compromised host.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020">^{<a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a>}</span><span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021."data-reference="Proofpoint NETWIRE December 2020">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1106"> S1106 </a> </td> <td> <a href="/software/S1106"> NGLite </a> </td> <td> <p><a href="/software/S1106">NGLite</a> identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024."data-reference="NGLite Trojan">^{<a href="https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1147"> S1147 </a> </td> <td> <a href="/software/S1147"> Nightdoor </a> </td> <td> <p><a href="/software/S1147">Nightdoor</a> gathers information on victim system network configuration such as MAC addresses.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024."data-reference="ESET EvasivePanda 2024">^{<a href="https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1100"> S1100 </a> </td> <td> <a href="/software/S1100"> Ninja </a> </td> <td> <p><a href="/software/S1100">Ninja</a> can enumerate the IP address on compromised systems.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022">^{<a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0359"> S0359 </a> </td> <td> <a href="/software/S0359"> Nltest </a> </td> <td> <p><a href="/software/S0359">Nltest</a> may be used to enumerate the parent domain of a local machine using <code>/parentdomain</code>.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019."data-reference="Nltest Manual">^{<a href="https://ss64.com/nt/nltest.html" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0353"> S0353 </a> </td> <td> <a href="/software/S0353"> NOKKI </a> </td> <td> <p><a href="/software/S0353">NOKKI</a> can gather information on the victim IP address.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018."data-reference="Unit 42 NOKKI Sept 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0346"> S0346 </a> </td> <td> <a href="/software/S0346"> OceanSalt </a> </td> <td> <p><a href="/software/S0346">OceanSalt</a> can collect the victim’s IP address.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018."data-reference="McAfee Oceansalt Oct 2018">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0340"> S0340 </a> </td> <td> <a href="/software/S0340"> Octopus </a> </td> <td> <p><a href="/software/S0340">Octopus</a> can collect the host IP address from the victim’s machine.<span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018."data-reference="Securelist Octopus Oct 2018">^{<a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0049"> G0049 </a> </td> <td> <a href="/groups/G0049"> OilRig </a> </td> <td> <p><a href="/groups/G0049">OilRig</a> has run <code>ipconfig /all</code> on a victim.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017."data-reference="Palo Alto OilRig May 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a>}</span><span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017."data-reference="Palo Alto OilRig Oct 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0439"> S0439 </a> </td> <td> <a href="/software/S0439"> Okrum </a> </td> <td> <p><a href="/software/S0439">Okrum</a> can collect network information, including the host IP address, DNS, and proxy information.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."data-reference="ESET Okrum July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0365"> S0365 </a> </td> <td> <a href="/software/S0365"> Olympic Destroyer </a> </td> <td> <p><a href="/software/S0365">Olympic Destroyer</a> uses API calls to enumerate the infected system's ARP table.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018">^{<a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0012"> C0012 </a> </td> <td> <a href="/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors used <code>ipconfig</code>, <code>nbtstat</code>, <code>tracert</code>, <code>route print</code>, and <code>cat /etc/hosts</code> commands.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022">^{<a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors discovered the local network configuration with <code>ipconfig</code>.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019">^{<a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0229"> S0229 </a> </td> <td> <a href="/software/S0229"> Orz </a> </td> <td> <p><a href="/software/S0229">Orz</a> can gather victim proxy information.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0165"> S0165 </a> </td> <td> <a href="/software/S0165"> OSInfo </a> </td> <td> <p><a href="/software/S0165">OSInfo</a> discovers the current domain information.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye">^{<a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0352"> S0352 </a> </td> <td> <a href="/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> <p><a href="/software/S0352">OSX_OCEANLOTUS.D</a> can collect the network interface MAC address on the infected host.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018."data-reference="TrendMicro MacOS April 2018">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a>}</span><span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020."data-reference="Trend Micro MacOS Backdoor November 2020">^{<a href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0556"> S0556 </a> </td> <td> <a href="/software/S0556"> Pay2Key </a> </td> <td> <p><a href="/software/S0556">Pay2Key</a> can identify the IP and MAC addresses of the compromised host.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021."data-reference="Check Point Pay2Key November 2020">^{<a href="https://research.checkpoint.com/2020/ransomware-alert-pay2key/" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1050"> S1050 </a> </td> <td> <a href="/software/S1050"> PcShare </a> </td> <td> <p><a href="/software/S1050">PcShare</a> can obtain the proxy settings of a compromised machine using <code>InternetQueryOptionA</code> and its IP address by running <code>nslookup myip.opendns.comresolver1.opendns.com\r\n</code>.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0587"> S0587 </a> </td> <td> <a href="/software/S0587"> Penquin </a> </td> <td> <p><a href="/software/S0587">Penquin</a> can report the IP of the compromised host to attacker controlled infrastructure.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA "Penquin_x64". Retrieved March 11, 2021."data-reference="Leonardo Turla Penquin May 2020">^{<a href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1145"> S1145 </a> </td> <td> <a href="/software/S1145"> Pikabot </a> </td> <td> <p><a href="/software/S1145">Pikabot</a> gathers victim network information through commands such as <code>ipconfig</code> and <code>ipconfig /all</code>.<span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024."data-reference="Zscaler Pikabot 2023">^{<a href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1031"> S1031 </a> </td> <td> <a href="/software/S1031"> PingPull </a> </td> <td> <p><a href="/software/S1031">PingPull</a> can retrieve the IP address of a compromised host.<span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022."data-reference="Unit 42 PingPull Jun 2022">^{<a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0501"> S0501 </a> </td> <td> <a href="/software/S0501"> PipeMon </a> </td> <td> <p><a href="/software/S0501">PipeMon</a> can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Tartare, M. et al. (2020, May 21). No "Game over" for the Winnti Group. Retrieved August 24, 2020."data-reference="ESET PipeMon May 2020">^{<a href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0124"> S0124 </a> </td> <td> <a href="/software/S0124"> Pisloader </a> </td> <td> <p><a href="/software/S0124">Pisloader</a> has a command to collect the victim's IP address.<span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016."data-reference="Palo Alto DNS Requests">^{<a href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0254"> S0254 </a> </td> <td> <a href="/software/S0254"> PLAINTEE </a> </td> <td> <p><a href="/software/S0254">PLAINTEE</a> uses the <code>ipconfig /all</code> command to gather the victim’s IP address.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1040"> G1040 </a> </td> <td> <a href="/groups/G1040"> Play </a> </td> <td> <p><a href="/groups/G1040">Play</a> has used the information-stealing tool Grixba to enumerate network information.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024."data-reference="CISA Play Ransomware Advisory December 2023">^{<a href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0378"> S0378 </a> </td> <td> <a href="/software/S0378"> PoshC2 </a> </td> <td> <p><a href="/software/S0378">PoshC2</a> can enumerate network adapter information.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019."data-reference="GitHub PoshC2">^{<a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0139"> S0139 </a> </td> <td> <a href="/software/S0139"> PowerDuke </a> </td> <td> <p><a href="/software/S0139">PowerDuke</a> has a command to get the victim's domain and NetBIOS name.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017."data-reference="Volexity PowerDuke November 2016">^{<a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0441"> S0441 </a> </td> <td> <a href="/software/S0441"> PowerShower </a> </td> <td> <p><a href="/software/S0441">PowerShower</a> has the ability to identify the current Windows domain of the infected host.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."data-reference="Kaspersky Cloud Atlas August 2019">^{<a href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0223"> S0223 </a> </td> <td> <a href="/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/software/S0223">POWERSTATS</a> can retrieve IP, network adapter configuration information, and domain from compromised hosts.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a>}</span><span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0184"> S0184 </a> </td> <td> <a href="/software/S0184"> POWRUNER </a> </td> <td> <p><a href="/software/S0184">POWRUNER</a> may collect network configuration data by running <code>ipconfig /all</code> on a victim.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0113"> S0113 </a> </td> <td> <a href="/software/S0113"> Prikormka </a> </td> <td> <p>A module in <a href="/software/S0113">Prikormka</a> collects information from the victim about its IP addresses and MAC addresses.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016."data-reference="ESET Operation Groundbait">^{<a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0238"> S0238 </a> </td> <td> <a href="/software/S0238"> Proxysvc </a> </td> <td> <p><a href="/software/S0238">Proxysvc</a> collects the network adapter information and domain/username information based on current remote sessions.<span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018."data-reference="McAfee GhostSecret">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <p><a href="/software/S0192">Pupy</a> has built in commands to identify a host’s IP address and find out other network configuration settings by viewing connected sessions.<span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). Retrieved January 29, 2018."data-reference="GitHub Pupy">^{<a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0583"> S0583 </a> </td> <td> <a href="/software/S0583"> Pysa </a> </td> <td> <p><a href="/software/S0583">Pysa</a> can perform network reconnaissance using the Advanced IP Scanner tool.<span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" title="CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021."data-reference="CERT-FR PYSA April 2020">^{<a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <p><a href="/software/S0650">QakBot</a> can use <code>net config workstation</code>, <code>arp -a</code>, <code>nslookup</code>, and <code>ipconfig /all</code> to gather network configuration information.<span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" title="CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021."data-reference="Crowdstrike Qakbot October 2020">^{<a href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a>}</span><span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021">^{<a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a>}</span><span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020">^{<a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a>}</span><span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" title="Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023."data-reference="Trend Micro Black Basta October 2022">^{<a href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a>}</span><span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" title="Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023."data-reference="Microsoft Ransomware as a Service">^{<a href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0269"> S0269 </a> </td> <td> <a href="/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/software/S0269">QUADAGENT</a> gathers the current domain the victim system belongs to.<span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018."data-reference="Unit 42 QUADAGENT July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/software/S0262">QuasarRAT</a> has the ability to enumerate the Wide Area Network (WAN) IP through requests to ip-api[.]com, freegeoip[.]net, or api[.]ipify[.]org observed with user-agent string <code>Mozilla/5.0 (Windows NT 6.3; rv:48.0) Gecko/20100101 Firefox/48.0</code>.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" title="CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022."data-reference="CISA AR18-352A Quasar RAT December 2018">^{<a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1076"> S1076 </a> </td> <td> <a href="/software/S1076"> QUIETCANARY </a> </td> <td> <p><a href="/software/S1076">QUIETCANARY</a> can identify the default proxy setting on a compromised host.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023">^{<a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0458"> S0458 </a> </td> <td> <a href="/software/S0458"> Ramsay </a> </td> <td> <p><a href="/software/S0458">Ramsay</a> can use <a href="/software/S0100">ipconfig</a> and <a href="/software/S0099">Arp</a> to collect network configuration information, including routing information and ARP tables.<span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" title="Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021."data-reference="Antiy CERT Ramsay April 2020">^{<a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0241"> S0241 </a> </td> <td> <a href="/software/S0241"> RATANKBA </a> </td> <td> <p><a href="/software/S0241">RATANKBA</a> gathers the victim’s IP address via the <code>ipconfig -all</code> command.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" title="Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018."data-reference="Lazarus RATANKBA">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a>}</span><span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" title="Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018."data-reference="RATANKBA">^{<a href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0172"> S0172 </a> </td> <td> <a href="/software/S0172"> Reaver </a> </td> <td> <p><a href="/software/S0172">Reaver</a> collects the victim's IP address.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017."data-reference="Palo Alto Reaver Nov 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0153"> S0153 </a> </td> <td> <a href="/software/S0153"> RedLeaves </a> </td> <td> <p><a href="/software/S0153">RedLeaves</a> can obtain information about network parameters.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017">^{<a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0125"> S0125 </a> </td> <td> <a href="/software/S0125"> Remsec </a> </td> <td> <p><a href="/software/S0125">Remsec</a> can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.<span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016."data-reference="Kaspersky ProjectSauron Technical Analysis">^{<a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0379"> S0379 </a> </td> <td> <a href="/software/S0379"> Revenge RAT </a> </td> <td> <p><a href="/software/S0379">Revenge RAT</a> collects the IP address and MAC address from the system.<span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" title="Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019."data-reference="Cylance Shaheen Nov 2018">^{<a href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0433"> S0433 </a> </td> <td> <a href="/software/S0433"> Rifdoor </a> </td> <td> <p><a href="/software/S0433">Rifdoor</a> has the ability to identify the IP address of the compromised host.<span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."data-reference="Carbon Black HotCroissant April 2020">^{<a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0448"> S0448 </a> </td> <td> <a href="/software/S0448"> Rising Sun </a> </td> <td> <p><a href="/software/S0448">Rising Sun</a> can detect network adapter and IP address information.<span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."data-reference="McAfee Sharpshooter December 2018">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0270"> S0270 </a> </td> <td> <a href="/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/software/S0270">RogueRobin</a> gathers the IP address and domain from the victim’s machine.<span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018."data-reference="Unit 42 DarkHydrus July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0103"> S0103 </a> </td> <td> <a href="/software/S0103"> route </a> </td> <td> <p><a href="/software/S0103">route</a> can be used to discover routing configuration information.</p> </td> </tr> <tr> <td> <a href="/software/S1073"> S1073 </a> </td> <td> <a href="/software/S1073"> Royal </a> </td> <td> <p><a href="/software/S1073">Royal</a> can enumerate IP addresses using <code>GetIpAddrTable</code>.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" title="Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023."data-reference="Cybereason Royal December 2022">^{<a href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0446"> S0446 </a> </td> <td> <a href="/software/S0446"> Ryuk </a> </td> <td> <p><a href="/software/S0446">Ryuk</a> has called <code>GetIpNetTable</code> in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.<span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" title="Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."data-reference="CrowdStrike Ryuk January 2019">^{<a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a>}</span><span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" title="Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021."data-reference="Bleeping Computer - Ryuk WoL">^{<a href="https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0085"> S0085 </a> </td> <td> <a href="/software/S0085"> S-Type </a> </td> <td> <p><a href="/software/S0085">S-Type</a> has used <code>ipconfig /all</code> on a compromised host.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1018"> S1018 </a> </td> <td> <a href="/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/software/S1018">Saint Bot</a> can collect the IP address of a victim machine.<span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021">^{<a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1085"> S1085 </a> </td> <td> <a href="/software/S1085"> Sardonic </a> </td> <td> <p><a href="/software/S1085">Sardonic</a> has the ability to execute the <code>ipconfig</code> command.<span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" title="Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023."data-reference="Bitdefender Sardonic Aug 2021">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0461"> S0461 </a> </td> <td> <a href="/software/S0461"> SDBbot </a> </td> <td> <p><a href="/software/S0461">SDBbot</a> has the ability to determine the domain name and whether a proxy is configured on a compromised host.<span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0596"> S0596 </a> </td> <td> <a href="/software/S0596"> ShadowPad </a> </td> <td> <p><a href="/software/S0596">ShadowPad</a> has collected the domain name of the victim system.<span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" title="Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021."data-reference="Kaspersky ShadowPad Aug 2017">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0140"> S0140 </a> </td> <td> <a href="/software/S0140"> Shamoon </a> </td> <td> <p><a href="/software/S0140">Shamoon</a> obtains the target's IP address and local network segment.<span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" title="Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017."data-reference="Palo Alto Shamoon Nov 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a>}</span><span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" title="Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020."data-reference="McAfee Shamoon December 2018">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0450"> S0450 </a> </td> <td> <a href="/software/S0450"> SHARPSTATS </a> </td> <td> <p><a href="/software/S0450">SHARPSTATS</a> has the ability to identify the domain of the compromised host.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0445"> S0445 </a> </td> <td> <a href="/software/S0445"> ShimRatReporter </a> </td> <td> <p><a href="/software/S0445">ShimRatReporter</a> gathered the local proxy, domain, IP, routing tables, mac address, gateway, DNS servers, and DHCP status information from an infected host.<span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang">^{<a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0589"> S0589 </a> </td> <td> <a href="/software/S0589"> Sibot </a> </td> <td> <p><a href="/software/S0589">Sibot</a> checked if the compromised system is configured to use proxies.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021">^{<a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1008"> G1008 </a> </td> <td> <a href="/groups/G1008"> SideCopy </a> </td> <td> <p><a href="/groups/G1008">SideCopy</a> has identified the IP address of a compromised host.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021">^{<a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0610"> S0610 </a> </td> <td> <a href="/software/S0610"> SideTwist </a> </td> <td> <p><a href="/software/S0610">SideTwist</a> has the ability to collect the domain name on a compromised host.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" title="Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021."data-reference="Check Point APT34 April 2021">^{<a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0121"> G0121 </a> </td> <td> <a href="/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/groups/G0121">Sidewinder</a> has used malware to collect information on network interfaces, including the MAC address.<span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" title="Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021."data-reference="ATT Sidewinder January 2021">^{<a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0633"> S0633 </a> </td> <td> <a href="/software/S0633"> Sliver </a> </td> <td> <p><a href="/software/S0633">Sliver</a> has the ability to gather network configuration information.<span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" title="BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021."data-reference="GitHub Sliver Ifconfig">^{<a href="https://github.com/BishopFox/sliver/blob/ea329226636ab8e470086a17f13aa8d330baad22/client/command/network/ifconfig.go" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1035"> S1035 </a> </td> <td> <a href="/software/S1035"> Small Sieve </a> </td> <td> <p><a href="/software/S1035">Small Sieve</a> can obtain the IP address of a victim host.<span onclick=scrollToRef('scite-233') id="scite-ref-233-a" class="scite-citeref-number" title="NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022."data-reference="NCSC GCHQ Small Sieve Jan 2022">^{<a href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank" data-hasqtip="232" aria-describedby="qtip-232">[233]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1124"> S1124 </a> </td> <td> <a href="/software/S1124"> SocGholish </a> </td> <td> <p><a href="/software/S1124">SocGholish</a> has the ability to enumerate the domain name of a victim, as well as if the host is a member of an Active Directory domain.<span onclick=scrollToRef('scite-234') id="scite-ref-234-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="233" aria-describedby="qtip-233">[234]</a>}</span><span onclick=scrollToRef('scite-235') id="scite-ref-235-a" class="scite-citeref-number" title="Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024."data-reference="Red Canary SocGholish March 2024">^{<a href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank" data-hasqtip="234" aria-describedby="qtip-234">[235]</a>}</span><span onclick=scrollToRef('scite-236') id="scite-ref-236-a" class="scite-citeref-number" title="Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024."data-reference="Secureworks Gold Prelude Profile">^{<a href="https://www.secureworks.com/research/threat-profiles/gold-prelude" target="_blank" data-hasqtip="235" aria-describedby="qtip-235">[236]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0516"> S0516 </a> </td> <td> <a href="/software/S0516"> SoreFang </a> </td> <td> <p><a href="/software/S0516">SoreFang</a> can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via <code>ipconfig.exe /all</code>.<span onclick=scrollToRef('scite-237') id="scite-ref-237-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="236" aria-describedby="qtip-236">[237]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0374"> S0374 </a> </td> <td> <a href="/software/S0374"> SpeakUp </a> </td> <td> <p><a href="/software/S0374">SpeakUp</a> uses the <code>ifconfig -a</code> command. <span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" title="Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019."data-reference="CheckPoint SpeakUp Feb 2019">^{<a href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0646"> S0646 </a> </td> <td> <a href="/software/S0646"> SpicyOmelette </a> </td> <td> <p><a href="/software/S0646">SpicyOmelette</a> can identify the IP of a compromised system.<span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" title="CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021."data-reference="Secureworks GOLD KINGSWOOD September 2018">^{<a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1030"> S1030 </a> </td> <td> <a href="/software/S1030"> Squirrelwaffle </a> </td> <td> <p><a href="/software/S1030">Squirrelwaffle</a> has collected the victim’s external IP address.<span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" title="Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022."data-reference="ZScaler Squirrelwaffle Sep 2021">^{<a href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1037"> S1037 </a> </td> <td> <a href="/software/S1037"> STARWHALE </a> </td> <td> <p><a href="/software/S1037">STARWHALE</a> has the ability to collect the IP address of an infected host.<span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" title="FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022."data-reference="DHS CISA AA22-055A MuddyWater February 2022">^{<a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0038"> G0038 </a> </td> <td> <a href="/groups/G0038"> Stealth Falcon </a> </td> <td> <p><a href="/groups/G0038">Stealth Falcon</a> malware gathers the Address Resolution Protocol (ARP) table from the victim.<span onclick=scrollToRef('scite-242') id="scite-ref-242-a" class="scite-citeref-number" title="Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016."data-reference="Citizen Lab Stealth Falcon May 2016">^{<a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="241" aria-describedby="qtip-241">[242]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0491"> S0491 </a> </td> <td> <a href="/software/S0491"> StrongPity </a> </td> <td> <p><a href="/software/S0491">StrongPity</a> can identify the IP address of a compromised host.<span onclick=scrollToRef('scite-243') id="scite-ref-243-a" class="scite-citeref-number" title="Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."data-reference="Talos Promethium June 2020">^{<a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="242" aria-describedby="qtip-242">[243]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0603"> S0603 </a> </td> <td> <a href="/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/software/S0603">Stuxnet</a> collects the IP address of a compromised system.<span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" title="Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 "data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011">^{<a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0559"> S0559 </a> </td> <td> <a href="/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/software/S0559">SUNBURST</a> collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.<span onclick=scrollToRef('scite-245') id="scite-ref-245-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="244" aria-describedby="qtip-244">[245]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0018"> S0018 </a> </td> <td> <a href="/software/S0018"> Sykipot </a> </td> <td> <p><a href="/software/S0018">Sykipot</a> may use <code>ipconfig /all</code> to gather system network configuration details.<span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" title="Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016."data-reference="AlienVault Sykipot 2011">^{<a href="https://www.alienvault.com/open-threat-exchange/blog/another-sykipot-sample-likely-targeting-us-federal-agencies" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0060"> S0060 </a> </td> <td> <a href="/software/S0060"> Sys10 </a> </td> <td> <p><a href="/software/S0060">Sys10</a> collects the local IP address of the victim and sends it to the C2.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0663"> S0663 </a> </td> <td> <a href="/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/software/S0663">SysUpdate</a> can collected the IP address and domain name of a compromised host.<span onclick=scrollToRef('scite-247') id="scite-ref-247-a" class="scite-citeref-number" title="Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023."data-reference="Lunghi Iron Tiger Linux">^{<a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="246" aria-describedby="qtip-246">[247]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0098"> S0098 </a> </td> <td> <a href="/software/S0098"> T9000 </a> </td> <td> <p><a href="/software/S0098">T9000</a> gathers and beacons the MAC and IP addresses during installation.<span onclick=scrollToRef('scite-248') id="scite-ref-248-a" class="scite-citeref-number" title="Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016."data-reference="Palo Alto T9000 Feb 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" target="_blank" data-hasqtip="247" aria-describedby="qtip-247">[248]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0011"> S0011 </a> </td> <td> <a href="/software/S0011"> Taidoor </a> </td> <td> <p><a href="/software/S0011">Taidoor</a> has collected the MAC address of a compromised host; it can also use <code>GetAdaptersInfo</code> to identify network adapters.<span onclick=scrollToRef('scite-249') id="scite-ref-249-a" class="scite-citeref-number" title="Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014."data-reference="TrendMicro Taidoor">^{<a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank" data-hasqtip="248" aria-describedby="qtip-248">[249]</a>}</span><span onclick=scrollToRef('scite-250') id="scite-ref-250-a" class="scite-citeref-number" title="CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021."data-reference="CISA MAR-10292089-1.v2 TAIDOOR August 2021">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a" target="_blank" data-hasqtip="249" aria-describedby="qtip-249">[250]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0467"> S0467 </a> </td> <td> <a href="/software/S0467"> TajMahal </a> </td> <td> <p><a href="/software/S0467">TajMahal</a> has the ability to identify the MAC address on an infected host.<span onclick=scrollToRef('scite-251') id="scite-ref-251-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019."data-reference="Kaspersky TajMahal April 2019">^{<a href="https://securelist.com/project-tajmahal/90240/" target="_blank" data-hasqtip="250" aria-describedby="qtip-250">[251]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0139"> G0139 </a> </td> <td> <a href="/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has enumerated the host machine’s IP address.<span onclick=scrollToRef('scite-252') id="scite-ref-252-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="251" aria-describedby="qtip-251">[252]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0027"> G0027 </a> </td> <td> <a href="/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/groups/G0027">Threat Group-3390</a> actors use <a href="/software/S0590">NBTscan</a> to discover vulnerable systems.<span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018."data-reference="Dell TG-3390">^{<a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0678"> S0678 </a> </td> <td> <a href="/software/S0678"> Torisma </a> </td> <td> <p><a href="/software/S0678">Torisma</a> can collect the local MAC address using <code>GetAdaptersInfo</code> as well as the system's IP address.<span onclick=scrollToRef('scite-254') id="scite-ref-254-a" class="scite-citeref-number" title="Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021."data-reference="McAfee Lazarus Nov 2020">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" data-hasqtip="253" aria-describedby="qtip-253">[254]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0266"> S0266 </a> </td> <td> <a href="/software/S0266"> TrickBot </a> </td> <td> <p><a href="/software/S0266">TrickBot</a> obtains the IP address, location, and other relevant network information from the victim’s machine.<span onclick=scrollToRef('scite-255') id="scite-ref-255-a" class="scite-citeref-number" title="Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018."data-reference="S2 Grupo TrickBot June 2017">^{<a href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank" data-hasqtip="254" aria-describedby="qtip-254">[255]</a>}</span><span onclick=scrollToRef('scite-256') id="scite-ref-256-a" class="scite-citeref-number" title="Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018."data-reference="Trend Micro Trickbot Nov 2018">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/" target="_blank" data-hasqtip="255" aria-describedby="qtip-255">[256]</a>}</span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0094"> S0094 </a> </td> <td> <a href="/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/software/S0094">Trojan.Karagany</a> can gather information on the network configuration of a compromised host.<span onclick=scrollToRef('scite-257') id="scite-ref-257-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019">^{<a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="256" aria-describedby="qtip-256">[257]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0081"> G0081 </a> </td> <td> <a href="/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/groups/G0081">Tropic Trooper</a> has used scripts to collect the host's network topology.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020">^{<a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0436"> S0436 </a> </td> <td> <a href="/software/S0436"> TSCookie </a> </td> <td> <p><a href="/software/S0436">TSCookie</a> has the ability to identify the IP of the infected host.<span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" title="Tomonaga, S. (2018, March 6). Malware "TSCookie". Retrieved May 6, 2020."data-reference="JPCert TSCookie March 2018">^{<a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0647"> S0647 </a> </td> <td> <a href="/software/S0647"> Turian </a> </td> <td> <p><a href="/software/S0647">Turian</a> can retrieve the internal IP address of a compromised host.<span onclick=scrollToRef('scite-260') id="scite-ref-260-a" class="scite-citeref-number" title="Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021"data-reference="ESET BackdoorDiplomacy Jun 2021">^{<a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank" data-hasqtip="259" aria-describedby="qtip-259">[260]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p><a href="/groups/G0010">Turla</a> surveys a system upon check-in to discover network configuration details using the <code>arp -a</code>, <code>nbtstat -n</code>, <code>net config</code>, <code>ipconfig /all</code>, and <code>route</code> commands, as well as <a href="/software/S0590">NBTscan</a>.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014."data-reference="Kaspersky Turla">^{<a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span><span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019."data-reference="Symantec Waterbug Jun 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a>}</span><span onclick=scrollToRef('scite-262') id="scite-ref-262-a" class="scite-citeref-number" title="Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."data-reference="ESET ComRAT May 2020">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="261" aria-describedby="qtip-261">[262]</a>}</span> <a href="/groups/G0010">Turla</a> RPC backdoors have also retrieved registered RPC interface information from process memory.<span onclick=scrollToRef('scite-263') id="scite-ref-263-a" class="scite-citeref-number" title="Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."data-reference="ESET Turla PowerShell May 2019">^{<a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="262" aria-describedby="qtip-262">[263]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0130"> S0130 </a> </td> <td> <a href="/software/S0130"> Unknown Logger </a> </td> <td> <p><a href="/software/S0130">Unknown Logger</a> can obtain information about the victim's IP address.<span onclick=scrollToRef('scite-264') id="scite-ref-264-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon">^{<a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="263" aria-describedby="qtip-263">[264]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0275"> S0275 </a> </td> <td> <a href="/software/S0275"> UPPERCUT </a> </td> <td> <p><a href="/software/S0275">UPPERCUT</a> has the capability to gather the victim's proxy information.<span onclick=scrollToRef('scite-265') id="scite-ref-265-a" class="scite-citeref-number" title="Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018."data-reference="FireEye APT10 Sept 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="264" aria-describedby="qtip-264">[265]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0452"> S0452 </a> </td> <td> <a href="/software/S0452"> USBferry </a> </td> <td> <p><a href="/software/S0452">USBferry</a> can detect the infected machine's network topology using <code>ipconfig</code> and <code>arp</code>.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020">^{<a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0476"> S0476 </a> </td> <td> <a href="/software/S0476"> Valak </a> </td> <td> <p><a href="/software/S0476">Valak</a> has the ability to identify the domain and the MAC and IP addresses of an infected machine.<span onclick=scrollToRef('scite-266') id="scite-ref-266-a" class="scite-citeref-number" title="Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."data-reference="Cybereason Valak May 2020">^{<a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="265" aria-describedby="qtip-265">[266]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0257"> S0257 </a> </td> <td> <a href="/software/S0257"> VERMIN </a> </td> <td> <p><a href="/software/S0257">VERMIN</a> gathers the local IP address.<span onclick=scrollToRef('scite-267') id="scite-ref-267-a" class="scite-citeref-number" title="Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018."data-reference="Unit 42 VERMIN Jan 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="266" aria-describedby="qtip-266">[267]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0180"> S0180 </a> </td> <td> <a href="/software/S0180"> Volgmer </a> </td> <td> <p><a href="/software/S0180">Volgmer</a> can gather the IP address from the victim's machine.<span onclick=scrollToRef('scite-268') id="scite-ref-268-a" class="scite-citeref-number" title="Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018."data-reference="Symantec Volgmer Aug 2014">^{<a href="https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2" target="_blank" data-hasqtip="267" aria-describedby="qtip-267">[268]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/groups/G1017">Volt Typhoon</a> has executed multiple commands to enumerate network topology and settings including <code>ipconfig</code>, <code>netsh interface firewall show all</code>, and <code>netsh interface portproxy show all</code>.<span onclick=scrollToRef('scite-269') id="scite-ref-269-a" class="scite-citeref-number" title="NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023."data-reference="Joint Cybersecurity Advisory Volt Typhoon June 2023">^{<a href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank" data-hasqtip="268" aria-describedby="qtip-268">[269]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0366"> S0366 </a> </td> <td> <a href="/software/S0366"> WannaCry </a> </td> <td> <p><a href="/software/S0366">WannaCry</a> will attempt to determine the local network segment it is a part of.<span onclick=scrollToRef('scite-270') id="scite-ref-270-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019."data-reference="SecureWorks WannaCry Analysis">^{<a href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank" data-hasqtip="269" aria-describedby="qtip-269">[270]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0515"> S0515 </a> </td> <td> <a href="/software/S0515"> WellMail </a> </td> <td> <p><a href="/software/S0515">WellMail</a> can identify the IP address of the victim system.<span onclick=scrollToRef('scite-271') id="scite-ref-271-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020."data-reference="CISA WellMail July 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank" data-hasqtip="270" aria-describedby="qtip-270">[271]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0514"> S0514 </a> </td> <td> <a href="/software/S0514"> WellMess </a> </td> <td> <p><a href="/software/S0514">WellMess</a> can identify the IP address and user domain on the target machine.<span onclick=scrollToRef('scite-272') id="scite-ref-272-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."data-reference="PWC WellMess July 2020">^{<a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="271" aria-describedby="qtip-271">[272]</a>}</span><span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020."data-reference="CISA WellMess July 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0102"> G0102 </a> </td> <td> <a href="/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/groups/G0102">Wizard Spider</a> has used <a href="/software/S0100">ipconfig</a> to identify the network configuration of a victim machine. <a href="/groups/G0102">Wizard Spider</a> has also used the PowerShell cmdlet <code>Get-ADComputer</code> to collect IP address data from Active Directory.<span onclick=scrollToRef('scite-274') id="scite-ref-274-a" class="scite-citeref-number" title="Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020."data-reference="Sophos New Ryuk Attack October 2020">^{<a href="https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" target="_blank" data-hasqtip="273" aria-describedby="qtip-273">[274]</a>}</span><span onclick=scrollToRef('scite-275') id="scite-ref-275-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021">^{<a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="274" aria-describedby="qtip-274">[275]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1065"> S1065 </a> </td> <td> <a href="/software/S1065"> Woody RAT </a> </td> <td> <p><a href="/software/S1065">Woody RAT</a> can retrieve network interface and proxy information.<span onclick=scrollToRef('scite-276') id="scite-ref-276-a" class="scite-citeref-number" title="MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022."data-reference="MalwareBytes WoodyRAT Aug 2022">^{<a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank" data-hasqtip="275" aria-describedby="qtip-275">[276]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0341"> S0341 </a> </td> <td> <a href="/software/S0341"> Xbash </a> </td> <td> <p><a href="/software/S0341">Xbash</a> can collect IP addresses and local intranet information from a victim’s machine.<span onclick=scrollToRef('scite-277') id="scite-ref-277-a" class="scite-citeref-number" title="Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018."data-reference="Unit42 Xbash Sept 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank" data-hasqtip="276" aria-describedby="qtip-276">[277]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0653"> S0653 </a> </td> <td> <a href="/software/S0653"> xCaon </a> </td> <td> <p><a href="/software/S0653">xCaon</a> has used the GetAdaptersInfo() API call to get the victim's MAC address.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021">^{<a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0248"> S0248 </a> </td> <td> <a href="/software/S0248"> yty </a> </td> <td> <p><a href="/software/S0248">yty</a> runs <code>ipconfig /all</code> and collects the domain name.<span onclick=scrollToRef('scite-278') id="scite-ref-278-a" class="scite-citeref-number" title="Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018."data-reference="ASERT Donot March 2018">^{<a href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank" data-hasqtip="277" aria-describedby="qtip-277">[278]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0251"> S0251 </a> </td> <td> <a href="/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/software/S0251">Zebrocy</a> runs the <code>ipconfig /all</code> command.<span onclick=scrollToRef('scite-279') id="scite-ref-279-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019">^{<a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="278" aria-describedby="qtip-278">[279]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0230"> S0230 </a> </td> <td> <a href="/software/S0230"> ZeroT </a> </td> <td> <p><a href="/software/S0230">ZeroT</a> gathers the victim's IP address and domain information, and then sends it to its C2 server.<span onclick=scrollToRef('scite-280') id="scite-ref-280-a" class="scite-citeref-number" title="Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018."data-reference="Proofpoint ZeroT Feb 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank" data-hasqtip="279" aria-describedby="qtip-279">[280]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0128"> G0128 </a> </td> <td> <a href="/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/groups/G0128">ZIRCONIUM</a> has used a tool to enumerate proxy settings in the target environment.<span onclick=scrollToRef('scite-281') id="scite-ref-281-a" class="scite-citeref-number" title="Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021."data-reference="Zscaler APT31 Covid-19 October 2020">^{<a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="280" aria-describedby="qtip-280">[281]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0350"> S0350 </a> </td> <td> <a href="/software/S0350"> zwShell </a> </td> <td> <p><a href="/software/S0350">zwShell</a> can obtain the victim IP address.<span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon">^{<a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <p> This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. </p> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> <p>Monitor for API calls (such as <code>GetAdaptersInfo()</code> and <code>GetIpNetTable()</code>) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Creation"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses.</p><p>Note: The Analytic looks for the creation of <a href="/software/S0100">ipconfig</a>, <a href="/software/S0103">route</a>, and <a href="/software/S0102">nbtstat</a> processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning. </p><p>Analytic 1 - Suspicious Process</p><p><code>(sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (sourcetype="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")</code></p> </td> </tr> <tr class="datasource" id="uses-DS0012"> <td> <a href="/datasources/DS0012">DS0012</a> </td> <td class="nowrap"> <a href="/datasources/DS0012">Script</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0012/#Script%20Execution">Script Execution</a> </td> <td> <p>Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. </p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank"> US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.mandiant.com/resources/apt41-initiates-global-intrusion-campaign-using-multiple-exploits" target="_blank"> Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" target="_blank"> Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank"> McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank"> Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank"> FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.digitrustgroup.com/agent-tesla-keylogger/" target="_blank"> The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank"> Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html" target="_blank"> Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank"> Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank"> Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank"> Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf" target="_blank"> Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://technet.microsoft.com/en-us/library/bb490864.aspx" target="_blank"> Microsoft. (n.d.). Arp. Retrieved April 17, 2016. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/" target="_blank"> Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank"> Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank"> Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank"> Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" target="_blank"> US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank"> Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank"> Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank"> Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank"> F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank"> Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank"> Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank"> CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank"> DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank"> Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank"> Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank"> ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://web.archive.org/web/20170718174931/https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf" target="_blank"> GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99" target="_blank"> Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank"> Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank"> Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"> Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank"> byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank"> Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank"> Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.trendmicro.com/en_us/research/22/c/cyclops-blink-sets-sights-on-asus-routers--.html" target="_blank"> Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank"> Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank"> Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank"> Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank"> Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/" target="_blank"> Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank"> Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.accenture.com/t20180127T003755Z_w_/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank"> Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank"> Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.us-cert.gov/ncas/alerts/TA17-318A" target="_blank"> US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank"> Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank"> Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.sentinelone.com/labs/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/" target="_blank"> Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://objective-see.com/blog/blog_0x68.html" target="_blank"> Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www.glitch-cat.com/blog/green-lambert-and-attack" target="_blank"> Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.group-ib.com/blog/grimagent/" target="_blank"> Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank"> Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045d" target="_blank"> US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank"> Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank"> Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank"> CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" target="_blank"> DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://pan-unit42.github.io/playbook_viewer/" target="_blank"> Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank"> Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank"> Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" target="_blank"> Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank"> US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering" target="_blank"> Lesnewich, G. et al. (2024, April 16). From Social Engineering to DMARC Abuse: TA427’s Art of Information Gathering. Retrieved May 3, 2024. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://github.com/offsecginger/koadic" target="_blank"> Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" target="_blank"> M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" target="_blank"> Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank"> Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank"> Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank"> Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank"> BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank"> Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="142.0"> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank"> Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank"> kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank"> M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank"> Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://blog.talosintelligence.com/manjusaka-offensive-framework/" target="_blank"> Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank"> Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank"> Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99" target="_blank"> Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://www.digitrustgroup.com/nanocore-not-your-average-rat/" target="_blank"> The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html" target="_blank"> Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://sectools.org/tool/nbtscan/" target="_blank"> SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank"> Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://unit42.paloaltonetworks.com/manageengine-godzilla-nglite-kdcsponge/" target="_blank"> Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" target="_blank"> Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://securelist.com/toddycat/106799/" target="_blank"> Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://ss64.com/nt/nltest.html" target="_blank"> ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" target="_blank"> Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank"> Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank"> Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="https://research.checkpoint.com/2020/ransomware-alert-pay2key/" target="_blank"> Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" target="_blank"> Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank"> Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank"> Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-352a" target="_blank"> CISA. (2023, December 18). #StopRansomware: Play Ransomware AA23-352A. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank"> GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank"> Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank"> CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank"> CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank"> Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank"> Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank"> CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank"> Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank"> Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank"> Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank"> Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank"> Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/" target="_blank"> Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021. </a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank"> Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank"> Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/" target="_blank"> Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank"> Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. </a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="https://github.com/BishopFox/sliver/blob/ea329226636ab8e470086a17f13aa8d330baad22/client/command/network/ifconfig.go" target="_blank"> BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021. </a> </span> </span> </li> <li> <span id="scite-233" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-233" href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank"> NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-234" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-234" href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank"> Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-235" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-235" href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank"> Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024. </a> </span> </span> </li> <li> <span id="scite-236" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-236" href="https://www.secureworks.com/research/threat-profiles/gold-prelude" target="_blank"> Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024. </a> </span> </span> </li> <li> <span id="scite-237" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-237" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-238" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-238" href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank"> Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-239" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-239" href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank"> CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-240" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-240" href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank"> Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-241" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-241" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-242" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-242" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-243" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-243" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-244" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-244" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22 </a> </span> </span> </li> <li> <span id="scite-245" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-245" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-246" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-246" href="https://www.alienvault.com/open-threat-exchange/blog/another-sykipot-sample-likely-targeting-us-federal-agencies" target="_blank"> Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016. </a> </span> </span> </li> <li> <span id="scite-247" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-247" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-248" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-248" href="http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" target="_blank"> Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. </a> </span> </span> </li> <li> <span id="scite-249" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-249" href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank"> Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-250" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-250" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a" target="_blank"> CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-251" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-251" href="https://securelist.com/project-tajmahal/90240/" target="_blank"> GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-252" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-252" href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank"> Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-253" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-253" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-254" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-254" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank"> Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-255" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-255" href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank"> Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-256" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-256" href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module/" target="_blank"> Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018. </a> </span> </span> </li> <li> <span id="scite-257" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-257" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-258" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-258" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-259" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-259" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-260" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-260" href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank"> Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021 </a> </span> </span> </li> <li> <span id="scite-261" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-261" href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. </a> </span> </span> </li> <li> <span id="scite-262" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-262" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-263" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-263" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-264" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-264" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-265" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-265" href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"> Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. </a> </span> </span> </li> <li> <span id="scite-266" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-266" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-267" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-267" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-268" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-268" href="https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2" target="_blank"> Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-269" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-269" href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank"> NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-270" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-270" href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank"> Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-271" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-271" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank"> CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-272" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-272" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-273" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-273" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank"> CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-274" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-274" href="https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" target="_blank"> Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. </a> </span> </span> </li> <li> <span id="scite-275" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-275" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-276" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-276" href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank"> MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. </a> </span> </span> </li> <li> <span id="scite-277" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-277" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/" target="_blank"> Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-278" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-278" href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank"> Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-279" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-279" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-280" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-280" href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank"> Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. </a> </span> </span> </li> <li> <span id="scite-281" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-281" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-282" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-282" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-techniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>