<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Data from Local System, Technique T1005 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Data from Local System</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Data from Local System </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.</p><p>Adversaries may do this using a <a href="/techniques/T1059">Command and Scripting Interpreter</a>, such as <a href="/software/S0106">cmd</a> as well as a <a href="/techniques/T1059/008">Network Device CLI</a>, which have functionality to interact with the file system to gather information.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022."data-reference="show_run_config_cmd_cisco">^{<a href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> Adversaries may also use <a href="/techniques/T1119">Automated Collection</a> on the local system.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1005 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques:&nbsp;</span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0009">Collection</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Additional information on requirements the adversary needs to meet or about the state of the system (software, patch level, etc.) that may be required for the (sub-)technique to work">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">System Requirements:&nbsp;</span>Privileges to access certain files and directories </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Austin Clark, @c2defense; William Cain </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>12 April 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1005" href="/versions/v16/techniques/T1005/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1005" href="/versions/v16/techniques/T1005/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S1028"> S1028 </a> </td> <td> <a href="/software/S1028"> Action RAT </a> </td> <td> <p><a href="/software/S1028">Action RAT</a> can collect local data from an infected machine.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021">^{<a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1030"> G1030 </a> </td> <td> <a href="/groups/G1030"> Agrius </a> </td> <td> <p><a href="/groups/G1030">Agrius</a> gathered data from database and other critical servers in victim environments, then used wiping mechanisms as an anti-analysis and anti-forensics mechanism.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024."data-reference="Unit42 Agrius 2023">^{<a href="https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1025"> S1025 </a> </td> <td> <a href="/software/S1025"> Amadey </a> </td> <td> <p><a href="/software/S1025">Amadey</a> can collect information from a compromised host.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022."data-reference="BlackBerry Amadey 2020">^{<a href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0138"> G0138 </a> </td> <td> <a href="/groups/G0138"> Andariel </a> </td> <td> <p><a href="/groups/G0138">Andariel</a> has collected large numbers of files from compromised network systems for later extraction.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024."data-reference="FSI Andariel Campaign Rifle July 2017">^{<a href="https://fsiceat.tistory.com/2" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0622"> S0622 </a> </td> <td> <a href="/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/software/S0622">AppleSeed</a> can collect data on a compromised host.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021">^{<a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024."data-reference="KISA Operation Muzabi">^{<a href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0006"> G0006 </a> </td> <td> <a href="/groups/G0006"> APT1 </a> </td> <td> <p><a href="/groups/G0006">APT1</a> has collected files from a local victim.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0007"> G0007 </a> </td> <td> <a href="/groups/G0007"> APT28 </a> </td> <td> <p><a href="/groups/G0007">APT28</a> has retrieved internal documents from machines inside victim environments, including by using <a href="/software/S0193">Forfiles</a> to stage documents before exfiltration.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018."data-reference="Überwachung APT28 Forfiles June 2015">^{<a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018."data-reference="DOJ GRU Indictment Jul 2018">^{<a href="https://www.justice.gov/file/1080281/download" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020."data-reference="TrendMicro Pawn Storm 2019">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021">^{<a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0016"> G0016 </a> </td> <td> <a href="/groups/G0016"> APT29 </a> </td> <td> <p><a href="/groups/G0016">APT29</a> has stolen data from compromised hosts.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023."data-reference="Mandiant APT29 Eye Spy Email Nov 22">^{<a href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p><a href="/groups/G0022">APT3</a> will identify Microsoft Office documents on the victim's computer.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017."data-reference="aptsim">^{<a href="http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0067"> G0067 </a> </td> <td> <a href="/groups/G0067"> APT37 </a> </td> <td> <p><a href="/groups/G0067">APT37</a> has collected data from victims' local systems.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018">^{<a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0082"> G0082 </a> </td> <td> <a href="/groups/G0082"> APT38 </a> </td> <td> <p><a href="/groups/G0082">APT38</a> has collected data from a compromised host.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021."data-reference="CISA AA20-239A BeagleBoyz August 2020">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0087"> G0087 </a> </td> <td> <a href="/groups/G0087"> APT39 </a> </td> <td> <p><a href="/groups/G0087">APT39</a> has used various tools to steal files from the compromised host.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."data-reference="Symantec Chafer February 2018">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020."data-reference="FBI FLASH APT39 September 2020">^{<a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> has uploaded files and data from a compromised host.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021">^{<a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0143"> G0143 </a> </td> <td> <a href="/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/groups/G0143">Aquatic Panda</a> captured local Windows security event log data from victim machines using the <code>wevtutil</code> utility to extract contents to an <code>evtx</code> output file.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024."data-reference="Crowdstrike HuntReport 2022">^{<a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1029"> S1029 </a> </td> <td> <a href="/software/S1029"> AuTo Stealer </a> </td> <td> <p><a href="/software/S1029">AuTo Stealer</a> can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021">^{<a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0001"> G0001 </a> </td> <td> <a href="/groups/G0001"> Axiom </a> </td> <td> <p><a href="/groups/G0001">Axiom</a> has collected data from a compromised network.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom">^{<a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0642"> S0642 </a> </td> <td> <a href="/software/S0642"> BADFLICK </a> </td> <td> <p><a href="/software/S0642">BADFLICK</a> has uploaded files from victims' machines.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021."data-reference="Accenture MUDCARP March 2019">^{<a href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0128"> S0128 </a> </td> <td> <a href="/software/S0128"> BADNEWS </a> </td> <td> <p>When it first starts, <a href="/software/S0128">BADNEWS</a> crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon">^{<a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018."data-reference="PaloAlto Patchwork Mar 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0337"> S0337 </a> </td> <td> <a href="/software/S0337"> BadPatch </a> </td> <td> <p><a href="/software/S0337">BadPatch</a> collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018."data-reference="Unit 42 BadPatch Oct 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0234"> S0234 </a> </td> <td> <a href="/software/S0234"> Bandook </a> </td> <td> <p><a href="/software/S0234">Bandook</a> can collect local files from the system .<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021."data-reference="CheckPoint Bandook Nov 2020">^{<a href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0239"> S0239 </a> </td> <td> <a href="/software/S0239"> Bankshot </a> </td> <td> <p><a href="/software/S0239">Bankshot</a> collects files from the local system.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018."data-reference="McAfee Bankshot">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0534"> S0534 </a> </td> <td> <a href="/software/S0534"> Bazar </a> </td> <td> <p><a href="/software/S0534">Bazar</a> can retrieve information from the infected machine.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020">^{<a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0268"> S0268 </a> </td> <td> <a href="/software/S0268"> Bisonal </a> </td> <td> <p><a href="/software/S0268">Bisonal</a> has collected information from a compromised host.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020">^{<a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0564"> S0564 </a> </td> <td> <a href="/software/S0564"> BlackMould </a> </td> <td> <p><a href="/software/S0564">BlackMould</a> can copy files on a compromised host.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021."data-reference="Microsoft GALLIUM December 2019">^{<a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0520"> S0520 </a> </td> <td> <a href="/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/software/S0520">BLINDINGCAN</a> has uploaded files from victim machines.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020."data-reference="US-CERT BLINDINGCAN Aug 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0651"> S0651 </a> </td> <td> <a href="/software/S0651"> BoxCaon </a> </td> <td> <p><a href="/software/S0651">BoxCaon</a> can upload files from a compromised host.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021">^{<a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0060"> G0060 </a> </td> <td> <a href="/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/groups/G0060">BRONZE BUTLER</a> has exfiltrated files stolen from local systems.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017">^{<a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1063"> S1063 </a> </td> <td> <a href="/software/S1063"> Brute Ratel C4 </a> </td> <td> <p><a href="/software/S1063">Brute Ratel C4</a> has the ability to upload files from a compromised system.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023."data-reference="Palo Alto Brute Ratel July 2022">^{<a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1039"> S1039 </a> </td> <td> <a href="/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/software/S1039">Bumblebee</a> can capture and compress stolen credentials from the Registry and volume shadow copies.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022."data-reference="Cybereason Bumblebee August 2022">^{<a href="https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <a href="/campaigns/C0015"> C0015 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0015">C0015</a>, the threat actors obtained files and data from the compromised network.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021">^{<a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/groups/G0096">APT41</a> collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41">^{<a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/campaigns/C0026"> C0026 </a> </td> <td> <a href="/campaigns/C0026"> C0026 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0026">C0026</a>, the threat actors collected documents from compromised hosts.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023">^{<a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0274"> S0274 </a> </td> <td> <a href="/software/S0274"> Calisto </a> </td> <td> <p><a href="/software/S0274">Calisto</a> can collect data from user directories.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018."data-reference="Securelist Calisto July 2018">^{<a href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0572"> S0572 </a> </td> <td> <a href="/software/S0572"> Caterpillar WebShell </a> </td> <td> <p><a href="/software/S0572">Caterpillar WebShell</a> has a module to collect information from the local database.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, January). "Lebanese Cedar" APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021."data-reference="ClearSky Lebanese Cedar Jan 2021">^{<a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S1043"> S1043 </a> </td> <td> <a href="/software/S1043"> ccf32 </a> </td> <td> <p><a href="/software/S1043">ccf32</a> can collect files from a compromised host.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0674"> S0674 </a> </td> <td> <a href="/software/S0674"> CharmPower </a> </td> <td> <p><a href="/software/S0674">CharmPower</a> can collect data and files from a compromised host.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022">^{<a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1149"> S1149 </a> </td> <td> <a href="/software/S1149"> CHIMNEYSWEEP </a> </td> <td> <p><a href="/software/S1149">CHIMNEYSWEEP</a> can collect files from compromised hosts.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0020"> S0020 </a> </td> <td> <a href="/software/S0020"> China Chopper </a> </td> <td> <p><a href="/software/S0020">China Chopper</a>'s server component can upload local files.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."data-reference="FireEye Periscope March 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015."data-reference="Lee 2013">^{<a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019."data-reference="NCSC Joint Report Public Tools">^{<a href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022."data-reference="Rapid7 HAFNIUM Mar 2021">^{<a href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0667"> S0667 </a> </td> <td> <a href="/software/S0667"> Chrommme </a> </td> <td> <p><a href="/software/S0667">Chrommme</a> can collect data from a local system.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0660"> S0660 </a> </td> <td> <a href="/software/S0660"> Clambling </a> </td> <td> <p><a href="/software/S0660">Clambling</a> can collect information from a compromised host.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0154"> S0154 </a> </td> <td> <a href="/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/software/S0154">Cobalt Strike</a> can collect data from a local system.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017."data-reference="Cobalt Strike TTPs Dec 2017">^{<a href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020">^{<a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0492"> S0492 </a> </td> <td> <a href="/software/S0492"> CookieMiner </a> </td> <td> <p><a href="/software/S0492">CookieMiner</a> has retrieved iPhone text messages from iTunes phone backup files.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020."data-reference="Unit42 CookieMiner Jan 2019">^{<a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0050"> S0050 </a> </td> <td> <a href="/software/S0050"> CosmicDuke </a> </td> <td> <p><a href="/software/S0050">CosmicDuke</a> steals user files from local hard drives with file extensions that match a predefined list.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014."data-reference="F-Secure Cosmicduke">^{<a href="https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0004"> C0004 </a> </td> <td> <a href="/campaigns/C0004"> CostaRicto </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0004">CostaRicto</a>, the threat actors collected data and files from compromised networks.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020">^{<a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1023"> S1023 </a> </td> <td> <a href="/software/S1023"> CreepyDrive </a> </td> <td> <p><a href="/software/S1023">CreepyDrive</a> can upload files to C2 from victim machines.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022."data-reference="Microsoft POLONIUM June 2022">^{<a href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <p><a href="/software/S0115">Crimson</a> can collect information from a compromised host.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022."data-reference="Cisco Talos Transparent Tribe Education Campaign July 2022">^{<a href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0538"> S0538 </a> </td> <td> <a href="/software/S0538"> Crutch </a> </td> <td> <p><a href="/software/S0538">Crutch</a> can exfiltrate files from compromised systems.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020."data-reference="ESET Crutch December 2020">^{<a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0498"> S0498 </a> </td> <td> <a href="/software/S0498"> Cryptoistic </a> </td> <td> <p><a href="/software/S0498">Cryptoistic</a> can retrieve files from the local file system.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020."data-reference="SentinelOne Lazarus macOS July 2020">^{<a href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1012"> G1012 </a> </td> <td> <a href="/groups/G1012"> CURIUM </a> </td> <td> <p><a href="/groups/G1012">CURIUM</a> has exfiltrated data from a compromised machine.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021">^{<a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0029"> C0029 </a> </td> <td> <a href="/campaigns/C0029"> Cutting Edge </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a>, threat actors stole the running configuration and cache data from targeted Ivanti Connect Secure VPNs.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024."data-reference="Volexity Ivanti Zero-Day Exploitation January 2024">^{<a href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span><span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024."data-reference="Mandiant Cutting Edge Part 2 January 2024">^{<a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0687"> S0687 </a> </td> <td> <a href="/software/S0687"> Cyclops Blink </a> </td> <td> <p><a href="/software/S0687">Cyclops Blink</a> can upload files from a compromised host.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022."data-reference="NCSC Cyclops Blink February 2022">^{<a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1014"> S1014 </a> </td> <td> <a href="/software/S1014"> DanBot </a> </td> <td> <p><a href="/software/S1014">DanBot</a> can upload files from compromised hosts.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 "data-reference="SecureWorks August 2019">^{<a href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0070"> G0070 </a> </td> <td> <a href="/groups/G0070"> Dark Caracal </a> </td> <td> <p><a href="/groups/G0070">Dark Caracal</a> collected complete contents of the 'Pictures' folder from compromised Windows systems.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018."data-reference="Lookout Dark Caracal Jan 2018">^{<a href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0673"> S0673 </a> </td> <td> <a href="/software/S0673"> DarkWatchman </a> </td> <td> <p><a href="/software/S0673">DarkWatchman</a> can collect files from a compromised host.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022."data-reference="Prevailion DarkWatchman 2021">^{<a href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1021"> S1021 </a> </td> <td> <a href="/software/S1021"> DnsSystem </a> </td> <td> <p><a href="/software/S1021">DnsSystem</a> can upload files from infected machines after receiving a command with <code>uploaddd</code> in the string.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022."data-reference="Zscaler Lyceum DnsSystem June 2022">^{<a href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0035"> G0035 </a> </td> <td> <a href="/groups/G0035"> Dragonfly </a> </td> <td> <p><a href="/groups/G0035">Dragonfly</a> has collected data from local victim systems.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A">^{<a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0694"> S0694 </a> </td> <td> <a href="/software/S0694"> DRATzarus </a> </td> <td> <p><a href="/software/S0694">DRATzarus</a> can collect information from a compromised host.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020">^{<a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0502"> S0502 </a> </td> <td> <a href="/software/S0502"> Drovorub </a> </td> <td> <p><a href="/software/S0502">Drovorub</a> can transfer files from the victim machine.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020."data-reference="NSA/FBI Drovorub August 2020">^{<a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0567"> S0567 </a> </td> <td> <a href="/software/S0567"> Dtrack </a> </td> <td> <p><a href="/software/S0567">Dtrack</a> can collect a variety of information from victim machines.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021."data-reference="CyberBit Dtrack">^{<a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1159"> S1159 </a> </td> <td> <a href="/software/S1159"> DUSTTRAP </a> </td> <td> <p><a href="/software/S1159">DUSTTRAP</a> can gather data from infected systems.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1003"> G1003 </a> </td> <td> <a href="/groups/G1003"> Ember Bear </a> </td> <td> <p><a href="/groups/G1003">Ember Bear</a> gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023."data-reference="Cadet Blizzard emerges as novel threat actor">^{<a href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024."data-reference="CISA GRU29155 2024">^{<a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0634"> S0634 </a> </td> <td> <a href="/software/S0634"> EnvyScout </a> </td> <td> <p><a href="/software/S0634">EnvyScout</a> can collect sensitive NTLM material from a compromised host.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021">^{<a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0404"> S0404 </a> </td> <td> <a href="/software/S0404"> esentutl </a> </td> <td> <p><a href="/software/S0404">esentutl</a> can be used to collect data from local file systems.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021."data-reference="Red Canary 2021 Threat Detection Report March 2021">^{<a href="https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf?mkt_tok=MDAzLVlSVS0zMTQAAAF_PIlmhNTaG2McG4X_foM-cIr20UfyB12MIQ10W0HbtMRwxGOJaD0Xj6CRTNg_S-8KniRxtf9xzhz_ACvm_TpbJAIgWCV8yIsFgbhb8cuaZA" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0512"> S0512 </a> </td> <td> <a href="/software/S0512"> FatDuke </a> </td> <td> <p><a href="/software/S0512">FatDuke</a> can copy files and directories from a compromised host.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022">^{<a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span><span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022">^{<a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0037"> G0037 </a> </td> <td> <a href="/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/groups/G0037">FIN6</a> has collected and exfiltrated payment card data from compromised systems.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020."data-reference="Trend Micro FIN6 October 2019">^{<a href="https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span><span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020."data-reference="RiskIQ British Airways September 2018">^{<a href="https://web.archive.org/web/20181231220607/https://riskiq.com/blog/labs/magecart-british-airways-breach/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span><span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020."data-reference="RiskIQ Newegg September 2018">^{<a href="https://web.archive.org/web/20181209083100/https://www.riskiq.com/blog/labs/magecart-newegg/" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0046"> G0046 </a> </td> <td> <a href="/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/groups/G0046">FIN7</a> has collected files and other sensitive information from a compromised network.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021">^{<a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0696"> S0696 </a> </td> <td> <a href="/software/S0696"> Flagpro </a> </td> <td> <p><a href="/software/S0696">Flagpro</a> can collect data from a compromised host, including Windows authentication information.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022."data-reference="NTT Security Flagpro new December 2021">^{<a href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0036"> S0036 </a> </td> <td> <a href="/software/S0036"> FLASHFLOOD </a> </td> <td> <p><a href="/software/S0036">FLASHFLOOD</a> searches for interesting files (either a default or customized set of file extensions) on the local system. <a href="/software/S0036">FLASHFLOOD</a> will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. <a href="/software/S0036">FLASHFLOOD</a> also collects information stored in the Windows Address Book.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015."data-reference="FireEye APT30">^{<a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0381"> S0381 </a> </td> <td> <a href="/software/S0381"> FlawedAmmyy </a> </td> <td> <p><a href="/software/S0381">FlawedAmmyy</a> has collected information and files from a compromised machine.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020">^{<a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0661"> S0661 </a> </td> <td> <a href="/software/S0661"> FoggyWeb </a> </td> <td> <p><a href="/software/S0661">FoggyWeb</a> can retrieve configuration data from a compromised AD FS server.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021."data-reference="MSTIC FoggyWeb September 2021">^{<a href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0193"> S0193 </a> </td> <td> <a href="/software/S0193"> Forfiles </a> </td> <td> <p><a href="/software/S0193">Forfiles</a> can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before).<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018."data-reference="Überwachung APT28 Forfiles June 2015">^{<a href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0117"> G0117 </a> </td> <td> <a href="/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/groups/G0117">Fox Kitten</a> has searched local system resources to access sensitive documents.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020."data-reference="CISA AA20-259A Iran-Based Actor September 2020">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0503"> S0503 </a> </td> <td> <a href="/software/S0503"> FrameworkPOS </a> </td> <td> <p><a href="/software/S0503">FrameworkPOS</a> can collect elements related to credit card data from process memory.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Kremez, V. (2019, September 19). FIN6 "FrameworkPOS": Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020."data-reference="SentinelOne FrameworkPOS September 2019">^{<a href="https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0001"> C0001 </a> </td> <td> <a href="/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors used <a href="/software/S0363">Empire</a> to gather various local system information.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019">^{<a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1044"> S1044 </a> </td> <td> <a href="/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/software/S1044">FunnyDream</a> can upload files from victims' machines.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span><span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022."data-reference="Kaspersky APT Trends Q1 2020">^{<a href="https://securelist.com/apt-trends-report-q1-2020/96826/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0093"> G0093 </a> </td> <td> <a href="/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/groups/G0093">GALLIUM</a> collected data from the victim's local system, including password hashes from the SAM hive in the Registry.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019">^{<a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0047"> G0047 </a> </td> <td> <a href="/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/groups/G0047">Gamaredon Group</a> has collected files from infected systems and uploaded them to a C2 server.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."data-reference="ESET Gamaredon June 2020">^{<a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0666"> S0666 </a> </td> <td> <a href="/software/S0666"> Gelsemium </a> </td> <td> <p><a href="/software/S0666">Gelsemium</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0477"> S0477 </a> </td> <td> <a href="/software/S0477"> Goopy </a> </td> <td> <p><a href="/software/S0477">Goopy</a> has the ability to exfiltrate documents from infected systems.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0237"> S0237 </a> </td> <td> <a href="/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/software/S0237">GravityRAT</a> steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018."data-reference="Talos GravityRAT">^{<a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0690"> S0690 </a> </td> <td> <a href="/software/S0690"> Green Lambert </a> </td> <td> <p><a href="/software/S0690">Green Lambert</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022."data-reference="Objective See Green Lambert for OSX Oct 2021">^{<a href="https://objective-see.com/blog/blog_0x68.html" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0632"> S0632 </a> </td> <td> <a href="/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/software/S0632">GrimAgent</a> can collect data and files from a compromised host.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024."data-reference="Group IB GrimAgent July 2021">^{<a href="https://www.group-ib.com/blog/grimagent/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0125"> G0125 </a> </td> <td> <a href="/groups/G0125"> HAFNIUM </a> </td> <td> <p><a href="/groups/G0125">HAFNIUM</a> has collected data and files from a compromised machine.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022."data-reference="Rapid7 HAFNIUM Mar 2021">^{<a href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0009"> S0009 </a> </td> <td> <a href="/software/S0009"> Hikit </a> </td> <td> <p><a href="/software/S0009">Hikit</a> can upload files from compromised machines.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom">^{<a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0203"> S0203 </a> </td> <td> <a href="/software/S0203"> Hydraq </a> </td> <td> <p><a href="/software/S0203">Hydraq</a> creates a backdoor through which remote attackers can read data from files.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018."data-reference="Symantec Trojan.Hydraq Jan 2010">^{<a href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span><span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018."data-reference="Symantec Hydraq Jan 2010">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1022"> S1022 </a> </td> <td> <a href="/software/S1022"> IceApple </a> </td> <td> <p><a href="/software/S1022">IceApple</a> can collect files, passwords, and other data from a compromised host.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022."data-reference="CrowdStrike IceApple May 2022">^{<a href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0100"> G0100 </a> </td> <td> <a href="/groups/G0100"> Inception </a> </td> <td> <p><a href="/groups/G0100">Inception</a> used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020."data-reference="Kaspersky Cloud Atlas August 2019">^{<a href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/software/S0260">InvisiMole</a> can collect data from the system, and can monitor changes in specified directories.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018."data-reference="ESET InvisiMole June 2018">^{<a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1132"> S1132 </a> </td> <td> <a href="/software/S1132"> IPsec Helper </a> </td> <td> <p><a href="/software/S1132">IPsec Helper</a> can identify specific files and folders for follow-on exfiltration.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024."data-reference="SentinelOne Agrius 2021">^{<a href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0015"> S0015 </a> </td> <td> <a href="/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/software/S0015">Ixeshe</a> can collect data from a local system.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019."data-reference="Trend Micro IXESHE 2012">^{<a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0265"> S0265 </a> </td> <td> <a href="/software/S0265"> Kazuar </a> </td> <td> <p><a href="/software/S0265">Kazuar</a> uploads files from a specified directory to the C2 server.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018."data-reference="Unit 42 Kazuar May 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/groups/G0004">Ke3chang</a> gathered information and files from local directories for exfiltration.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014."data-reference="Mandiant Operation Ke3chang November 2014">^{<a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a>}</span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021">^{<a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1020"> S1020 </a> </td> <td> <a href="/software/S1020"> Kevin </a> </td> <td> <p><a href="/software/S1020">Kevin</a> can upload logs and other data from a compromised host.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021">^{<a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0526"> S0526 </a> </td> <td> <a href="/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/software/S0526">KGH_SPY</a> can send a file containing victim system information to C2.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020">^{<a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has collected Office, PDF, and HWP documents from its victims.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Tarakanov , D.. (2013, September 11). The "Kimsuky" Operation: A North Korean APT?. Retrieved August 13, 2019."data-reference="Securelist Kimsuky Sept 2013">^{<a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a>}</span><span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021">^{<a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0250"> S0250 </a> </td> <td> <a href="/software/S0250"> Koadic </a> </td> <td> <p><a href="/software/S0250">Koadic</a> can download files off the target system to send back to the server.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024."data-reference="Github Koadic">^{<a href="https://github.com/offsecginger/koadic" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a>}</span><span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021">^{<a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p><a href="/software/S0356">KONNI</a> has stored collected information and discovered processes in a tmp file.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022."data-reference="Malwarebytes Konni Aug 2021">^{<a href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1075"> S1075 </a> </td> <td> <a href="/software/S1075"> KOPILUWAK </a> </td> <td> <p><a href="/software/S1075">KOPILUWAK</a> can gather information from compromised hosts.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023">^{<a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1004"> G1004 </a> </td> <td> <a href="/groups/G1004"> LAPSUS$ </a> </td> <td> <p><a href="/groups/G1004">LAPSUS$</a> uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022">^{<a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1160"> S1160 </a> </td> <td> <a href="/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/software/S1160">Latrodectus</a> can collect data from a compromised host using a stealer module.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024."data-reference="Bitsight Latrodectus June 2024">^{<a href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/groups/G0032">Lazarus Group</a> has collected data and files from compromised networks.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster">^{<a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a>}</span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016."data-reference="Novetta Blockbuster Loaders">^{<a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a>}</span><span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016."data-reference="Novetta Blockbuster RATs">^{<a href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a>}</span><span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021">^{<a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0395"> S0395 </a> </td> <td> <a href="/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/software/S0395">LightNeuron</a> can collect files from a local system.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019."data-reference="ESET LightNeuron May 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0211"> S0211 </a> </td> <td> <a href="/software/S0211"> Linfo </a> </td> <td> <p><a href="/software/S0211">Linfo</a> creates a backdoor through which remote attackers can obtain data from local systems.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018."data-reference="Symantec Linfo May 2012">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1101"> S1101 </a> </td> <td> <a href="/software/S1101"> LoFiSe </a> </td> <td> <p><a href="/software/S1101">LoFiSe</a> can collect files of interest from targeted systems.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023">^{<a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1014"> G1014 </a> </td> <td> <a href="/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/groups/G1014">LuminousMoth</a> has collected files and data from compromised machines.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022."data-reference="Kaspersky LuminousMoth July 2021">^{<a href="https://securelist.com/apt-luminousmoth/103332/" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a>}</span><span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022."data-reference="Bitdefender LuminousMoth July 2021">^{<a href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> searches the File system for files of interest.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S1016"> S1016 </a> </td> <td> <a href="/software/S1016"> MacMa </a> </td> <td> <p><a href="/software/S1016">MacMa</a> can collect then exfiltrate files from the compromised system.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022."data-reference="ESET DazzleSpy Jan 2022">^{<a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1060"> S1060 </a> </td> <td> <a href="/software/S1060"> Mafalda </a> </td> <td> <p><a href="/software/S1060">Mafalda</a> can collect files and information from a compromised host.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022">^{<a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022">^{<a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a>}</span><span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021">^{<a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0652"> S0652 </a> </td> <td> <a href="/software/S0652"> MarkiRAT </a> </td> <td> <p><a href="/software/S0652">MarkiRAT</a> can upload data from the victim's machine to the C2 server.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021">^{<a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0500"> S0500 </a> </td> <td> <a href="/software/S0500"> MCMD </a> </td> <td> <p><a href="/software/S0500">MCMD</a> has the ability to upload files from an infected device.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019">^{<a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0045"> G0045 </a> </td> <td> <a href="/groups/G0045"> menuPass </a> </td> <td> <p><a href="/groups/G0045">menuPass</a> has collected various files from the compromised computers.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019."data-reference="DOJ APT10 Dec 2018">^{<a href="https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a>}</span><span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020."data-reference="Symantec Cicada November 2020">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1059"> S1059 </a> </td> <td> <a href="/software/S1059"> metaMain </a> </td> <td> <p><a href="/software/S1059">metaMain</a> can collect files and system information from a compromised host.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022">^{<a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a>}</span><span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022">^{<a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1146"> S1146 </a> </td> <td> <a href="/software/S1146"> MgBot </a> </td> <td> <p><a href="/software/S1146">MgBot</a> includes modules for collecting files from local systems based on a given set of properties and filenames.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024."data-reference="ESET EvasivePanda 2023">^{<a href="https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1015"> S1015 </a> </td> <td> <a href="/software/S1015"> Milan </a> </td> <td> <p><a href="/software/S1015">Milan</a> can upload files from a compromised host.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021">^{<a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0084"> S0084 </a> </td> <td> <a href="/software/S0084"> Mis-Type </a> </td> <td> <p><a href="/software/S0084">Mis-Type</a> has collected files and data from a compromised host.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0083"> S0083 </a> </td> <td> <a href="/software/S0083"> Misdat </a> </td> <td> <p><a href="/software/S0083">Misdat</a> has collected files and data from a compromised host.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0079"> S0079 </a> </td> <td> <a href="/software/S0079"> MobileOrder </a> </td> <td> <p><a href="/software/S0079">MobileOrder</a> exfiltrates data collected from the victim mobile device.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016."data-reference="Scarlet Mimic Jan 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1026"> S1026 </a> </td> <td> <a href="/software/S1026"> Mongall </a> </td> <td> <p><a href="/software/S1026">Mongall</a> has the ability to upload files from victim's machines.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022">^{<a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0630"> S0630 </a> </td> <td> <a href="/software/S0630"> Nebulae </a> </td> <td> <p><a href="/software/S0630">Nebulae</a> has the capability to upload collected files to C2.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0691"> S0691 </a> </td> <td> <a href="/software/S0691"> Neoichor </a> </td> <td> <p><a href="/software/S0691">Neoichor</a> can upload files from a victim's machine.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021">^{<a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0002"> C0002 </a> </td> <td> <a href="/campaigns/C0002"> Night Dragon </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a>, the threat actors collected files and other data from compromised systems.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon">^{<a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1090"> S1090 </a> </td> <td> <a href="/software/S1090"> NightClub </a> </td> <td> <p><a href="/software/S1090">NightClub</a> can use a file monitor to steal specific files from targeted systems.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023">^{<a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0385"> S0385 </a> </td> <td> <a href="/software/S0385"> njRAT </a> </td> <td> <p><a href="/software/S0385">njRAT</a> can collect data from a local system.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019."data-reference="Fidelis njRAT June 2013">^{<a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1131"> S1131 </a> </td> <td> <a href="/software/S1131"> NPPSPY </a> </td> <td> <p><a href="/software/S1131">NPPSPY</a> records data entered from the local system logon at Winlogon to capture credentials in cleartext.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024."data-reference="Huntress NPPSPY 2022">^{<a href="https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0340"> S0340 </a> </td> <td> <a href="/software/S0340"> Octopus </a> </td> <td> <p><a href="/software/S0340">Octopus</a> can exfiltrate files from the system using a documents collector tool.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021."data-reference="ESET Nomadic Octopus 2018">^{<a href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0012"> C0012 </a> </td> <td> <a href="/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors collected data, files, and other information from compromised networks.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022">^{<a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0022"> C0022 </a> </td> <td> <a href="/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/groups/G0032">Lazarus Group</a> used malicious Trojans and DLL files to exfiltrate data from an infected host.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020">^{<a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span><span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021."data-reference="McAfee Lazarus Jul 2020">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0006"> C0006 </a> </td> <td> <a href="/campaigns/C0006"> Operation Honeybee </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a>, the threat actors collected data from compromised hosts.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018."data-reference="McAfee Honeybee">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors exfiltrated files and directories of interest from the targeted system.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019">^{<a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0352"> S0352 </a> </td> <td> <a href="/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> <p><a href="/software/S0352">OSX_OCEANLOTUS.D</a> has the ability to upload files from a compromised host.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020."data-reference="Trend Micro MacOS Backdoor November 2020">^{<a href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0594"> S0594 </a> </td> <td> <a href="/software/S0594"> Out1 </a> </td> <td> <p><a href="/software/S0594">Out1</a> can copy files and Registry data from compromised hosts.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1017"> S1017 </a> </td> <td> <a href="/software/S1017"> OutSteel </a> </td> <td> <p><a href="/software/S1017">OutSteel</a> can collect information from a compromised host.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 ">^{<a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0598"> S0598 </a> </td> <td> <a href="/software/S0598"> P.A.S. Webshell </a> </td> <td> <p><a href="/software/S0598">P.A.S. Webshell</a> has the ability to copy files on a compromised host.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021."data-reference="ANSSI Sandworm January 2021">^{<a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0208"> S0208 </a> </td> <td> <a href="/software/S0208"> Pasam </a> </td> <td> <p><a href="/software/S0208">Pasam</a> creates a backdoor through which remote attackers can retrieve files.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018."data-reference="Symantec Pasam May 2012">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0040"> G0040 </a> </td> <td> <a href="/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/groups/G0040">Patchwork</a> collected and exfiltrated files from the infected system.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016."data-reference="Cymmetria Patchwork">^{<a href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1102"> S1102 </a> </td> <td> <a href="/software/S1102"> Pcexter </a> </td> <td> <p><a href="/software/S1102">Pcexter</a> can upload files from targeted systems.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023">^{<a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1050"> S1050 </a> </td> <td> <a href="/software/S1050"> PcShare </a> </td> <td> <p><a href="/software/S1050">PcShare</a> can collect files and information from a compromised host.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0517"> S0517 </a> </td> <td> <a href="/software/S0517"> Pillowmint </a> </td> <td> <p><a href="/software/S0517">Pillowmint</a> has collected credit card data using native API functions.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020."data-reference="Trustwave Pillowmint June 2020">^{<a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0048"> S0048 </a> </td> <td> <a href="/software/S0048"> PinchDuke </a> </td> <td> <p><a href="/software/S0048">PinchDuke</a> collects user files from the compromised host based on predefined file extensions.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes">^{<a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1031"> S1031 </a> </td> <td> <a href="/software/S1031"> PingPull </a> </td> <td> <p><a href="/software/S1031">PingPull</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022."data-reference="Unit 42 PingPull Jun 2022">^{<a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0012"> S0012 </a> </td> <td> <a href="/software/S0012"> PoisonIvy </a> </td> <td> <p><a href="/software/S0012">PoisonIvy</a> creates a backdoor through which remote attackers can steal system information.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018."data-reference="Symantec Darkmoon Aug 2005">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1012"> S1012 </a> </td> <td> <a href="/software/S1012"> PowerLess </a> </td> <td> <p><a href="/software/S1012">PowerLess</a> has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022."data-reference="Cybereason PowerLess February 2022">^{<a href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0194"> S0194 </a> </td> <td> <a href="/software/S0194"> PowerSploit </a> </td> <td> <p><a href="/software/S0194">PowerSploit</a> contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018."data-reference="GitHub PowerSploit May 2012">^{<a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a>}</span><span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018."data-reference="PowerSploit Documentation">^{<a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0223"> S0223 </a> </td> <td> <a href="/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/software/S0223">POWERSTATS</a> can upload files from compromised hosts.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0238"> S0238 </a> </td> <td> <a href="/software/S0238"> Proxysvc </a> </td> <td> <p><a href="/software/S0238">Proxysvc</a> searches the local system and gathers data.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018."data-reference="McAfee GhostSecret">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0197"> S0197 </a> </td> <td> <a href="/software/S0197"> PUNCHTRACK </a> </td> <td> <p><a href="/software/S0197">PUNCHTRACK</a> scrapes memory for properly formatted payment card data.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018."data-reference="FireEye Fin8 May 2016">^{<a href="https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a>}</span><span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016">^{<a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <p><a href="/software/S0650">QakBot</a> can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021."data-reference="Red Canary Qbot">^{<a href="https://redcanary.com/threat-detection-report/threats/qbot/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a>}</span><span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021">^{<a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/software/S0262">QuasarRAT</a> can retrieve files from compromised client machines.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022."data-reference="CISA AR18-352A Quasar RAT December 2018">^{<a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0686"> S0686 </a> </td> <td> <a href="/software/S0686"> QuietSieve </a> </td> <td> <p><a href="/software/S0686">QuietSieve</a> can collect files from a compromised host.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022">^{<a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1148"> S1148 </a> </td> <td> <a href="/software/S1148"> Raccoon Stealer </a> </td> <td> <p><a href="/software/S1148">Raccoon Stealer</a> collects data from victim machines based on configuration information received from command and control nodes.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024."data-reference="S2W Racoon 2022">^{<a href="https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a>}</span><span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024."data-reference="Sekoia Raccoon2 2022">^{<a href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0629"> S0629 </a> </td> <td> <a href="/software/S0629"> RainyDay </a> </td> <td> <p><a href="/software/S0629">RainyDay</a> can use a file exfiltration tool to collect recently changed files on a compromised host.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0458"> S0458 </a> </td> <td> <a href="/software/S0458"> Ramsay </a> </td> <td> <p><a href="/software/S0458">Ramsay</a> can collect Microsoft Word documents from the target's file system, as well as <code>.txt</code>, <code>.doc</code>, and <code>.xls</code> files from the Internet Explorer cache.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020."data-reference="Eset Ramsay May 2020">^{<a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a>}</span><span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021."data-reference="Antiy CERT Ramsay April 2020">^{<a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S1113"> S1113 </a> </td> <td> <a href="/software/S1113"> RAPIDPULSE </a> </td> <td> <p><a href="/software/S1113">RAPIDPULSE</a> retrieves files from the victim system via encrypted commands sent to the web shell.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024."data-reference="Mandiant Pulse Secure Update May 2021">^{<a href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0169"> S0169 </a> </td> <td> <a href="/software/S0169"> RawPOS </a> </td> <td> <p><a href="/software/S0169">RawPOS</a> dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017."data-reference="Kroll RawPOS Jan 2017">^{<a href="https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a>}</span><span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017."data-reference="TrendMicro RawPOS April 2015">^{<a href="http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a>}</span><span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017."data-reference="Mandiant FIN5 GrrCON Oct 2016">^{<a href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0662"> S0662 </a> </td> <td> <a href="/software/S0662"> RCSession </a> </td> <td> <p><a href="/software/S0662">RCSession</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021."data-reference="Profero APT27 December 2020">^{<a href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a>}</span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1039"> G1039 </a> </td> <td> <a href="/groups/G1039"> RedCurl </a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected data from the local disk of compromised hosts.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1">^{<a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a>}</span><span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2">^{<a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0448"> S0448 </a> </td> <td> <a href="/software/S0448"> Rising Sun </a> </td> <td> <p><a href="/software/S0448">Rising Sun</a> has collected data and files from a compromised host.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020."data-reference="McAfee Sharpshooter December 2018">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0240"> S0240 </a> </td> <td> <a href="/software/S0240"> ROKRAT </a> </td> <td> <p><a href="/software/S0240">ROKRAT</a> can collect host data and specific file types.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."data-reference="NCCGroup RokRat Nov 2018">^{<a href="https://research.nccgroup.com/2018/11/08/rokrat-analysis/" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a>}</span><span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."data-reference="Volexity InkySquid RokRAT August 2021">^{<a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a>}</span><span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022."data-reference="Malwarebytes RokRAT VBA January 2021">^{<a href="https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0090"> S0090 </a> </td> <td> <a href="/software/S0090"> Rover </a> </td> <td> <p><a href="/software/S0090">Rover</a> searches for files on local drives based on a predefined list of file extensions.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016."data-reference="Palo Alto Rover">^{<a href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1018"> S1018 </a> </td> <td> <a href="/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/software/S1018">Saint Bot</a> can collect files and information from a compromised host.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021">^{<a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1099"> S1099 </a> </td> <td> <a href="/software/S1099"> Samurai </a> </td> <td> <p><a href="/software/S1099">Samurai</a> can leverage an exfiltration module to download arbitrary files from compromised machines.<span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022">^{<a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> has exfiltrated internal documents, files, and other data from compromised hosts.<span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020">^{<a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1085"> S1085 </a> </td> <td> <a href="/software/S1085"> Sardonic </a> </td> <td> <p><a href="/software/S1085">Sardonic</a> has the ability to collect data from a compromised machine to deliver to the attacker.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023."data-reference="Symantec FIN8 Jul 2023">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0461"> S0461 </a> </td> <td> <a href="/software/S0461"> SDBbot </a> </td> <td> <p><a href="/software/S0461">SDBbot</a> has the ability to access the file system on a compromised host.<span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1019"> S1019 </a> </td> <td> <a href="/software/S1019"> Shark </a> </td> <td> <p><a href="/software/S1019">Shark</a> can upload files to its C2.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021">^{<a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a>}</span><span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022."data-reference="Accenture Lyceum Targets November 2021">^{<a href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1089"> S1089 </a> </td> <td> <a href="/software/S1089"> SharpDisco </a> </td> <td> <p><a href="/software/S1089">SharpDisco</a> has dropped a recent-files stealer plugin to <code>C:\Users\Public\WinSrcNT\It11.exe</code>.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023">^{<a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0444"> S0444 </a> </td> <td> <a href="/software/S0444"> ShimRat </a> </td> <td> <p><a href="/software/S0444">ShimRat</a> has the capability to upload collected files to a C2.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang">^{<a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/software/S0610"> S0610 </a> </td> <td> <a href="/software/S0610"> SideTwist </a> </td> <td> <p><a href="/software/S0610">SideTwist</a> has the ability to upload files from a compromised host.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021."data-reference="Check Point APT34 April 2021">^{<a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1110"> S1110 </a> </td> <td> <a href="/software/S1110"> SLIGHTPULSE </a> </td> <td> <p><a href="/software/S1110">SLIGHTPULSE</a> can read files specified on the local system.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024."data-reference="Mandiant Pulse Secure Zero-Day April 2021">^{<a href="https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0533"> S0533 </a> </td> <td> <a href="/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/software/S0533">SLOTHFULMEDIA</a> has uploaded files and information from victim machines.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020."data-reference="CISA MAR SLOTHFULMEDIA October 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a>}</span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> extracted files from compromised networks.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds">^{<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0615"> S0615 </a> </td> <td> <a href="/software/S0615"> SombRAT </a> </td> <td> <p><a href="/software/S0615">SombRAT</a> has collected data and files from a compromised host.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020">^{<a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span><span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021."data-reference="CISA AR21-126A FIVEHANDS May 2021">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0646"> S0646 </a> </td> <td> <a href="/software/S0646"> SpicyOmelette </a> </td> <td> <p><a href="/software/S0646">SpicyOmelette</a> has collected data and other information from a compromised host.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021."data-reference="Secureworks GOLD KINGSWOOD September 2018">^{<a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1037"> S1037 </a> </td> <td> <a href="/software/S1037"> STARWHALE </a> </td> <td> <p><a href="/software/S1037">STARWHALE</a> can collect data from an infected local host.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022."data-reference="DHS CISA AA22-055A MuddyWater February 2022">^{<a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0038"> G0038 </a> </td> <td> <a href="/groups/G0038"> Stealth Falcon </a> </td> <td> <p><a href="/groups/G0038">Stealth Falcon</a> malware gathers data from the local victim system.<span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016."data-reference="Citizen Lab Stealth Falcon May 2016">^{<a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1034"> S1034 </a> </td> <td> <a href="/software/S1034"> StrifeWater </a> </td> <td> <p><a href="/software/S1034">StrifeWater</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022."data-reference="Cybereason StrifeWater Feb 2022">^{<a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0559"> S0559 </a> </td> <td> <a href="/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/software/S0559">SUNBURST</a> collected information from a compromised host.<span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020">^{<a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a>}</span><span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1064"> S1064 </a> </td> <td> <a href="/software/S1064"> SVCReady </a> </td> <td> <p><a href="/software/S1064">SVCReady</a> can collect data from an infected host.<span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022."data-reference="HP SVCReady Jun 2022">^{<a href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0663"> S0663 </a> </td> <td> <a href="/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/software/S0663">SysUpdate</a> can collect information and files from a compromised host.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" title="Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023."data-reference="Lunghi Iron Tiger Linux">^{<a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0011"> S0011 </a> </td> <td> <a href="/software/S0011"> Taidoor </a> </td> <td> <p><a href="/software/S0011">Taidoor</a> can upload data and files from a victim's machine.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" title="Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014."data-reference="TrendMicro Taidoor">^{<a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0467"> S0467 </a> </td> <td> <a href="/software/S0467"> TajMahal </a> </td> <td> <p><a href="/software/S0467">TajMahal</a> has the ability to steal documents from the local system including the print spooler queue.<span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019."data-reference="Kaspersky TajMahal April 2019">^{<a href="https://securelist.com/project-tajmahal/90240/" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0027"> G0027 </a> </td> <td> <a href="/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/groups/G0027">Threat Group-3390</a> ran a command to compile an archive of file types of interest from the victim user's directories.<span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017."data-reference="SecureWorks BRONZE UNION June 2017">^{<a href="https://www.secureworks.com/research/bronze-union" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0665"> S0665 </a> </td> <td> <a href="/software/S0665"> ThreatNeedle </a> </td> <td> <p><a href="/software/S0665">ThreatNeedle</a> can collect data and files from a compromised host.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021">^{<a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0668"> S0668 </a> </td> <td> <a href="/software/S0668"> TinyTurla </a> </td> <td> <p><a href="/software/S0668">TinyTurla</a> can upload files from a compromised host.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" title="Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021."data-reference="Talos TinyTurla September 2021">^{<a href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G1022"> G1022 </a> </td> <td> <a href="/groups/G1022"> ToddyCat </a> </td> <td> <p><a href="/groups/G1022">ToddyCat</a> has run scripts to collect documents from targeted hosts.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023">^{<a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0671"> S0671 </a> </td> <td> <a href="/software/S0671"> Tomiris </a> </td> <td> <p><a href="/software/S0671">Tomiris</a> has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.<span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" title="Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021."data-reference="Kaspersky Tomiris Sep 2021">^{<a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0266"> S0266 </a> </td> <td> <a href="/software/S0266"> TrickBot </a> </td> <td> <p><a href="/software/S0266">TrickBot</a> collects local files and information from the victim’s local machine.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" title="Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018."data-reference="S2 Grupo TrickBot June 2017">^{<a href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p><a href="/groups/G0010">Turla</a> RPC backdoors can upload files from victim machines.<span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" title="Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."data-reference="ESET Turla PowerShell May 2019">^{<a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0022"> S0022 </a> </td> <td> <a href="/software/S0022"> Uroburos </a> </td> <td> <p><a href="/software/S0022">Uroburos</a> can use its <code>Get</code> command to exfiltrate specified files from the compromised system.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023."data-reference="Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023">^{<a href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0386"> S0386 </a> </td> <td> <a href="/software/S0386"> Ursnif </a> </td> <td> <p><a href="/software/S0386">Ursnif</a> has collected files from victim machines, including certificates and cookies.<span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" title="Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019."data-reference="TrendMicro BKDR_URSNIF.SM">^{<a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0452"> S0452 </a> </td> <td> <a href="/software/S0452"> USBferry </a> </td> <td> <p><a href="/software/S0452">USBferry</a> can collect information from an air-gapped host machine.<span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020">^{<a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/groups/G1017">Volt Typhoon</a> has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used <a href="/software/S0645">Wevtutil</a> to extract event log information.<span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023."data-reference="Joint Cybersecurity Advisory Volt Typhoon June 2023">^{<a href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a>}</span><span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023."data-reference="Secureworks BRONZE SILHOUETTE May 2023">^{<a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a>}</span><span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024">^{<a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0670"> S0670 </a> </td> <td> <a href="/software/S0670"> WarzoneRAT </a> </td> <td> <p><a href="/software/S0670">WarzoneRAT</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" title="Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021."data-reference="Check Point Warzone Feb 2020">^{<a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0515"> S0515 </a> </td> <td> <a href="/software/S0515"> WellMail </a> </td> <td> <p><a href="/software/S0515">WellMail</a> can exfiltrate files from the victim machine.<span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020."data-reference="CISA WellMail July 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0514"> S0514 </a> </td> <td> <a href="/software/S0514"> WellMess </a> </td> <td> <p><a href="/software/S0514">WellMess</a> can send files from the victim machine to C2.<span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020."data-reference="PWC WellMess July 2020">^{<a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a>}</span><span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020."data-reference="CISA WellMess July 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0645"> S0645 </a> </td> <td> <a href="/software/S0645"> Wevtutil </a> </td> <td> <p><a href="/software/S0645">Wevtutil</a> can be used to export events from a specific log.<span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" title="Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021."data-reference="Wevtutil Microsoft Documentation">^{<a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a>}</span><span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" title="F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020."data-reference="F-Secure Lazarus Cryptocurrency Aug 2020">^{<a href="https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0124"> G0124 </a> </td> <td> <a href="/groups/G0124"> Windigo </a> </td> <td> <p><a href="/groups/G0124">Windigo</a> has used a script to gather credentials in files left on disk by OpenSSH backdoors.<span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a>}</span></p> </td> </tr> <tr> <td> <a href="/groups/G0102"> G0102 </a> </td> <td> <a href="/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/groups/G0102">Wizard Spider</a> has collected data from a compromised host prior to exfiltration.<span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021">^{<a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1065"> S1065 </a> </td> <td> <a href="/software/S1065"> Woody RAT </a> </td> <td> <p><a href="/software/S1065">Woody RAT</a> can collect information from a compromised host.<span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" title="MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022."data-reference="MalwareBytes WoodyRAT Aug 2022">^{<a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0653"> S0653 </a> </td> <td> <a href="/software/S0653"> xCaon </a> </td> <td> <p><a href="/software/S0653">xCaon</a> has uploaded files from victims' machines.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021."data-reference="Checkpoint IndigoZebra July 2021">^{<a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0658"> S0658 </a> </td> <td> <a href="/software/S0658"> XCSSET </a> </td> <td> <p><a href="/software/S0658">XCSSET</a> collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.<span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" title="Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021."data-reference="trendmicro xcsset xcode project 2020">^{<a href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0248"> S0248 </a> </td> <td> <a href="/software/S0248"> yty </a> </td> <td> <p><a href="/software/S0248">yty</a> collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" title="Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018."data-reference="ASERT Donot March 2018">^{<a href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0672"> S0672 </a> </td> <td> <a href="/software/S0672"> Zox </a> </td> <td> <p><a href="/software/S0672">Zox</a> has the ability to upload files from a targeted system.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom">^{<a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S0412"> S0412 </a> </td> <td> <a href="/software/S0412"> ZxShell </a> </td> <td> <p><a href="/software/S0412">ZxShell</a> can transfer files from a compromised host.<span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" title="Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019."data-reference="Talos ZxShell Oct 2014">^{<a href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a>}</span></p> </td> </tr> <tr> <td> <a href="/software/S1013"> S1013 </a> </td> <td> <a href="/software/S1013"> ZxxZ </a> </td> <td> <p><a href="/software/S1013">ZxxZ</a> can collect data from a compromised host.<span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" title="Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022."data-reference="Cisco Talos Bitter Bangladesh May 2022">^{<a href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/mitigations/M1057"> M1057 </a> </td> <td> <a href="/mitigations/M1057"> Data Loss Prevention </a> </td> <td> <p>Data loss prevention can restrict access to sensitive data and detect sensitive data that is unencrypted.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may search and collect local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. Remote access tools with built-in features may interact directly with the Windows API to gather data. Data may also be acquired through Windows system management tools such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a>.</p><p>For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Access">File Access</a> </td> <td> <p>Monitor for unexpected/abnormal access to files that may be malicious collection of local data, such as user files (pdf, .docx, .jpg, etc.) or local databases.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> <p>Monitor for API calls that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration. </p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Creation"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly executed processes that may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.</p> </td> </tr> <tr class="datasource" id="uses-DS0012"> <td> <a href="/datasources/DS0012">DS0012</a> </td> <td class="nowrap"> <a href="/datasources/DS0012">Script</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0012/#Script%20Execution">Script Execution</a> </td> <td> <p>Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. Data may also be acquired through Windows system management tools such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a>.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/fundamentals/command/cf_command_ref/show_protocols_through_showmon.html#wp2760878733" target="_blank"> Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://unit42.paloaltonetworks.com/agonizing-serpens-targets-israeli-tech-higher-ed-sectors/" target="_blank"> Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank"> Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://fsiceat.tistory.com/2" target="_blank"> FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://web.archive.org/web/20220328121326/https://boho.or.kr/filedownload.do?attach_file_seq=2695&attach_file_id=EpF2695.pdf" target="_blank"> KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/" target="_blank"> Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.justice.gov/file/1080281/download" target="_blank"> Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://documents.trendmicro.com/assets/white_papers/wp-pawn-storm-in-2019.pdf" target="_blank"> Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.mandiant.com/resources/blog/unc3524-eye-spy-email" target="_blank"> Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="http://carnal0wnage.attackresearch.com/2012/09/more-on-aptsim.html" target="_blank"> valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank"> DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank"> Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank"> CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank"> Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank"> Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank"> Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank"> Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank"> Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank"> Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank"> MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank"> CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank"> Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control" target="_blank"> Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank"> DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://securelist.com/calisto-trojan-for-macos/86543/" target="_blank"> Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank"> Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank"> Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank"> The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.rapid7.com/blog/post/2021/03/23/defending-against-the-zero-day-analyzing-attacker-behavior-post-exploitation-of-microsoft-exchange/" target="_blank"> Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank"> Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"> Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf" target="_blank"> F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank"> Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank"> N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank"> Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/" target="_blank"> Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.volexity.com/blog/2024/01/10/active-exploitation-of-two-zero-day-vulnerabilities-in-ivanti-connect-secure-vpn/" target="_blank"> Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank"> Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank"> SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19 </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank"> Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank"> Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank"> Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank"> ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.microsoft.com/en-us/security/blog/2023/06/14/cadet-blizzard-emerges-as-a-novel-and-distinct-russian-threat-actor/" target="_blank"> Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank"> US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank"> MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf?mkt_tok=MDAzLVlSVS0zMTQAAAF_PIlmhNTaG2McG4X_foM-cIr20UfyB12MIQ10W0HbtMRwxGOJaD0Xj6CRTNg_S-8KniRxtf9xzhz_ACvm_TpbJAIgWCV8yIsFgbhb8cuaZA" target="_blank"> Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.trendmicro.com/en_us/research/19/j/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops.html" target="_blank"> Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://web.archive.org/web/20181231220607/https://riskiq.com/blog/labs/magecart-british-airways-breach/" target="_blank"> Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://web.archive.org/web/20181209083100/https://www.riskiq.com/blog/labs/magecart-newegg/" target="_blank"> Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank"> Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank"> FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank"> Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank"> Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/" target="_blank"> Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://securelist.com/apt-trends-report-q1-2020/96826/" target="_blank"> Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://objective-see.com/blog/blog_0x68.html" target="_blank"> Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.group-ib.com/blog/grimagent/" target="_blank"> Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank"> Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank"> Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank"> CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank"> GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank"> Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank"> Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://github.com/offsecginger/koadic" target="_blank"> Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank"> Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank"> MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank"> Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="117.0"> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://securelist.com/apt-luminousmoth/103332/" target="_blank"> Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank"> Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank"> M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank"> Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion" target="_blank"> United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank"> Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/" target="_blank"> Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank"> Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://www.huntress.com/blog/cleartext-shenanigans-gifting-user-passwords-to-adversaries-with-nppspy" target="_blank"> Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf" target="_blank"> Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank"> Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank"> Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank"> ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" target="_blank"> Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank"> Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" target="_blank"> Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank"> Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank"> Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" target="_blank"> Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://redcanary.com/threat-detection-report/threats/qbot/" target="_blank"> Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank"> CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank"> Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" target="_blank"> S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank"> Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank"> Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware" target="_blank"> Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf" target="_blank"> TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://www.youtube.com/watch?v=fevGZs0EQu8" target="_blank"> Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank"> Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank"> Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank"> Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://research.nccgroup.com/2018/11/08/rokrat-analysis/" target="_blank"> Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank"> Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" target="_blank"> Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/" target="_blank"> Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://securelist.com/toddycat/106799/" target="_blank"> Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank"> Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank"> Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank"> Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://www.mandiant.com/resources/blog/suspected-apt-actors-leverage-bypass-techniques-pulse-secure-zero-day" target="_blank"> Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank"> Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank"> CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank"> CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank"> Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank"> MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank"> Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf" target="_blank"> Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://securelist.com/project-tajmahal/90240/" target="_blank"> GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="https://www.secureworks.com/research/bronze-union" target="_blank"> Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank"> Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank"> Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank"> Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank"> FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_URSNIF.SM?_ga=2.129468940.1462021705.1559742358-1202584019.1549394279" target="_blank"> Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank"> NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank"> Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank"> CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank"> CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil" target="_blank"> Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf" target="_blank"> F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank"> MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. </a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank"> Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank"> Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank"> Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank"> Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/theme/scripts/popper.min.js"></script> <script src="/theme/scripts/bootstrap-select.min.js"></script> <script src="/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/theme/scripts/site.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/theme/scripts/bootstrap-tourist.js"></script> <script src="/theme/scripts/settings.js"></script> <script src="/theme/scripts/tour/tour-techniques.js"></script> <script src="/theme/scripts/sidebar-load-all.js"></script> </body> </html>