
System Information Discovery, Technique T1082 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>System Information Discovery, Technique T1082 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs 
ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " 
aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/groups">Groups</a> <a class="dropdown-item" href="/software">Software</a> <a class="dropdown-item" href="/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/resources/">Get Started</a> <a class="dropdown-item" href="/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li 
class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">System Information Discovery</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> System Information Discovery </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and 
architecture. Adversaries may use the information from <a href="/techniques/T1082">System Information Discovery</a> during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.</p><p>Tools such as <a href="/software/S0096">Systeminfo</a> can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a <a href="/techniques/T1059/008">Network Device CLI</a> on network devices to gather detailed system information (e.g. <code>show version</code>).<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020." data-reference="US-CERT-TA18-106A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <a href="/techniques/T1082">System Information Discovery</a> combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Phil Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. 
Retrieved August 24, 2021."data-reference="OSX.FairyTale"><sup><a href="https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021."data-reference="20 macOS Common Tools and Techniques"><sup><a href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p><p>Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020."data-reference="Amazon Describe Instance"><sup><a href="https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020."data-reference="Google Instances Resource"><sup><a href="https://cloud.google.com/compute/docs/reference/rest/v1/instances" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Microsoft. (2019, March 1). Virtual Machines - Get. 
Retrieved October 8, 2019."data-reference="Microsoft Virutal Machine API"><sup><a href="https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1082 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques:&nbsp;</span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/tactics/TA0007">Discovery</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>IaaS, Linux, Network, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Austin Clark, @c2defense; Maril Vernon @shewhohacks; Praetorian </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>2.5 </div> </div> <div 
class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>15 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1082" href="/versions/v16/techniques/T1082/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1082" href="/versions/v16/techniques/T1082/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0065"> S0065 </a> </td> <td> <a href="/software/S0065"> 4H RAT </a> </td> <td> <p><a href="/software/S0065">4H RAT</a> sends an OS version identifier in its beacons.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. 
Retrieved January 22, 2016."data-reference="CrowdStrike Putter Panda"><sup><a href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1028"> S1028 </a> </td> <td> <a href="/software/S1028"> Action RAT </a> </td> <td> <p><a href="/software/S1028">Action RAT</a> has the ability to collect the hostname, OS version, and OS architecture of an infected host.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0018"> G0018 </a> </td> <td> <a href="/groups/G0018"> admin@338 </a> </td> <td> <p><a href="/groups/G0018">admin@338</a> actors used the following commands after exploiting a machine with <a href="/software/S0042">LOWBALL</a> malware to obtain information about the OS: <code>ver &gt;&gt; %temp%\download</code> <code>systeminfo &gt;&gt; %temp%\download</code><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. 
Retrieved December 4, 2015."data-reference="FireEye admin@338"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0045"> S0045 </a> </td> <td> <a href="/software/S0045"> ADVSTORESHELL </a> </td> <td> <p><a href="/software/S0045">ADVSTORESHELL</a> can run <a href="/software/S0096">Systeminfo</a> to gather information about the victim.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016."data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017."data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0331"> S0331 </a> </td> <td> <a href="/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/software/S0331">Agent Tesla</a> can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. 
Retrieved November 5, 2018."data-reference="Fortinet Agent Tesla April 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018."data-reference="Fortinet Agent Tesla June 2017"><sup><a href="https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020."data-reference="Malwarebytes Agent Tesla April 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1129"> S1129 </a> </td> <td> <a href="/software/S1129"> Akira </a> </td> <td> <p><a href="/software/S1129">Akira</a> uses the <code>GetSystemInfo</code> Windows function to determine the number of processors on a victim machine.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. 
Retrieved April 4, 2024."data-reference="Kersten Akira 2023"><sup><a href="https://www.trellix.com/blogs/research/akira-ransomware/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1025"> S1025 </a> </td> <td> <a href="/software/S1025"> Amadey </a> </td> <td> <p><a href="/software/S1025">Amadey</a> has collected the computer name and OS version from a compromised machine.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022."data-reference="BlackBerry Amadey 2020"><sup><a href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0504"> S0504 </a> </td> <td> <a href="/software/S0504"> Anchor </a> </td> <td> <p><a href="/software/S0504">Anchor</a> can determine the hostname and linux version on a compromised host.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. 
Retrieved September 10, 2020."data-reference="Medium Anchor DNS July 2020"><sup><a href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0584"> S0584 </a> </td> <td> <a href="/software/S0584"> AppleJeus </a> </td> <td> <p><a href="/software/S0584">AppleJeus</a> has collected the victim host information after infection.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021."data-reference="CISA AppleJeus Feb 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0622"> S0622 </a> </td> <td> <a href="/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/software/S0622">AppleSeed</a> can identify the OS version of a targeted system.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0026"> G0026 </a> </td> <td> <a href="/groups/G0026"> APT18 </a> </td> <td> <p><a href="/groups/G0026">APT18</a> can collect system information from the victim’s machine.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Grunzweig, J., et al. 
(2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018."data-reference="PaloAlto DNS Requests May 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0073"> G0073 </a> </td> <td> <a href="/groups/G0073"> APT19 </a> </td> <td> <p><a href="/groups/G0073">APT19</a> collected system architecture information. <a href="/groups/G0073">APT19</a> used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018."data-reference="FireEye APT19"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018."data-reference="Unit 42 C0d0so0 Jan 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0022"> G0022 </a> </td> <td> <a href="/groups/G0022"> APT3 </a> </td> <td> <p><a href="/groups/G0022">APT3</a> has a tool that can obtain information about the local system.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). 
Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye"><sup><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017."data-reference="evolution of pirpi"><sup><a href="https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0050"> G0050 </a> </td> <td> <a href="/groups/G0050"> APT32 </a> </td> <td> <p><a href="/groups/G0050">APT32</a> has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&amp;C server. <a href="/groups/G0050">APT32</a> executed shellcode to identify the name of the infected host.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018."data-reference="ESET OceanLotus"><sup><a href="https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. 
Retrieved April 1, 2019." data-reference="ESET OceanLotus Mar 2019"><sup><a href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019." data-reference="ESET OceanLotus macOS April 2019"><sup><a href="https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020." data-reference="FireEye APT32 April 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0067"> G0067 </a> </td> <td> <a href="/groups/G0067"> APT37 </a> </td> <td> <p><a href="/groups/G0067">APT37</a> collects the computer name, the BIOS model, and execution path.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. 
Retrieved May 21, 2018."data-reference="Talos Group123"><sup><a href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0082"> G0082 </a> </td> <td> <a href="/groups/G0082"> APT38 </a> </td> <td> <p><a href="/groups/G0082">APT38</a> has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021."data-reference="CISA AA20-239A BeagleBoyz August 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0096"> G0096 </a> </td> <td> <a href="/groups/G0096"> APT41 </a> </td> <td> <p><a href="/groups/G0096">APT41</a> uses multiple built-in commands such as <code>systeminfo</code> and <code>net config Workstation</code> to enumerate victim system basic configuration information.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024."data-reference="Rostovcev APT41 2021"><sup><a href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0143"> G0143 </a> </td> <td> <a href="/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/groups/G0143">Aquatic Panda</a> has used native OS commands to understand privilege levels and system details.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Wiley, B. 
et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022." data-reference="CrowdStrike AQUATIC PANDA December 2021"><sup><a href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0456"> S0456 </a> </td> <td> <a href="/software/S0456"> Aria-body </a> </td> <td> <p><a href="/software/S0456">Aria-body</a> has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020." data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0373"> S0373 </a> </td> <td> <a href="/software/S0373"> Astaroth </a> </td> <td> <p><a href="/software/S0373">Astaroth</a> collects the machine name and keyboard language from the system. <span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024." data-reference="Cofense Astaroth Sept 2018"><sup><a href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Salem, E. (2019, February 13). 
ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019."data-reference="Cybereason Astaroth Feb 2019"><sup><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1087"> S1087 </a> </td> <td> <a href="/software/S1087"> AsyncRAT </a> </td> <td> <p><a href="/software/S1087">AsyncRAT</a> can check the disk size through the values obtained with <code>DeviceInfo</code>.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0438"> S0438 </a> </td> <td> <a href="/software/S0438"> Attor </a> </td> <td> <p><a href="/software/S0438">Attor</a> monitors the free disk space on the system.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. 
Retrieved May 6, 2020."data-reference="ESET Attor Oct 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1029"> S1029 </a> </td> <td> <a href="/software/S1029"> AuTo Stealer </a> </td> <td> <p><a href="/software/S1029">AuTo Stealer</a> has the ability to collect the hostname and OS information from an infected host.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0473"> S0473 </a> </td> <td> <a href="/software/S0473"> Avenger </a> </td> <td> <p><a href="/software/S0473">Avenger</a> has the ability to identify the host volume ID and the OS architecture on a compromised host.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0344"> S0344 </a> </td> <td> <a href="/software/S0344"> Azorult </a> </td> <td> <p><a href="/software/S0344">Azorult</a> can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018."data-reference="Unit42 Azorult Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. 
Retrieved November 29, 2018."data-reference="Proofpoint Azorult July 2018"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0638"> S0638 </a> </td> <td> <a href="/software/S0638"> Babuk </a> </td> <td> <p><a href="/software/S0638">Babuk</a> can enumerate disk volumes, get disk information, and query service status.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021."data-reference="McAfee Babuk February 2021"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0414"> S0414 </a> </td> <td> <a href="/software/S0414"> BabyShark </a> </td> <td> <p><a href="/software/S0414">BabyShark</a> has executed the <code>ver</code> command.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019."data-reference="Unit42 BabyShark Feb 2019"><sup><a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0475"> S0475 </a> </td> <td> <a href="/software/S0475"> BackConfig </a> </td> <td> <p><a href="/software/S0475">BackConfig</a> has the ability to gather the victim's computer name.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Hinchliffe, A. and Falcone, R. (2020, May 11). 
Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."data-reference="Unit 42 BackConfig May 2020"><sup><a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0093"> S0093 </a> </td> <td> <a href="/software/S0093"> Backdoor.Oldrea </a> </td> <td> <p><a href="/software/S0093">Backdoor.Oldrea</a> collects information about the OS and computer name.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly"><sup><a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021."data-reference="Gigamon Berserk Bear October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0031"> S0031 </a> </td> <td> <a href="/software/S0031"> BACKSPACE </a> </td> <td> <p>During its initial execution, <a href="/software/S0031">BACKSPACE</a> extracts operating system information from the infected host.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="FireEye Labs. 
(2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015."data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0245"> S0245 </a> </td> <td> <a href="/software/S0245"> BADCALL </a> </td> <td> <p><a href="/software/S0245">BADCALL</a> collects the computer name and host name on the compromised system.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018."data-reference="US-CERT BADCALL"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0642"> S0642 </a> </td> <td> <a href="/software/S0642"> BADFLICK </a> </td> <td> <p><a href="/software/S0642">BADFLICK</a> has captured victim computer name, memory space, and CPU details.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. 
Retrieved August 24, 2021."data-reference="Accenture MUDCARP March 2019"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1081"> S1081 </a> </td> <td> <a href="/software/S1081"> BADHATCH </a> </td> <td> <p><a href="/software/S1081">BADHATCH</a> can obtain current system information from a compromised machine such as the <code>SHELL PID</code>, <code>PSVERSION</code>, <code>HOSTNAME</code>, <code>LOGONSERVER</code>, <code>LASTBOOTUP</code>, drive information, OS type/version, bitness, and hostname.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021."data-reference="Gigamon BADHATCH Jul 2019"><sup><a href="https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. 
Retrieved September 8, 2021."data-reference="BitDefender BADHATCH Mar 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0337"> S0337 </a> </td> <td> <a href="/software/S0337"> BadPatch </a> </td> <td> <p><a href="/software/S0337">BadPatch</a> collects the OS, OS version, MAC address, and the computer name from the victim’s machine.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018."data-reference="Unit 42 BadPatch Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0234"> S0234 </a> </td> <td> <a href="/software/S0234"> Bandook </a> </td> <td> <p><a href="/software/S0234">Bandook</a> can collect information about the drives available on the system.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021."data-reference="CheckPoint Bandook Nov 2020"><sup><a href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0239"> S0239 </a> </td> <td> <a href="/software/S0239"> Bankshot </a> </td> <td> <p><a href="/software/S0239">Bankshot</a> gathers system information, network addresses, disk type, disk free space, and the operating system version.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 08). 
Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018."data-reference="McAfee Bankshot"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span><span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018."data-reference="US-CERT Bankshot Dec 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0534"> S0534 </a> </td> <td> <a href="/software/S0534"> Bazar </a> </td> <td> <p><a href="/software/S0534">Bazar</a> can fingerprint architecture, computer name, and OS version on the compromised host. <a href="/software/S0534">Bazar</a> can also check if the Russian language is installed on the infected machine and terminate if it is found.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. 
Retrieved December 1, 2020."data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0017"> S0017 </a> </td> <td> <a href="/software/S0017"> BISCUIT </a> </td> <td> <p><a href="/software/S0017">BISCUIT</a> has a command to collect the processor type, operating system, computer name, and whether the system is a laptop or PC.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0268"> S0268 </a> </td> <td> <a href="/software/S0268"> Bisonal </a> </td> <td> <p><a href="/software/S0268">Bisonal</a> has used commands and API calls to gather system information.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018."data-reference="Unit 42 Bisonal July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. 
Retrieved May 5, 2021."data-reference="Kaspersky CactusPete Aug 2020"><sup><a href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span><span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020"><sup><a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1070"> S1070 </a> </td> <td> <a href="/software/S1070"> Black Basta </a> </td> <td> <p><a href="/software/S1070">Black Basta</a> can enumerate volumes and collect system boot configuration and CPU information.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023."data-reference="Minerva Labs Black Basta May 2022"><sup><a href="https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. 
Retrieved March 7, 2023."data-reference="Cyble Black Basta May 2022"><sup><a href="https://blog.cyble.com/2022/05/06/black-basta-ransomware/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1068"> S1068 </a> </td> <td> <a href="/software/S1068"> BlackCat </a> </td> <td> <p><a href="/software/S1068">BlackCat</a> can obtain the computer name and UUID, and enumerate local drives.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022."data-reference="Microsoft BlackCat Jun 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0089"> S0089 </a> </td> <td> <a href="/software/S0089"> BlackEnergy </a> </td> <td> <p><a href="/software/S0089">BlackEnergy</a> has used <a href="/software/S0096">Systeminfo</a> to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016."data-reference="F-Secure BlackEnergy 2014"><sup><a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. 
Retrieved March 24, 2016."data-reference="Securelist BlackEnergy Nov 2014"><sup><a href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0564"> S0564 </a> </td> <td> <a href="/software/S0564"> BlackMould </a> </td> <td> <p><a href="/software/S0564">BlackMould</a> can enumerate local drives on a compromised host.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021."data-reference="Microsoft GALLIUM December 2019"><sup><a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0520"> S0520 </a> </td> <td> <a href="/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/software/S0520">BLINDINGCAN</a> has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. 
Retrieved August 19, 2020."data-reference="US-CERT BLINDINGCAN Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0108"> G0108 </a> </td> <td> <a href="/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/groups/G0108">Blue Mockingbird</a> has collected hardware details for the victim's system, including CPU and memory information.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."data-reference="RedCanary Mockingbird May 2020"><sup><a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0657"> S0657 </a> </td> <td> <a href="/software/S0657"> BLUELIGHT </a> </td> <td> <p><a href="/software/S0657">BLUELIGHT</a> has collected the computer name and OS version from victim machines.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. 
Retrieved September 30, 2021."data-reference="Volexity InkySquid BLUELIGHT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0486"> S0486 </a> </td> <td> <a href="/software/S0486"> Bonadan </a> </td> <td> <p><a href="/software/S0486">Bonadan</a> has discovered the OS version, CPU model, and RAM size of the system it has been installed on.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0635"> S0635 </a> </td> <td> <a href="/software/S0635"> BoomBox </a> </td> <td> <p><a href="/software/S0635">BoomBox</a> can enumerate the hostname, domain, and IP of a compromised host.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0252"> S0252 </a> </td> <td> <a href="/software/S0252"> Brave Prince </a> </td> <td> <p><a href="/software/S0252">Brave Prince</a> collects hard drive content and system configuration information.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0043"> S0043 </a> </td> <td> <a href="/software/S0043"> BUBBLEWRAP </a> </td> <td> <p><a href="/software/S0043">BUBBLEWRAP</a> collects system information, including the operating system version and hostname.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. 
Retrieved December 4, 2015."data-reference="FireEye admin@338"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0471"> S0471 </a> </td> <td> <a href="/software/S0471"> build_downer </a> </td> <td> <p><a href="/software/S0471">build_downer</a> has the ability to send system volume information to C2.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1039"> S1039 </a> </td> <td> <a href="/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/software/S1039">Bumblebee</a> can enumerate the OS version and domain on a targeted system.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022."data-reference="Google EXOTIC LILY March 2022"><sup><a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. 
Retrieved August 22, 2022."data-reference="Proofpoint Bumblebee April 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022."data-reference="Symantec Bumblebee June 2022"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0482"> S0482 </a> </td> <td> <a href="/software/S0482"> Bundlore </a> </td> <td> <p><a href="/software/S0482">Bundlore</a> will enumerate the macOS version to determine which follow-on behaviors to execute using <code>/usr/bin/sw_vers -productVersion</code>.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020."data-reference="MacKeeper Bundlore Apr 2019"><sup><a href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. 
Retrieved August 23, 2021."data-reference="20 macOS Common Tools and Techniques"><sup><a href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <a href="/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/groups/G0096">APT41</a> issued <code>ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+</code> commands to find the volume serial number of compromised systems.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0693"> S0693 </a> </td> <td> <a href="/software/S0693"> CaddyWiper </a> </td> <td> <p><a href="/software/S0693">CaddyWiper</a> can use <code>DsRoleGetPrimaryDomainInformation</code> to determine the role of the infected machine. <a href="/software/S0693">CaddyWiper</a> can also halt execution if the compromised host is identified as a domain controller.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. 
Retrieved March 23, 2022."data-reference="Cisco CaddyWiper March 2022"><sup><a href="https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span><span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022."data-reference="Malwarebytes IssacWiper CaddyWiper March 2022 "><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0454"> S0454 </a> </td> <td> <a href="/software/S0454"> Cadelspy </a> </td> <td> <p><a href="/software/S0454">Cadelspy</a> has the ability to discover information about the compromised host.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019."data-reference="Symantec Chafer Dec 2015"><sup><a href="https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0351"> S0351 </a> </td> <td> <a href="/software/S0351"> Cannon </a> </td> <td> <p><a href="/software/S0351">Cannon</a> can gather system information from the victim’s machine such as the OS version, machine name, and drive information.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. 
Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span><span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0484"> S0484 </a> </td> <td> <a href="/software/S0484"> Carberp </a> </td> <td> <p><a href="/software/S0484">Carberp</a> has collected the operating system version from the infected system.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024."data-reference="Prevx Carberp March 2011"><sup><a href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0348"> S0348 </a> </td> <td> <a href="/software/S0348"> Cardinal RAT </a> </td> <td> <p><a href="/software/S0348">Cardinal RAT</a> can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. 
Retrieved December 8, 2018."data-reference="PaloAlto CardinalRat Apr 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0462"> S0462 </a> </td> <td> <a href="/software/S0462"> CARROTBAT </a> </td> <td> <p><a href="/software/S0462">CARROTBAT</a> has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020."data-reference="Unit 42 CARROTBAT November 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span><span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. 
Retrieved June 2, 2020." data-reference="Unit 42 CARROTBAT January 2020"><sup><a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0572"> S0572 </a> </td> <td> <a href="/software/S0572"> Caterpillar WebShell </a> </td> <td> <p><a href="/software/S0572">Caterpillar WebShell</a> has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2021, January). &quot;Lebanese Cedar&quot; APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021." data-reference="ClearSky Lebanese Cedar Jan 2021"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0631"> S0631 </a> </td> <td> <a href="/software/S0631"> Chaes </a> </td> <td> <p><a href="/software/S0631">Chaes</a> has collected system information, including the machine name and OS version.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. 
Retrieved June 30, 2021."data-reference="Cybereason Chaes Nov 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0674"> S0674 </a> </td> <td> <a href="/software/S0674"> CharmPower </a> </td> <td> <p><a href="/software/S0674">CharmPower</a> can enumerate the OS version and computer name on a targeted system.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0144"> S0144 </a> </td> <td> <a href="/software/S0144"> ChChes </a> </td> <td> <p><a href="/software/S0144">ChChes</a> collects the victim hostname, window resolution, and Microsoft Windows version.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017."data-reference="Palo Alto menuPass Feb 2017"><sup><a href="http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span><span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. 
Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0114"> G0114 </a> </td> <td> <a href="/groups/G0114"> Chimera </a> </td> <td> <p><a href="/groups/G0114">Chimera</a> has used <code>fsutil fsinfo drives</code>, <code>systeminfo</code>, and <code>vssadmin list shadows</code> for system information including shadow volumes and drive information.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021"><sup><a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0667"> S0667 </a> </td> <td> <a href="/software/S0667"> Chrommme </a> </td> <td> <p><a href="/software/S0667">Chrommme</a> has the ability to list drives and obtain the computer name of a compromised host.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. 
Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0660"> S0660 </a> </td> <td> <a href="/software/S0660"> Clambling </a> </td> <td> <p><a href="/software/S0660">Clambling</a> can discover the hostname, computer name, and Windows version of a targeted machine.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span><span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021."data-reference="Talent-Jump Clambling February 2020"><sup><a href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0106"> S0106 </a> </td> <td> <a href="/software/S0106"> cmd </a> </td> <td> <p><a href="/software/S0106">cmd</a> can be used to find information about the operating system.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Microsoft. (n.d.). Dir. 
Retrieved April 18, 2016."data-reference="TechNet Dir"><sup><a href="https://technet.microsoft.com/en-us/library/cc755121.aspx" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0244"> S0244 </a> </td> <td> <a href="/software/S0244"> Comnie </a> </td> <td> <p><a href="/software/S0244">Comnie</a> collects the hostname of the victim machine.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018."data-reference="Palo Alto Comnie"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0142"> G0142 </a> </td> <td> <a href="/groups/G0142"> Confucius </a> </td> <td> <p><a href="/groups/G0142">Confucius</a> has used a file stealer that can examine system drives, including those other than the C drive.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. 
Retrieved December 26, 2021."data-reference="TrendMicro Confucius APT Aug 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0137"> S0137 </a> </td> <td> <a href="/software/S0137"> CORESHELL </a> </td> <td> <p><a href="/software/S0137">CORESHELL</a> collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015."data-reference="FireEye APT28"><sup><a href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1155"> S1155 </a> </td> <td> <a href="/software/S1155"> Covenant </a> </td> <td> <p><a href="/software/S1155">Covenant</a> implants can gather basic information on infected systems.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024."data-reference="Github Covenant"><sup><a href="https://github.com/cobbr/Covenant" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0046"> S0046 </a> </td> <td> <a href="/software/S0046"> CozyCar </a> </td> <td> <p>A system info module in <a href="/software/S0046">CozyCar</a> gathers information on the victim host’s configuration.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="F-Secure Labs. (2015, April 22). 
CozyDuke: Malware Analysis. Retrieved December 10, 2015."data-reference="F-Secure CozyDuke"><sup><a href="https://www.f-secure.com/documents/996508/1030745/CozyDuke" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0488"> S0488 </a> </td> <td> <a href="/software/S0488"> CrackMapExec </a> </td> <td> <p><a href="/software/S0488">CrackMapExec</a> can enumerate the system drives and associated system name.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020."data-reference="CME Github September 2018"><sup><a href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0115"> S0115 </a> </td> <td> <a href="/software/S0115"> Crimson </a> </td> <td> <p><a href="/software/S0115">Crimson</a> contains a command to collect the victim PC name, disk drive information, and operating system.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016."data-reference="Proofpoint Operation Transparent Tribe March 2016"><sup><a href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span><span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. 
Retrieved September 2, 2021."data-reference="Kaspersky Transparent Tribe August 2020"><sup><a href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022."data-reference="Cisco Talos Transparent Tribe Education Campaign July 2022"><sup><a href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0625"> S0625 </a> </td> <td> <a href="/software/S0625"> Cuba </a> </td> <td> <p><a href="/software/S0625">Cuba</a> can enumerate local drives, disk type, and disk free space.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1153"> S1153 </a> </td> <td> <a href="/software/S1153"> Cuckoo Stealer </a> </td> <td> <p><a href="/software/S1153">Cuckoo Stealer</a> can gather information about the OS version and hardware on compromised hosts.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. 
Retrieved August 20, 2024."data-reference="Kandji Cuckoo April 2024"><sup><a href="https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024."data-reference="SentinelOne Cuckoo Stealer May 2024"><sup><a href="https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1012"> G1012 </a> </td> <td> <a href="/groups/G1012"> CURIUM </a> </td> <td> <p><a href="/groups/G1012">CURIUM</a> deploys information gathering tools focused on capturing IP configuration, running application, system information, and network connectivity information.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2019, September 18). Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks. Retrieved May 20, 2024."data-reference="Symantec Tortoiseshell 2019"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0029"> C0029 </a> </td> <td> <a href="/campaigns/C0029"> Cutting Edge </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0029">Cutting Edge</a>, threat actors used the ENUM4LINUX Perl script for discovery on Windows and Samba hosts.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Lin, M. et al. (2024, January 31). 
Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024."data-reference="Mandiant Cutting Edge Part 2 January 2024"><sup><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0687"> S0687 </a> </td> <td> <a href="/software/S0687"> Cyclops Blink </a> </td> <td> <p><a href="/software/S0687">Cyclops Blink</a> has the ability to query device information.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022."data-reference="NCSC Cyclops Blink February 2022"><sup><a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1034"> G1034 </a> </td> <td> <a href="/groups/G1034"> Daggerfly </a> </td> <td> <p><a href="/groups/G1034">Daggerfly</a> utilizes victim machine operating system information to create custom User Agent strings for subsequent command and control communication.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. 
Retrieved July 25, 2024."data-reference="ESET EvasivePanda 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0334"> S0334 </a> </td> <td> <a href="/software/S0334"> DarkComet </a> </td> <td> <p><a href="/software/S0334">DarkComet</a> can collect the computer name, RAM used, and operating system version from the victim’s machine.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018."data-reference="TrendMicro DarkComet Sept 2014"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span><span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018."data-reference="Malwarebytes DarkComet March 2018"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1111"> S1111 </a> </td> <td> <a href="/software/S1111"> DarkGate </a> </td> <td> <p><a href="/software/S1111">DarkGate</a> uses the Delphi methods <code>Sysutils::DiskSize</code> and <code>GlobalMemoryStatusEx</code> to collect disk size and physical memory as part of the malware's anti-analysis checks for running in a virtualized environment.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. 
Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span> <a href="/software/S1111">DarkGate</a> will gather various system information such as display adapter description, operating system type and version, processor type, and RAM amount.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024."data-reference="Ensilo Darkgate 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0012"> G0012 </a> </td> <td> <a href="/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/groups/G0012">Darkhotel</a> has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018."data-reference="Securelist Darkhotel Aug 2015"><sup><a href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span><span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . 
Retrieved March 31, 2021."data-reference="Microsoft DUBNIUM July 2016"><sup><a href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1066"> S1066 </a> </td> <td> <a href="/software/S1066"> DarkTortilla </a> </td> <td> <p><a href="/software/S1066">DarkTortilla</a> can obtain system information by querying the <code>Win32_ComputerSystem</code>, <code>Win32_BIOS</code>, <code>Win32_MotherboardDevice</code>, <code>Win32_PnPEntity</code>, and <code>Win32_DiskDrive</code> WMI objects.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022."data-reference="Secureworks DarkTortilla Aug 2022"><sup><a href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0673"> S0673 </a> </td> <td> <a href="/software/S0673"> DarkWatchman </a> </td> <td> <p><a href="/software/S0673">DarkWatchman</a> can collect the OS version, system architecture, and computer name.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. 
Retrieved January 10, 2022."data-reference="Prevailion DarkWatchman 2021"><sup><a href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1052"> S1052 </a> </td> <td> <a href="/software/S1052"> DEADEYE </a> </td> <td> <p><a href="/software/S1052">DEADEYE</a> can enumerate a victim computer's volume serial number and host name.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0616"> S0616 </a> </td> <td> <a href="/software/S0616"> DEATHRANSOM </a> </td> <td> <p><a href="/software/S0616">DEATHRANSOM</a> can enumerate logical drives on a target system.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. 
Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0354"> S0354 </a> </td> <td> <a href="/software/S0354"> Denis </a> </td> <td> <p><a href="/software/S0354">Denis</a> collects OS information and the computer name from the victim’s machine.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018."data-reference="Securelist Denis April 2017"><sup><a href="https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span><span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0021"> S0021 </a> </td> <td> <a href="/software/S0021"> Derusbi </a> </td> <td> <p><a href="/software/S0021">Derusbi</a> gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. 
Retrieved March 2, 2016."data-reference="Fidelis Turbo"><sup><a href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0659"> S0659 </a> </td> <td> <a href="/software/S0659"> Diavol </a> </td> <td> <p><a href="/software/S0659">Diavol</a> can collect the computer name and OS version from the system.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021."data-reference="Fortinet Diavol July 2021"><sup><a href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0472"> S0472 </a> </td> <td> <a href="/software/S0472"> down_new </a> </td> <td> <p><a href="/software/S0472">down_new</a> has the ability to identify the system volume information of a compromised host.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. 
Retrieved June 9, 2020."data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0186"> S0186 </a> </td> <td> <a href="/software/S0186"> DownPaper </a> </td> <td> <p><a href="/software/S0186">DownPaper</a> collects the victim host name and serial number, and then sends the information to the C2 server.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017."data-reference="ClearSky Charming Kitten Dec 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0384"> S0384 </a> </td> <td> <a href="/software/S0384"> Dridex </a> </td> <td> <p><a href="/software/S0384">Dridex</a> has collected the computer name and OS architecture information from the system.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. 
Retrieved September 7, 2021."data-reference="Checkpoint Dridex Jan 2021"><sup><a href="https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0547"> S0547 </a> </td> <td> <a href="/software/S0547"> DropBook </a> </td> <td> <p><a href="/software/S0547">DropBook</a> has checked for the presence of Arabic language in the infected machine's settings.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0105"> S0105 </a> </td> <td> <a href="/software/S0105"> dsquery </a> </td> <td> <p><a href="/software/S0105">dsquery</a> has the ability to enumerate various information, such as the operating system and host name, for systems within a domain.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. 
Retrieved July 8, 2022."data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0567"> S0567 </a> </td> <td> <a href="/software/S0567"> Dtrack </a> </td> <td> <p><a href="/software/S0567">Dtrack</a> can collect the victim's computer name, hostname and adapter information to create a unique identifier.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021."data-reference="Securelist Dtrack"><sup><a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span><span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021."data-reference="CyberBit Dtrack"><sup><a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1159"> S1159 </a> </td> <td> <a href="/software/S1159"> DUSTTRAP </a> </td> <td> <p><a href="/software/S1159">DUSTTRAP</a> reads the value of the infected system's <code>HKLM\SYSTEM\Microsoft\Cryptography\MachineGUID</code> value.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. 
Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0062"> S0062 </a> </td> <td> <a href="/software/S0062"> DustySky </a> </td> <td> <p><a href="/software/S0062">DustySky</a> extracts basic information about the operating system.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."data-reference="DustySky"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0024"> S0024 </a> </td> <td> <a href="/software/S0024"> Dyre </a> </td> <td> <p><a href="/software/S0024">Dyre</a> has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."data-reference="Malwarebytes Dyreza November 2015"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0554"> S0554 </a> </td> <td> <a href="/software/S0554"> Egregor </a> </td> <td> <p><a href="/software/S0554">Egregor</a> can perform a language check of the infected system and can query the CPU information (cpuid).<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Joe Security. (n.d.). Analysis Report fasm.dll. 
Retrieved January 6, 2021."data-reference="JoeSecurity Egregor 2020"><sup><a href="https://www.joesandbox.com/analysis/318027/0/html" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span><span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020."data-reference="NHS Digital Egregor Nov 2020"><sup><a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0081"> S0081 </a> </td> <td> <a href="/software/S0081"> Elise </a> </td> <td> <p><a href="/software/S0081">Elise</a> executes <code>systeminfo</code> after initial communication is made to the remote server.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016."data-reference="Lotus Blossom Jun 2015"><sup><a href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0082"> S0082 </a> </td> <td> <a href="/software/S0082"> Emissary </a> </td> <td> <p><a href="/software/S0082">Emissary</a> has the capability to execute ver and systeminfo commands.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. 
Retrieved February 15, 2016."data-reference="Emissary Trojan Feb 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0363"> S0363 </a> </td> <td> <a href="/software/S0363"> Empire </a> </td> <td> <p><a href="/software/S0363">Empire</a> can enumerate host system information like OS, architecture, domain name, applied patches, and more.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span><span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0634"> S0634 </a> </td> <td> <a href="/software/S0634"> EnvyScout </a> </td> <td> <p><a href="/software/S0634">EnvyScout</a> can determine whether the ISO payload was received by a Windows or iOS device.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. 
Retrieved August 4, 2021."data-reference="MSTIC Nobelium Toolset May 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0091"> S0091 </a> </td> <td> <a href="/software/S0091"> Epic </a> </td> <td> <p><a href="/software/S0091">Epic</a> collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018."data-reference="Kaspersky Turla Aug 2014"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0568"> S0568 </a> </td> <td> <a href="/software/S0568"> EVILNUM </a> </td> <td> <p><a href="/software/S0568">EVILNUM</a> can obtain the computer name from the victim's system.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Adamitis, D. (2020, May 6). Phantom in the Command Shell. 
Retrieved December 22, 2021."data-reference="Prevailion EvilNum May 2020"><sup><a href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0569"> S0569 </a> </td> <td> <a href="/software/S0569"> Explosive </a> </td> <td> <p><a href="/software/S0569">Explosive</a> has collected the computer name from the infected host.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021."data-reference="CheckPoint Volatile Cedar March 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0181"> S0181 </a> </td> <td> <a href="/software/S0181"> FALLCHILL </a> </td> <td> <p><a href="/software/S0181">FALLCHILL</a> can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. 
Retrieved December 7, 2017."data-reference="US-CERT FALLCHILL Nov 2017"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA17-318A" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0512"> S0512 </a> </td> <td> <a href="/software/S0512"> FatDuke </a> </td> <td> <p><a href="/software/S0512">FatDuke</a> can collect the user name, Windows version, computer name, and available space on discs from a compromised host.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0171"> S0171 </a> </td> <td> <a href="/software/S0171"> Felismus </a> </td> <td> <p><a href="/software/S0171">Felismus</a> collects the system information, including hostname and OS version, and sends it to the C2 server.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. 
Retrieved November 16, 2017."data-reference="Forcepoint Felismus Mar 2017"><sup><a href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0267"> S0267 </a> </td> <td> <a href="/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/software/S0267">FELIXROOT</a> collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018."data-reference="FireEye FELIXROOT July 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span><span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0679"> S0679 </a> </td> <td> <a href="/software/S0679"> Ferocious </a> </td> <td> <p><a href="/software/S0679">Ferocious</a> can use <code>GET.WORKSPACE</code> in Microsoft Excel to determine the OS version of the compromised host.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. 
Retrieved February 1, 2022."data-reference="Kaspersky WIRTE November 2021"><sup><a href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1016"> G1016 </a> </td> <td> <a href="/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/groups/G1016">FIN13</a> has collected local host information by utilizing Windows commands <code>systeminfo</code>, <code>fsutil</code>, and <code>fsinfo</code>. <a href="/groups/G1016">FIN13</a> has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve host information.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span><span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. 
Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022"><sup><a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0061"> G0061 </a> </td> <td> <a href="/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/groups/G0061">FIN8</a> has used PowerShell Scripts to check the architecture of a compromised machine before the selection of a 32-bit or 64-bit version of a malicious .NET loader.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023."data-reference="Symantec FIN8 Jul 2023"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0355"> S0355 </a> </td> <td> <a href="/software/S0355"> Final1stspy </a> </td> <td> <p><a href="/software/S0355">Final1stspy</a> obtains victim Microsoft Windows version information and CPU architecture.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. 
Retrieved November 5, 2018."data-reference="Unit 42 Nokki Oct 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0182"> S0182 </a> </td> <td> <a href="/software/S0182"> FinFisher </a> </td> <td> <p><a href="/software/S0182">FinFisher</a> checks if the victim OS is 32 or 64-bit.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="FinFisher. (n.d.). Retrieved September 12, 2024."data-reference="FinFisher Citation"><sup><a href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span><span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018."data-reference="Microsoft FinFisher March 2018"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0381"> S0381 </a> </td> <td> <a href="/software/S0381"> FlawedAmmyy </a> </td> <td> <p><a href="/software/S0381">FlawedAmmyy</a> can collect the victim's operating system and computer name during the initial infection.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. 
Retrieved May 28, 2019."data-reference="Proofpoint TA505 Mar 2018"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0001"> C0001 </a> </td> <td> <a href="/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors used <a href="/software/S0363">Empire</a> to obtain the compromised machine's name.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1044"> S1044 </a> </td> <td> <a href="/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/software/S1044">FunnyDream</a> can enumerate all logical drives on a targeted machine.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. 
Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0007"> C0007 </a> </td> <td> <a href="/campaigns/C0007"> FunnyDream </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0007">FunnyDream</a>, the threat actors used <a href="/software/S0096">Systeminfo</a> to collect information on targeted hosts.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0410"> S0410 </a> </td> <td> <a href="/software/S0410"> Fysbis </a> </td> <td> <p><a href="/software/S0410">Fysbis</a> has used the command <code>ls /etc | egrep -e"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release"</code> to determine which Linux OS version is running.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. 
Retrieved September 10, 2017."data-reference="Fysbis Palo Alto Analysis"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0047"> G0047 </a> </td> <td> <a href="/groups/G0047"> Gamaredon Group </a> </td> <td> <p>A <a href="/groups/G0047">Gamaredon Group</a> file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017."data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span><span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020."data-reference="TrendMicro Gamaredon April 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span><span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. 
Retrieved February 17, 2022."data-reference="CERT-EE Gamaredon January 2021"><sup><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0666"> S0666 </a> </td> <td> <a href="/software/S0666"> Gelsemium </a> </td> <td> <p><a href="/software/S0666">Gelsemium</a> can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021."data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0460"> S0460 </a> </td> <td> <a href="/software/S0460"> Get2 </a> </td> <td> <p><a href="/software/S0460">Get2</a> has the ability to identify the computer name and Windows version of an infected host.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. 
Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0032"> S0032 </a> </td> <td> <a href="/software/S0032"> gh0st RAT </a> </td> <td> <p><a href="/software/S0032">gh0st RAT</a> has gathered system architecture, processor, OS configuration, and installed hardware information.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020."data-reference="Gh0stRAT ATT March 2019"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0249"> S0249 </a> </td> <td> <a href="/software/S0249"> Gold Dragon </a> </td> <td> <p><a href="/software/S0249">Gold Dragon</a> collects endpoint information using the <code>systeminfo</code> command.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. 
Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0493"> S0493 </a> </td> <td> <a href="/software/S0493"> GoldenSpy </a> </td> <td> <p><a href="/software/S0493">GoldenSpy</a> has gathered operating system information.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020."data-reference="Trustwave GoldenSpy June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1138"> S1138 </a> </td> <td> <a href="/software/S1138"> Gootloader </a> </td> <td> <p><a href="/software/S1138">Gootloader</a> can inspect the User-Agent string in GET request header information to determine the operating system of targeted systems.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Szappanos, G. &amp; Brandt, A. (2021, March 1). &quot;Gootloader&quot; expands its payload delivery options. 
Retrieved September 30, 2022."data-reference="Sophos Gootloader"><sup><a href="https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0531"> S0531 </a> </td> <td> <a href="/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/software/S0531">Grandoreiro</a> can collect the computer name and OS version from a compromised host.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020."data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0237"> S0237 </a> </td> <td> <a href="/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/software/S0237">GravityRAT</a> collects the MAC address, computer name, and CPU information.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018."data-reference="Talos GravityRAT"><sup><a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0690"> S0690 </a> </td> <td> <a href="/software/S0690"> Green Lambert </a> </td> <td> <p><a href="/software/S0690">Green Lambert</a> can use <code>uname</code> to identify the operating system name, version, and processor type.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Sandvik, Runa. 
(2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022."data-reference="Objective See Green Lambert for OSX Oct 2021"><sup><a href="https://objective-see.com/blog/blog_0x68.html" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span><span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="Sandvik, Runa. (2021, October 18). Green Lambert and ATT&amp;CK. Retrieved March 21, 2022."data-reference="Glitch-Cat Green Lambert ATTCK Oct 2021"><sup><a href="https://www.glitch-cat.com/blog/green-lambert-and-attack" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0417"> S0417 </a> </td> <td> <a href="/software/S0417"> GRIFFON </a> </td> <td> <p><a href="/software/S0417">GRIFFON</a> has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig &quot;FIN7&quot; continues its activities. Retrieved October 11, 2019."data-reference="SecureList Griffon May 2019"><sup><a href="https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0632"> S0632 </a> </td> <td> <a href="/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/software/S0632">GrimAgent</a> can collect the OS and build version on a compromised host.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. 
Retrieved September 19, 2024."data-reference="Group IB GrimAgent July 2021"><sup><a href="https://www.group-ib.com/blog/grimagent/" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0151"> S0151 </a> </td> <td> <a href="/software/S0151"> HALFBAKED </a> </td> <td> <p><a href="/software/S0151">HALFBAKED</a> can obtain information about the OS, processor, and BIOS.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017."data-reference="FireEye FIN7 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0214"> S0214 </a> </td> <td> <a href="/software/S0214"> HAPPYWORK </a> </td> <td> <p><a href="/software/S0214">HAPPYWORK</a> can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0391"> S0391 </a> </td> <td> <a href="/software/S0391"> HAWKBALL </a> </td> <td> <p><a href="/software/S0391">HAWKBALL</a> can collect the OS version, architecture information, and computer name.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Patil, S. and Williams, M. (2019, June 5). 
Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019."data-reference="FireEye HAWKBALL Jun 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0617"> S0617 </a> </td> <td> <a href="/software/S0617"> HELLOKITTY </a> </td> <td> <p><a href="/software/S0617">HELLOKITTY</a> can enumerate logical drives on a target system.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0697"> S0697 </a> </td> <td> <a href="/software/S0697"> HermeticWiper </a> </td> <td> <p><a href="/software/S0697">HermeticWiper</a> can determine the OS version, bitness, and enumerate physical drives on a targeted host.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022."data-reference="SentinelOne Hermetic Wiper February 2022"><sup><a href="https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span><span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Thomas, W. et al. 
(2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022."data-reference="Crowdstrike DriveSlayer February 2022"><sup><a href="https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span><span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022."data-reference="ESET Hermetic Wizard March 2022"><sup><a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span><span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022."data-reference="Qualys Hermetic Wiper March 2022"><sup><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1001"> G1001 </a> </td> <td> <a href="/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/groups/G1001">HEXANE</a> has collected the hostname of a compromised machine.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. 
Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1027"> S1027 </a> </td> <td> <a href="/software/S1027"> Heyoka Backdoor </a> </td> <td> <p><a href="/software/S1027">Heyoka Backdoor</a> can enumerate drives on a compromised host.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0126"> G0126 </a> </td> <td> <a href="/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/groups/G0126">Higaisa</a> collected the system volume serial number, GUID, and computer name.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021."data-reference="PTSecurity Higaisa 2020"><sup><a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span><span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. 
Retrieved March 2, 2021."data-reference="Malwarebytes Higaisa 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0601"> S0601 </a> </td> <td> <a href="/software/S0601"> Hildegard </a> </td> <td> <p><a href="/software/S0601">Hildegard</a> has collected the host's OS, CPU, and memory information.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0376"> S0376 </a> </td> <td> <a href="/software/S0376"> HOPLIGHT </a> </td> <td> <p><a href="/software/S0376">HOPLIGHT</a> has been observed collecting victim machine information like OS version, volume information, and more.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. 
Retrieved April 19, 2019."data-reference="US-CERT HOPLIGHT Apr 2019"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0431"> S0431 </a> </td> <td> <a href="/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/software/S0431">HotCroissant</a> has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020."data-reference="US-CERT HOTCROISSANT February 2020"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045d" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0203"> S0203 </a> </td> <td> <a href="/software/S0203"> Hydraq </a> </td> <td> <p><a href="/software/S0203">Hydraq</a> creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Lelli, A. (2010, January 11). Trojan.Hydraq. 
Retrieved February 20, 2018."data-reference="Symantec Hydraq Jan 2010"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1022"> S1022 </a> </td> <td> <a href="/software/S1022"> IceApple </a> </td> <td> <p>The <a href="/software/S1022">IceApple</a> Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022."data-reference="CrowdStrike IceApple May 2022"><sup><a href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0483"> S0483 </a> </td> <td> <a href="/software/S0483"> IcedID </a> </td> <td> <p><a href="/software/S0483">IcedID</a> has the ability to identify the computer name and OS version on a compromised host.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020."data-reference="IBM IcedID November 2017"><sup><a href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a></sup></span><span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="DFIR. (2022, April 25). Quantum Ransomware. 
Retrieved July 26, 2024."data-reference="DFIR_Quantum_Ransomware"><sup><a href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1152"> S1152 </a> </td> <td> <a href="/software/S1152"> IMAPLoader </a> </td> <td> <p><a href="/software/S1152">IMAPLoader</a> uses WMI queries to gather information about the victim machine.<span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024."data-reference="PWC Yellow Liderc 2023"><sup><a href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1139"> S1139 </a> </td> <td> <a href="/software/S1139"> INC Ransomware </a> </td> <td> <p><a href="/software/S1139">INC Ransomware</a> can discover and mount hidden drives to encrypt them.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. 
Retrieved June 5, 2024."data-reference="Cybereason INC Ransomware November 2023"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0100"> G0100 </a> </td> <td> <a href="/groups/G0100"> Inception </a> </td> <td> <p><a href="/groups/G0100">Inception</a> has used a reconnaissance module to gather information about the operating system and hardware on the infected host.<span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020."data-reference="Symantec Inception Framework March 2018"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0604"> S0604 </a> </td> <td> <a href="/software/S0604"> Industroyer </a> </td> <td> <p><a href="/software/S0604">Industroyer</a> collects the victim machine’s Windows GUID.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. 
Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2017"><sup><a href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0259"> S0259 </a> </td> <td> <a href="/software/S0259"> InnaputRAT </a> </td> <td> <p><a href="/software/S0259">InnaputRAT</a> gathers volume drive information and system information.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018."data-reference="ASERT InnaputRAT April 2018"><sup><a href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0260"> S0260 </a> </td> <td> <a href="/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/software/S0260">InvisiMole</a> can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018."data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a></sup></span><span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. 
Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0015"> S0015 </a> </td> <td> <a href="/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/software/S0015">Ixeshe</a> collects the computer name of the victim's system during the initial infection.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019."data-reference="Trend Micro IXESHE 2012"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0044"> S0044 </a> </td> <td> <a href="/software/S0044"> JHUHUGIT </a> </td> <td> <p><a href="/software/S0044">JHUHUGIT</a> obtains a build identifier as well as victim hard drive information from Windows registry key <code>HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum</code>. Another <a href="/software/S0044">JHUHUGIT</a> variant gathers the victim storage volume serial number and the storage device name.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016."data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span><span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. 
Retrieved March 15, 2018."data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0201"> S0201 </a> </td> <td> <a href="/software/S0201"> JPIN </a> </td> <td> <p><a href="/software/S0201">JPIN</a> can obtain system information such as OS version and disk space.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018."data-reference="Microsoft PLATINUM April 2016"><sup><a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0283"> S0283 </a> </td> <td> <a href="/software/S0283"> jRAT </a> </td> <td> <p><a href="/software/S0283">jRAT</a> collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" title="Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. 
Retrieved April 23, 2019."data-reference="Symantec Frutas Feb 2013"><sup><a href="https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0215"> S0215 </a> </td> <td> <a href="/software/S0215"> KARAE </a> </td> <td> <p><a href="/software/S0215">KARAE</a> can collect system information.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0088"> S0088 </a> </td> <td> <a href="/software/S0088"> Kasidet </a> </td> <td> <p><a href="/software/S0088">Kasidet</a> has the ability to obtain a victim's system name and operating system version.<span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" title="Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016."data-reference="Zscaler Kasidet"><sup><a href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0265"> S0265 </a> </td> <td> <a href="/software/S0265"> Kazuar </a> </td> <td> <p><a href="/software/S0265">Kazuar</a> gathers information on the system and local drives.<span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" title="Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. 
Retrieved July 17, 2018."data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0004"> G0004 </a> </td> <td> <a href="/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/groups/G0004">Ke3chang</a> performs operating system information discovery using <code>systeminfo</code> and has used implants to identify the system language and computer name.<span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" title="Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014."data-reference="Mandiant Operation Ke3chang November 2014"><sup><a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a></sup></span><span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong"><sup><a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a></sup></span><span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. 
Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0585"> S0585 </a> </td> <td> <a href="/software/S0585"> Kerrdown </a> </td> <td> <p><a href="/software/S0585">Kerrdown</a> has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" title="Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021."data-reference="Unit 42 KerrDown February 2019"><sup><a href="https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0487"> S0487 </a> </td> <td> <a href="/software/S0487"> Kessel </a> </td> <td> <p><a href="/software/S0487">Kessel</a> has collected the system architecture, OS version, and MAC address information.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. 
Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1020"> S1020 </a> </td> <td> <a href="/software/S1020"> Kevin </a> </td> <td> <p><a href="/software/S1020">Kevin</a> can enumerate the OS version and hostname of a targeted machine.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0387"> S0387 </a> </td> <td> <a href="/software/S0387"> KeyBoy </a> </td> <td> <p><a href="/software/S0387">KeyBoy</a> can gather extended system information, such as information about the operating system, disks, and memory.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" title="Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019."data-reference="PWC KeyBoys Feb 2017"><sup><a href="https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a></sup></span><span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" title="Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. 
Retrieved June 14, 2019."data-reference="Rapid7 KeyBoy Jun 2013"><sup><a href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0271"> S0271 </a> </td> <td> <a href="/software/S0271"> KEYMARBLE </a> </td> <td> <p><a href="/software/S0271">KEYMARBLE</a> has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.<span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" title="US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018."data-reference="US-CERT KEYMARBLE Aug 2018"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0526"> S0526 </a> </td> <td> <a href="/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/software/S0526">KGH_SPY</a> can collect drive information from a compromised host.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. 
Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0607"> S0607 </a> </td> <td> <a href="/software/S0607"> KillDisk </a> </td> <td> <p><a href="/software/S0607">KillDisk</a> retrieves the hard disk name by calling the <code>CreateFileA</code> API on the physical drive device path <code>\\.\PHYSICALDRIVE0</code>.<span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" title="Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021."data-reference="Trend Micro KillDisk 1"><sup><a href="https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0094"> G0094 </a> </td> <td> <a href="/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/groups/G0094">Kimsuky</a> has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" title="Tarakanov, D. (2013, September 11). The "Kimsuky" Operation: A North Korean APT?. Retrieved August 13, 2019."data-reference="Securelist Kimsuky Sept 2013"><sup><a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a></sup></span><span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" title="An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. 
Retrieved December 29, 2021."data-reference="Talos Kimsuky Nov 2021"><sup><a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0250"> S0250 </a> </td> <td> <a href="/software/S0250"> Koadic </a> </td> <td> <p><a href="/software/S0250">Koadic</a> can obtain the OS version and build, computer name, and processor architecture from a compromised host.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0641"> S0641 </a> </td> <td> <a href="/software/S0641"> Kobalos </a> </td> <td> <p><a href="/software/S0641">Kobalos</a> can record the hostname and kernel version of the target machine.<span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" title="M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021."data-reference="ESET Kobalos Jan 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0669"> S0669 </a> </td> <td> <a href="/software/S0669"> KOCTOPUS </a> </td> <td> <p><a href="/software/S0669">KOCTOPUS</a> has checked the OS version using <code>wmic.exe</code> and the <code>find</code> command.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" title="Jazi, H. (2021, February). 
LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0156"> S0156 </a> </td> <td> <a href="/software/S0156"> KOMPROGO </a> </td> <td> <p><a href="/software/S0156">KOMPROGO</a> is capable of retrieving information about the infected system.<span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" title="Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017."data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0356"> S0356 </a> </td> <td> <a href="/software/S0356"> KONNI </a> </td> <td> <p><a href="/software/S0356">KONNI</a> can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used the <code>cmd /c systeminfo</code> command to get a snapshot of the current system state of the target machine.<span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" title="Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018."data-reference="Talos Konni May 2017"><sup><a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a></sup></span><span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" title="Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. 
Retrieved April 28, 2020."data-reference="Medium KONNI Jan 2020"><sup><a href="https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a></sup></span><span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022."data-reference="Malwarebytes Konni Aug 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1075"> S1075 </a> </td> <td> <a href="/software/S1075"> KOPILUWAK </a> </td> <td> <p><a href="/software/S1075">KOPILUWAK</a> can discover logical drive information on compromised hosts.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023"><sup><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0035"> C0035 </a> </td> <td> <a href="/campaigns/C0035"> KV Botnet Activity </a> </td> <td> <p><a href="https://attack.mitre.org/campaigns/C0035">KV Botnet Activity</a> includes use of native system tools, such as <code>uname</code>, to obtain information about victim device architecture, as well as gathering other system information such as the victim's hosts file and CPU utilization.<span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" title="Black Lotus Labs. (2023, December 13). 
Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024."data-reference="Lumen KVBotnet 2023"><sup><a href="https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0236"> S0236 </a> </td> <td> <a href="/software/S0236"> Kwampirs </a> </td> <td> <p><a href="/software/S0236">Kwampirs</a> collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands <code>systeminfo</code>, <code>net config workstation</code>, <code>hostname</code>, <code>ver</code>, <code>set</code>, and <code>date /t</code>.<span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" title="Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018."data-reference="Symantec Orangeworm April 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1160"> S1160 </a> </td> <td> <a href="/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/software/S1160">Latrodectus</a> can gather operating system information.<span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" title="Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . 
Retrieved May 31, 2024."data-reference="Latrodectus APR 2024"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a></sup></span><span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024"><sup><a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a></sup></span><span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024"><sup><a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a></sup></span><span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" title="Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024."data-reference="Bitsight Latrodectus June 2024"><sup><a href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0032"> G0032 </a> </td> <td> <a href="/groups/G0032"> Lazarus Group </a> </td> <td> <p>Several <a href="/groups/G0032">Lazarus Group</a> malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. 
A Destover-like variant used by <a href="/groups/G0032">Lazarus Group</a> also collects disk space information and sends it to its C2 server.<span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a></sup></span><span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016."data-reference="Novetta Blockbuster Destructive Malware"><sup><a href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a></sup></span><span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016."data-reference="Novetta Blockbuster Loaders"><sup><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a></sup></span><span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. 
Retrieved February 19, 2018."data-reference="McAfee Lazarus Resurfaces Feb 2018"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a></sup></span><span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018."data-reference="McAfee GhostSecret"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a></sup></span><span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" title="Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022."data-reference="Lazarus APT January 2022"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0395"> S0395 </a> </td> <td> <a href="/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/software/S0395">LightNeuron</a> gathers the victim computer name using the Win32 API call <code>GetComputerName</code>.<span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" title="Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. 
Retrieved June 24, 2019."data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0211"> S0211 </a> </td> <td> <a href="/software/S0211"> Linfo </a> </td> <td> <p><a href="/software/S0211">Linfo</a> creates a backdoor through which remote attackers can retrieve system information.<span onclick=scrollToRef('scite-233') id="scite-ref-233-a" class="scite-citeref-number" title="Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018."data-reference="Symantec Linfo May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank" data-hasqtip="232" aria-describedby="qtip-232">[233]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0513"> S0513 </a> </td> <td> <a href="/software/S0513"> LiteDuke </a> </td> <td> <p><a href="/software/S0513">LiteDuke</a> can enumerate the CPUID and BIOS version on a compromised system.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0680"> S0680 </a> </td> <td> <a href="/software/S0680"> LitePower </a> </td> <td> <p><a href="/software/S0680">LitePower</a> has the ability to list local drives and enumerate the OS architecture.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. 
Retrieved February 1, 2022."data-reference="Kaspersky WIRTE November 2021"><sup><a href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1121"> S1121 </a> </td> <td> <a href="/software/S1121"> LITTLELAMB.WOOLTEA </a> </td> <td> <p><a href="/software/S1121">LITTLELAMB.WOOLTEA</a> can check the type of Ivanti VPN device it is running on by executing <code>first_run()</code> to identify the first four bytes of the motherboard serial number.<span onclick=scrollToRef('scite-234') id="scite-ref-234-a" class="scite-citeref-number" title="Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024."data-reference="Mandiant Cutting Edge Part 3 February 2024"><sup><a href="https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" target="_blank" data-hasqtip="233" aria-describedby="qtip-233">[234]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0681"> S0681 </a> </td> <td> <a href="/software/S0681"> Lizar </a> </td> <td> <p><a href="/software/S0681">Lizar</a> can collect the computer name from the machine.<span onclick=scrollToRef('scite-235') id="scite-ref-235-a" class="scite-citeref-number" title="BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. 
Retrieved February 2, 2022."data-reference="BiZone Lizar May 2021"><sup><a href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank" data-hasqtip="234" aria-describedby="qtip-234">[235]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0447"> S0447 </a> </td> <td> <a href="/software/S0447"> Lokibot </a> </td> <td> <p><a href="/software/S0447">Lokibot</a> has the ability to discover the computer name and Windows product name/version.<span onclick=scrollToRef('scite-236') id="scite-ref-236-a" class="scite-citeref-number" title="Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020."data-reference="FSecure Lokibot November 2019"><sup><a href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank" data-hasqtip="235" aria-describedby="qtip-235">[236]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0451"> S0451 </a> </td> <td> <a href="/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/software/S0451">LoudMiner</a> has monitored CPU usage.<span onclick=scrollToRef('scite-237') id="scite-ref-237-a" class="scite-citeref-number" title="Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."data-reference="ESET LoudMiner June 2019"><sup><a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="236" aria-describedby="qtip-236">[237]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0532"> S0532 </a> </td> <td> <a href="/software/S0532"> Lucifer </a> </td> <td> <p><a href="/software/S0532">Lucifer</a> can collect the computer name, system architecture, default language, and processor frequency of a compromised host.<span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). 
Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1142"> S1142 </a> </td> <td> <a href="/software/S1142"> LunarMail </a> </td> <td> <p><a href="/software/S1142">LunarMail</a> can capture environment variables on compromised hosts.<span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1141"> S1141 </a> </td> <td> <a href="/software/S1141"> LunarWeb </a> </td> <td> <p><a href="/software/S1141">LunarWeb</a> can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.<span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. 
Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0409"> S0409 </a> </td> <td> <a href="/software/S0409"> Machete </a> </td> <td> <p><a href="/software/S0409">Machete</a> collects the hostname of the target computer.<span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1016"> S1016 </a> </td> <td> <a href="/software/S1016"> MacMa </a> </td> <td> <p><a href="/software/S1016">MacMa</a> can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.<span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" title="M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. 
Retrieved May 6, 2022."data-reference="ESET DazzleSpy Jan 2022"><sup><a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1048"> S1048 </a> </td> <td> <a href="/software/S1048"> macOS.OSAMiner </a> </td> <td> <p><a href="/software/S1048">macOS.OSAMiner</a> can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility <code>df</code>.<span onclick=scrollToRef('scite-242') id="scite-ref-242-a" class="scite-citeref-number" title="Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022."data-reference="SentinelLabs reversing run-only applescripts 2021"><sup><a href="https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" target="_blank" data-hasqtip="241" aria-describedby="qtip-241">[242]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1060"> S1060 </a> </td> <td> <a href="/software/S1060"> Mafalda </a> </td> <td> <p><a href="/software/S1060">Mafalda</a> can collect the computer name and enumerate all drives on a compromised host.<span onclick=scrollToRef('scite-243') id="scite-ref-243-a" class="scite-citeref-number" title="Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023."data-reference="SentinelLabs Metador Sept 2022"><sup><a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="242" aria-describedby="qtip-242">[243]</a></sup></span><span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. 
Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><sup><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0059"> G0059 </a> </td> <td> <a href="/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.<span onclick=scrollToRef('scite-245') id="scite-ref-245-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="244" aria-describedby="qtip-244">[245]</a></sup></span><span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a></sup></span><span onclick=scrollToRef('scite-247') id="scite-ref-247-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="246" aria-describedby="qtip-246">[247]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1026"> G1026 </a> </td> <td> <a href="/groups/G1026"> Malteiro </a> </td> <td> <p><a href="/groups/G1026">Malteiro</a> collects the machine information, system architecture, the OS version, computer name, and Windows product name.<span onclick=scrollToRef('scite-248') id="scite-ref-248-a" class="scite-citeref-number" title="SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024."data-reference="SCILabs Malteiro 2021"><sup><a href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank" data-hasqtip="247" aria-describedby="qtip-247">[248]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1156"> S1156 </a> </td> <td> <a href="/software/S1156"> Manjusaka </a> </td> <td> <p><a href="/software/S1156">Manjusaka</a> performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.<span onclick=scrollToRef('scite-249') id="scite-ref-249-a" class="scite-citeref-number" title="Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024."data-reference="Talos Manjusaka 2022"><sup><a href="https://blog.talosintelligence.com/manjusaka-offensive-framework/" target="_blank" data-hasqtip="248" aria-describedby="qtip-248">[249]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0652"> S0652 </a> </td> <td> <a href="/software/S0652"> MarkiRAT </a> </td> <td> <p><a href="/software/S0652">MarkiRAT</a> can obtain the computer name from a compromised host.<span onclick=scrollToRef('scite-250') id="scite-ref-250-a" class="scite-citeref-number" title="GReAT. (2021, June 16). 
Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021."data-reference="Kaspersky Ferocious Kitten Jun 2021"><sup><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="249" aria-describedby="qtip-249">[250]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0449"> S0449 </a> </td> <td> <a href="/software/S0449"> Maze </a> </td> <td> <p><a href="/software/S0449">Maze</a> has checked the language of the infected system using the "GetUserDefaultUILanguage" function.<span onclick=scrollToRef('scite-251') id="scite-ref-251-a" class="scite-citeref-number" title="Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."data-reference="McAfee Maze March 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" target="_blank" data-hasqtip="250" aria-describedby="qtip-250">[251]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1059"> S1059 </a> </td> <td> <a href="/software/S1059"> metaMain </a> </td> <td> <p><a href="/software/S1059">metaMain</a> can collect the computer name from a compromised host.<span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. 
Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><sup><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0455"> S0455 </a> </td> <td> <a href="/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/software/S0455">Metamorfo</a> has collected the hostname and operating system version from the compromised host.<span onclick=scrollToRef('scite-252') id="scite-ref-252-a" class="scite-citeref-number" title="Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020."data-reference="FireEye Metamorfo Apr 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank" data-hasqtip="251" aria-describedby="qtip-251">[252]</a></sup></span><span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" title="Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020."data-reference="Fortinet Metamorfo Feb 2020"><sup><a href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a></sup></span><span onclick=scrollToRef('scite-254') id="scite-ref-254-a" class="scite-citeref-number" title="ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. 
Retrieved September 23, 2021."data-reference="ESET Casbaneiro Oct 2019"><sup><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank" data-hasqtip="253" aria-describedby="qtip-253">[254]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0688"> S0688 </a> </td> <td> <a href="/software/S0688"> Meteor </a> </td> <td> <p><a href="/software/S0688">Meteor</a> has the ability to discover the hostname of a compromised host.<span onclick=scrollToRef('scite-255') id="scite-ref-255-a" class="scite-citeref-number" title="Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022."data-reference="Check Point Meteor Aug 2021"><sup><a href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank" data-hasqtip="254" aria-describedby="qtip-254">[255]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0339"> S0339 </a> </td> <td> <a href="/software/S0339"> Micropsia </a> </td> <td> <p><a href="/software/S0339">Micropsia</a> gathers the hostname and OS version from the victim’s machine.<span onclick=scrollToRef('scite-256') id="scite-ref-256-a" class="scite-citeref-number" title="Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018."data-reference="Talos Micropsia June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank" data-hasqtip="255" aria-describedby="qtip-255">[256]</a></sup></span><span onclick=scrollToRef('scite-257') id="scite-ref-257-a" class="scite-citeref-number" title="Tsarfaty, Y. (2018, July 25). Micropsia Malware. 
Retrieved November 13, 2018."data-reference="Radware Micropsia July 2018"><sup><a href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="256" aria-describedby="qtip-256">[257]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1015"> S1015 </a> </td> <td> <a href="/software/S1015"> Milan </a> </td> <td> <p><a href="/software/S1015">Milan</a> can enumerate the targeted machine's name and GUID.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a></sup></span><span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" title="Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022."data-reference="Accenture Lyceum Targets November 2021"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0051"> S0051 </a> </td> <td> <a href="/software/S0051"> MiniDuke </a> </td> <td> <p><a href="/software/S0051">MiniDuke</a> can gather the hostname on a compromised machine.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020."data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0280"> S0280 </a> </td> <td> <a href="/software/S0280"> MirageFox </a> </td> <td> <p><a href="/software/S0280">MirageFox</a> can collect CPU and architecture information from the victim’s machine.<span onclick=scrollToRef('scite-260') id="scite-ref-260-a" class="scite-citeref-number" title="Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018."data-reference="APT15 Intezer June 2018"><sup><a href="https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank" data-hasqtip="259" aria-describedby="qtip-259">[260]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0084"> S0084 </a> </td> <td> <a href="/software/S0084"> Mis-Type </a> </td> <td> <p>The initial beacon packet for <a href="/software/S0084">Mis-Type</a> contains the operating system version and file system of the victim.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0083"> S0083 </a> </td> <td> <a href="/software/S0083"> Misdat </a> </td> <td> <p>The initial beacon packet for <a href="/software/S0083">Misdat</a> contains the operating system version of the victim.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1122"> S1122 </a> </td> <td> <a href="/software/S1122"> Mispadu </a> </td> <td> <p><a href="/software/S1122">Mispadu</a> collects the OS version, computer name, and language ID.<span onclick=scrollToRef('scite-262') id="scite-ref-262-a" class="scite-citeref-number" title="ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. 
Retrieved March 13, 2024."data-reference="ESET Security Mispadu Facebook Ads 2019"><sup><a href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank" data-hasqtip="261" aria-describedby="qtip-261">[262]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0079"> S0079 </a> </td> <td> <a href="/software/S0079"> MobileOrder </a> </td> <td> <p><a href="/software/S0079">MobileOrder</a> has a command to upload victim mobile device information to its C2 server, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.<span onclick=scrollToRef('scite-263') id="scite-ref-263-a" class="scite-citeref-number" title="Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016."data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="262" aria-describedby="qtip-262">[263]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0553"> S0553 </a> </td> <td> <a href="/software/S0553"> MoleNet </a> </td> <td> <p><a href="/software/S0553">MoleNet</a> can collect information about the system.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1026"> S1026 </a> </td> <td> <a href="/software/S1026"> Mongall </a> </td> <td> <p><a href="/software/S1026">Mongall</a> can identify drives on compromised hosts and retrieve the hostname via <code>gethostbyname</code>.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1036"> G1036 </a> </td> <td> <a href="/groups/G1036"> Moonstone Sleet </a> </td> <td> <p><a href="/groups/G1036">Moonstone Sleet</a> has gathered information on victim systems.<span onclick=scrollToRef('scite-264') id="scite-ref-264-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. 
Retrieved August 26, 2024."data-reference="Microsoft Moonstone Sleet 2024"><sup><a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank" data-hasqtip="263" aria-describedby="qtip-263">[264]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0149"> S0149 </a> </td> <td> <a href="/software/S0149"> MoonWind </a> </td> <td> <p><a href="/software/S0149">MoonWind</a> can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.<span onclick=scrollToRef('scite-265') id="scite-ref-265-a" class="scite-citeref-number" title="Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017."data-reference="Palo Alto MoonWind March 2017"><sup><a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank" data-hasqtip="264" aria-describedby="qtip-264">[265]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0284"> S0284 </a> </td> <td> <a href="/software/S0284"> More_eggs </a> </td> <td> <p><a href="/software/S0284">More_eggs</a> has the capability to gather the OS version and computer name.<span onclick=scrollToRef('scite-266') id="scite-ref-266-a" class="scite-citeref-number" title="Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018."data-reference="Talos Cobalt Group July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="265" aria-describedby="qtip-265">[266]</a></sup></span><span onclick=scrollToRef('scite-267') id="scite-ref-267-a" class="scite-citeref-number" title="Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. 
Retrieved September 16, 2019."data-reference="Security Intelligence More Eggs Aug 2019"><sup><a href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank" data-hasqtip="266" aria-describedby="qtip-266">[267]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1009"> G1009 </a> </td> <td> <a href="/groups/G1009"> Moses Staff </a> </td> <td> <p><a href="/groups/G1009">Moses Staff</a> collected information about the infected host, including the machine names and OS architecture.<span onclick=scrollToRef('scite-268') id="scite-ref-268-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021"><sup><a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="267" aria-describedby="qtip-267">[268]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0069"> G0069 </a> </td> <td> <a href="/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/groups/G0069">MuddyWater</a> has used malware that can collect the victim’s OS version and machine name.<span onclick=scrollToRef('scite-269') id="scite-ref-269-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018."data-reference="Securelist MuddyWater Oct 2018"><sup><a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="268" aria-describedby="qtip-268">[269]</a></sup></span><span onclick=scrollToRef('scite-270') id="scite-ref-270-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. 
Retrieved June 5, 2019."data-reference="Talos MuddyWater May 2019"><sup><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" data-hasqtip="269" aria-describedby="qtip-269">[270]</a></sup></span><span onclick=scrollToRef('scite-271') id="scite-ref-271-a" class="scite-citeref-number" title="Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."data-reference="Reaqta MuddyWater November 2017"><sup><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" data-hasqtip="270" aria-describedby="qtip-270">[271]</a></sup></span><span onclick=scrollToRef('scite-272') id="scite-ref-272-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="271" aria-describedby="qtip-271">[272]</a></sup></span><span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" title="Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022."data-reference="Talos MuddyWater Jan 2022"><sup><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0233"> S0233 </a> </td> <td> <a href="/software/S0233"> MURKYTOP </a> </td> <td> <p><a href="/software/S0233">MURKYTOP</a> has the capability to retrieve information about the OS.<span onclick=scrollToRef('scite-274') id="scite-ref-274-a" class="scite-citeref-number" title="FireEye. 
(2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018."data-reference="FireEye Periscope March 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="273" aria-describedby="qtip-273">[274]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0129"> G0129 </a> </td> <td> <a href="/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/groups/G0129">Mustang Panda</a> has gathered system information using <code>systeminfo</code>.<span onclick=scrollToRef('scite-275') id="scite-ref-275-a" class="scite-citeref-number" title="Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021."data-reference="Avira Mustang Panda January 2020"><sup><a href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank" data-hasqtip="274" aria-describedby="qtip-274">[275]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1020"> G1020 </a> </td> <td> <a href="/groups/G1020"> Mustard Tempest </a> </td> <td> <p><a href="/groups/G1020">Mustard Tempest</a> has used implants to perform system reconnaissance on targeted systems.<span onclick=scrollToRef('scite-276') id="scite-ref-276-a" class="scite-citeref-number" title="Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. 
Retrieved March 10, 2023."data-reference="Microsoft Ransomware as a Service"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank" data-hasqtip="275" aria-describedby="qtip-275">[276]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0205"> S0205 </a> </td> <td> <a href="/software/S0205"> Naid </a> </td> <td> <p><a href="/software/S0205">Naid</a> collects a unique identifier (UID) from a compromised host.<span onclick=scrollToRef('scite-277') id="scite-ref-277-a" class="scite-citeref-number" title="Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018."data-reference="Symantec Naid June 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99" target="_blank" data-hasqtip="276" aria-describedby="qtip-276">[277]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0228"> S0228 </a> </td> <td> <a href="/software/S0228"> NanHaiShu </a> </td> <td> <p><a href="/software/S0228">NanHaiShu</a> can gather the victim computer name and serial number.<span onclick=scrollToRef('scite-278') id="scite-ref-278-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. 
Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="277" aria-describedby="qtip-277">[278]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0247"> S0247 </a> </td> <td> <a href="/software/S0247"> NavRAT </a> </td> <td> <p><a href="/software/S0247">NavRAT</a> uses <code>systeminfo</code> on a victim’s machine.<span onclick=scrollToRef('scite-279') id="scite-ref-279-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018."data-reference="Talos NavRAT May 2018"><sup><a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="278" aria-describedby="qtip-278">[279]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0272"> S0272 </a> </td> <td> <a href="/software/S0272"> NDiskMonitor </a> </td> <td> <p><a href="/software/S0272">NDiskMonitor</a> obtains the victim computer name and encrypts the information to send over its C2 channel.<span onclick=scrollToRef('scite-280') id="scite-ref-280-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. 
Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="279" aria-describedby="qtip-279">[280]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0630"> S0630 </a> </td> <td> <a href="/software/S0630"> Nebulae </a> </td> <td> <p><a href="/software/S0630">Nebulae</a> can discover logical drive information including the drive type, free space, and volume information.<span onclick=scrollToRef('scite-281') id="scite-ref-281-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="280" aria-describedby="qtip-280">[281]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0691"> S0691 </a> </td> <td> <a href="/software/S0691"> Neoichor </a> </td> <td> <p><a href="/software/S0691">Neoichor</a> can collect the OS version and computer name from a compromised host.<span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" title="MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. 
Retrieved March 18, 2022."data-reference="Microsoft NICKEL December 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0457"> S0457 </a> </td> <td> <a href="/software/S0457"> Netwalker </a> </td> <td> <p><a href="/software/S0457">Netwalker</a> can determine the system architecture it is running on to choose which version of the DLL to use.<span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" title="Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."data-reference="TrendMicro Netwalker May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0198"> S0198 </a> </td> <td> <a href="/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/software/S0198">NETWIRE</a> can discover and collect victim system information.<span onclick=scrollToRef('scite-283') id="scite-ref-283-a" class="scite-citeref-number" title="McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018."data-reference="McAfee Netwire Mar 2015"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" target="_blank" data-hasqtip="282" aria-describedby="qtip-282">[283]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1147"> S1147 </a> </td> <td> <a href="/software/S1147"> Nightdoor </a> </td> <td> <p><a href="/software/S1147">Nightdoor</a> gathers information on the victim system such as CPU and Computer name as well as device drivers. 
<a href="/software/S1147">Nightdoor</a> can also collect information about disk drives, their total and free space, and file system type.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024."data-reference="ESET EvasivePanda 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1100"> S1100 </a> </td> <td> <a href="/software/S1100"> Ninja </a> </td> <td> <p><a href="/software/S1100">Ninja</a> can obtain the computer name and information on the OS and physical drives from targeted hosts.<span onclick=scrollToRef('scite-284') id="scite-ref-284-a" class="scite-citeref-number" title="Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat June 2022"><sup><a href="https://securelist.com/toddycat/106799/" target="_blank" data-hasqtip="283" aria-describedby="qtip-283">[284]</a></sup></span><span onclick=scrollToRef('scite-285') id="scite-ref-285-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. 
Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="284" aria-describedby="qtip-284">[285]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0385"> S0385 </a> </td> <td> <a href="/software/S0385"> njRAT </a> </td> <td> <p><a href="/software/S0385">njRAT</a> enumerates the victim operating system and computer name during the initial infection.<span onclick=scrollToRef('scite-286') id="scite-ref-286-a" class="scite-citeref-number" title="Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: &quot;njRAT&quot; Uncovered. Retrieved June 4, 2019."data-reference="Fidelis njRAT June 2013"><sup><a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="285" aria-describedby="qtip-285">[286]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1107"> S1107 </a> </td> <td> <a href="/software/S1107"> NKAbuse </a> </td> <td> <p><a href="/software/S1107">NKAbuse</a> conducts multiple system checks and includes the results in subsequent "heartbeat" messages to the malware's command and control server.<span onclick=scrollToRef('scite-287') id="scite-ref-287-a" class="scite-citeref-number" title="KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. 
Retrieved February 8, 2024."data-reference="NKAbuse SL"><sup><a href="https://securelist.com/unveiling-nkabuse/111512/" target="_blank" data-hasqtip="286" aria-describedby="qtip-286">[287]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0353"> S0353 </a> </td> <td> <a href="/software/S0353"> NOKKI </a> </td> <td> <p><a href="/software/S0353">NOKKI</a> can gather information on drives and the operating system on the victim’s machine.<span onclick=scrollToRef('scite-288') id="scite-ref-288-a" class="scite-citeref-number" title="Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018."data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="287" aria-describedby="qtip-287">[288]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0644"> S0644 </a> </td> <td> <a href="/software/S0644"> ObliqueRAT </a> </td> <td> <p><a href="/software/S0644">ObliqueRAT</a> has the ability to check for blocklisted computer names on infected endpoints.<span onclick=scrollToRef('scite-289') id="scite-ref-289-a" class="scite-citeref-number" title="Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021."data-reference="Talos Oblique RAT March 2021"><sup><a href="https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" target="_blank" data-hasqtip="288" aria-describedby="qtip-288">[289]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0346"> S0346 </a> </td> <td> <a href="/software/S0346"> OceanSalt </a> </td> <td> <p><a href="/software/S0346">OceanSalt</a> can collect the computer name from the system.<span onclick=scrollToRef('scite-290') id="scite-ref-290-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, October 18). 
‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018."data-reference="McAfee Oceansalt Oct 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank" data-hasqtip="289" aria-describedby="qtip-289">[290]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0340"> S0340 </a> </td> <td> <a href="/software/S0340"> Octopus </a> </td> <td> <p><a href="/software/S0340">Octopus</a> can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.<span onclick=scrollToRef('scite-291') id="scite-ref-291-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018."data-reference="Securelist Octopus Oct 2018"><sup><a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="290" aria-describedby="qtip-290">[291]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0049"> G0049 </a> </td> <td> <a href="/groups/G0049"> OilRig </a> </td> <td> <p><a href="/groups/G0049">OilRig</a> has run <code>hostname</code> and <code>systeminfo</code> on a victim.<span onclick=scrollToRef('scite-292') id="scite-ref-292-a" class="scite-citeref-number" title="Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017."data-reference="Palo Alto OilRig May 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="291" aria-describedby="qtip-291">[292]</a></sup></span><span onclick=scrollToRef('scite-293') id="scite-ref-293-a" class="scite-citeref-number" title="Grunzweig, J. and Falcone, R.. (2016, October 4). 
OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017."data-reference="Palo Alto OilRig Oct 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" target="_blank" data-hasqtip="292" aria-describedby="qtip-292">[293]</a></sup></span><span onclick=scrollToRef('scite-294') id="scite-ref-294-a" class="scite-citeref-number" title="Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019."data-reference="FireEye APT34 July 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank" data-hasqtip="293" aria-describedby="qtip-293">[294]</a></sup></span><span onclick=scrollToRef('scite-295') id="scite-ref-295-a" class="scite-citeref-number" title="Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021."data-reference="Check Point APT34 April 2021"><sup><a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="294" aria-describedby="qtip-294">[295]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0439"> S0439 </a> </td> <td> <a href="/software/S0439"> Okrum </a> </td> <td> <p><a href="/software/S0439">Okrum</a> can collect computer name, locale information, and information about the OS and architecture.<span onclick=scrollToRef('scite-296') id="scite-ref-296-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. 
Retrieved May 6, 2020."data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="295" aria-describedby="qtip-295">[296]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0264"> S0264 </a> </td> <td> <a href="/software/S0264"> OopsIE </a> </td> <td> <p><a href="/software/S0264">OopsIE</a> checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.<span onclick=scrollToRef('scite-297') id="scite-ref-297-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018."data-reference="Unit 42 OilRig Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank" data-hasqtip="296" aria-describedby="qtip-296">[297]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0012"> C0012 </a> </td> <td> <a href="/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors used the <code>systeminfo</code> command to gather details about a compromised system.<span onclick=scrollToRef('scite-298') id="scite-ref-298-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. 
Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022"><sup><a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="297" aria-describedby="qtip-297">[298]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0006"> C0006 </a> </td> <td> <a href="/campaigns/C0006"> Operation Honeybee </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a>, the threat actors collected the computer name, OS, and other system information using <code>cmd /c systeminfo &gt; %temp%\temp.ini</code>.<span onclick=scrollToRef('scite-299') id="scite-ref-299-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018."data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="298" aria-describedby="qtip-298">[299]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0014"> C0014 </a> </td> <td> <a href="/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors discovered the local disks attached to the system and their hardware information, including manufacturer and model, as well as the OS versions of systems connected to a targeted network.<span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. 
Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0229"> S0229 </a> </td> <td> <a href="/software/S0229"> Orz </a> </td> <td> <p><a href="/software/S0229">Orz</a> can gather the victim OS version and whether it is 64 or 32 bit.<span onclick=scrollToRef('scite-278') id="scite-ref-278-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="277" aria-describedby="qtip-277">[278]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0165"> S0165 </a> </td> <td> <a href="/software/S0165"> OSInfo </a> </td> <td> <p><a href="/software/S0165">OSInfo</a> discovers information about the infected machine.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. 
Retrieved September 26, 2016."data-reference="Symantec Buckeye"><sup><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0402"> S0402 </a> </td> <td> <a href="/software/S0402"> OSX/Shlayer </a> </td> <td> <p><a href="/software/S0402">OSX/Shlayer</a> has collected the IOPlatformUUID, session UID, and the OS version using the command <code>sw_vers -productVersion</code>.<span onclick=scrollToRef('scite-301') id="scite-ref-301-a" class="scite-citeref-number" title="Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019."data-reference="Carbon Black Shlayer Feb 2019"><sup><a href="https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" target="_blank" data-hasqtip="300" aria-describedby="qtip-300">[301]</a></sup></span><span onclick=scrollToRef('scite-302') id="scite-ref-302-a" class="scite-citeref-number" title="Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021."data-reference="sentinelone shlayer to zshlayer"><sup><a href="https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/" target="_blank" data-hasqtip="301" aria-describedby="qtip-301">[302]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0352"> S0352 </a> </td> <td> <a href="/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> <p><a href="/software/S0352">OSX_OCEANLOTUS.D</a> collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. 
<a href="/software/S0352">OSX_OCEANLOTUS.D</a> has used the <code>ioreg</code> command to gather some of this information.<span onclick=scrollToRef('scite-303') id="scite-ref-303-a" class="scite-citeref-number" title="Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018."data-reference="TrendMicro MacOS April 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank" data-hasqtip="302" aria-describedby="qtip-302">[303]</a></sup></span><span onclick=scrollToRef('scite-304') id="scite-ref-304-a" class="scite-citeref-number" title="Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020."data-reference="Trend Micro MacOS Backdoor November 2020"><sup><a href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank" data-hasqtip="303" aria-describedby="qtip-303">[304]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021."data-reference="20 macOS Common Tools and Techniques"><sup><a href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0208"> S0208 </a> </td> <td> <a href="/software/S0208"> Pasam </a> </td> <td> <p><a href="/software/S0208">Pasam</a> creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.<span onclick=scrollToRef('scite-305') id="scite-ref-305-a" class="scite-citeref-number" title="Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. 
Retrieved February 22, 2018."data-reference="Symantec Pasam May 2012"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" target="_blank" data-hasqtip="304" aria-describedby="qtip-304">[305]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0040"> G0040 </a> </td> <td> <a href="/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/groups/G0040">Patchwork</a> collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. <a href="/groups/G0040">Patchwork</a> also enumerated all available drives on the victim's machine.<span onclick=scrollToRef('scite-306') id="scite-ref-306-a" class="scite-citeref-number" title="Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016."data-reference="Cymmetria Patchwork"><sup><a href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank" data-hasqtip="305" aria-describedby="qtip-305">[306]</a></sup></span><span onclick=scrollToRef('scite-280') id="scite-ref-280-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="279" aria-describedby="qtip-279">[280]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0556"> S0556 </a> </td> <td> <a href="/software/S0556"> Pay2Key </a> </td> <td> <p><a href="/software/S0556">Pay2Key</a> has the ability to gather the hostname of the victim machine.<span onclick=scrollToRef('scite-307') id="scite-ref-307-a" class="scite-citeref-number" title="Check Point. (2020, November 6). Ransomware Alert: Pay2Key. 
Retrieved January 4, 2021."data-reference="Check Point Pay2Key November 2020"><sup><a href="https://research.checkpoint.com/2020/ransomware-alert-pay2key/" target="_blank" data-hasqtip="306" aria-describedby="qtip-306">[307]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0587"> S0587 </a> </td> <td> <a href="/software/S0587"> Penquin </a> </td> <td> <p><a href="/software/S0587">Penquin</a> can report the file system type and disk space of a compromised host to C2.<span onclick=scrollToRef('scite-308') id="scite-ref-308-a" class="scite-citeref-number" title="Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA "Penquin_x64". Retrieved March 11, 2021."data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="307" aria-describedby="qtip-307">[308]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1145"> S1145 </a> </td> <td> <a href="/software/S1145"> Pikabot </a> </td> <td> <p><a href="/software/S1145">Pikabot</a> performs a variety of system checks and gathers system information, including commands such as <code>whoami</code>.<span onclick=scrollToRef('scite-309') id="scite-ref-309-a" class="scite-citeref-number" title="Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024."data-reference="Zscaler Pikabot 2023"><sup><a href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" target="_blank" data-hasqtip="308" aria-describedby="qtip-308">[309]</a></sup></span><span onclick=scrollToRef('scite-310') id="scite-ref-310-a" class="scite-citeref-number" title="Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. 
Retrieved July 12, 2024."data-reference="Elastic Pikabot 2024"><sup><a href="https://www.elastic.co/security-labs/pikabot-i-choose-you" target="_blank" data-hasqtip="309" aria-describedby="qtip-309">[310]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0048"> S0048 </a> </td> <td> <a href="/software/S0048"> PinchDuke </a> </td> <td> <p><a href="/software/S0048">PinchDuke</a> gathers system configuration information.<span onclick=scrollToRef('scite-311') id="scite-ref-311-a" class="scite-citeref-number" title="F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015."data-reference="F-Secure The Dukes"><sup><a href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank" data-hasqtip="310" aria-describedby="qtip-310">[311]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1031"> S1031 </a> </td> <td> <a href="/software/S1031"> PingPull </a> </td> <td> <p><a href="/software/S1031">PingPull</a> can retrieve the hostname of a compromised host.<span onclick=scrollToRef('scite-312') id="scite-ref-312-a" class="scite-citeref-number" title="Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022."data-reference="Unit 42 PingPull Jun 2022"><sup><a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" data-hasqtip="311" aria-describedby="qtip-311">[312]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0501"> S0501 </a> </td> <td> <a href="/software/S0501"> PipeMon </a> </td> <td> <p><a href="/software/S0501">PipeMon</a> can collect and send OS version and computer name as a part of its C2 beacon.<span onclick=scrollToRef('scite-313') id="scite-ref-313-a" class="scite-citeref-number" title="Tartare, M. et al. (2020, May 21). No "Game over" for the Winnti Group. 
Retrieved August 24, 2020."data-reference="ESET PipeMon May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank" data-hasqtip="312" aria-describedby="qtip-312">[313]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0124"> S0124 </a> </td> <td> <a href="/software/S0124"> Pisloader </a> </td> <td> <p><a href="/software/S0124">Pisloader</a> has a command to collect victim system information, including the system name and OS version.<span onclick=scrollToRef('scite-314') id="scite-ref-314-a" class="scite-citeref-number" title="Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016."data-reference="Palo Alto DNS Requests"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="313" aria-describedby="qtip-313">[314]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0254"> S0254 </a> </td> <td> <a href="/software/S0254"> PLAINTEE </a> </td> <td> <p><a href="/software/S0254">PLAINTEE</a> collects general system enumeration data about the infected machine and checks the OS version.<span onclick=scrollToRef('scite-315') id="scite-ref-315-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. 
Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="314" aria-describedby="qtip-314">[315]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1040"> G1040 </a> </td> <td> <a href="/groups/G1040"> Play </a> </td> <td> <p><a href="/groups/G1040">Play</a> has leveraged tools to enumerate system information.<span onclick=scrollToRef('scite-316') id="scite-ref-316-a" class="scite-citeref-number" title="Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024."data-reference="Trend Micro Ransomware Spotlight Play July 2023"><sup><a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank" data-hasqtip="315" aria-describedby="qtip-315">[316]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0428"> S0428 </a> </td> <td> <a href="/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/software/S0428">PoetRAT</a> has the ability to gather information about the compromised host.<span onclick=scrollToRef('scite-317') id="scite-ref-317-a" class="scite-citeref-number" title="Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. 
Retrieved April 27, 2020."data-reference="Talos PoetRAT April 2020"><sup><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="316" aria-describedby="qtip-316">[317]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0453"> S0453 </a> </td> <td> <a href="/software/S0453"> Pony </a> </td> <td> <p><a href="/software/S0453">Pony</a> has collected the Service Pack, language, and region information to send to the C2.<span onclick=scrollToRef('scite-318') id="scite-ref-318-a" class="scite-citeref-number" title="hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020."data-reference="Malwarebytes Pony April 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank" data-hasqtip="317" aria-describedby="qtip-317">[318]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0216"> S0216 </a> </td> <td> <a href="/software/S0216"> POORAIM </a> </td> <td> <p><a href="/software/S0216">POORAIM</a> can identify system information, including battery status.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0378"> S0378 </a> </td> <td> <a href="/software/S0378"> PoshC2 </a> </td> <td> <p><a href="/software/S0378">PoshC2</a> contains modules, such as <code>Get-ComputerInfo</code>, for enumerating common system information.<span onclick=scrollToRef('scite-319') id="scite-ref-319-a" class="scite-citeref-number" title="Nettitude. (2018, July 23). Python Server for PoshC2. 
Retrieved April 23, 2019."data-reference="GitHub PoshC2"><sup><a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="318" aria-describedby="qtip-318">[319]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0139"> S0139 </a> </td> <td> <a href="/software/S0139"> PowerDuke </a> </td> <td> <p><a href="/software/S0139">PowerDuke</a> has commands to get information about the victim's name, build, version, serial number, and memory usage.<span onclick=scrollToRef('scite-320') id="scite-ref-320-a" class="scite-citeref-number" title="Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017."data-reference="Volexity PowerDuke November 2016"><sup><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="319" aria-describedby="qtip-319">[320]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0441"> S0441 </a> </td> <td> <a href="/software/S0441"> PowerShower </a> </td> <td> <p><a href="/software/S0441">PowerShower</a> has collected system information on the infected host.<span onclick=scrollToRef('scite-321') id="scite-ref-321-a" class="scite-citeref-number" title="Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. 
Retrieved May 8, 2020."data-reference="Unit 42 Inception November 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" target="_blank" data-hasqtip="320" aria-describedby="qtip-320">[321]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0223"> S0223 </a> </td> <td> <a href="/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/software/S0223">POWERSTATS</a> can retrieve OS name/architecture and computer/domain name information from compromised hosts.<span onclick=scrollToRef('scite-322') id="scite-ref-322-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="321" aria-describedby="qtip-321">[322]</a></sup></span><span onclick=scrollToRef('scite-323') id="scite-ref-323-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. 
Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="322" aria-describedby="qtip-322">[323]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0184"> S0184 </a> </td> <td> <a href="/software/S0184"> POWRUNER </a> </td> <td> <p><a href="/software/S0184">POWRUNER</a> may collect information about the system by running <code>hostname</code> and <code>systeminfo</code> on a victim.<span onclick=scrollToRef('scite-324') id="scite-ref-324-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="323" aria-describedby="qtip-323">[324]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0113"> S0113 </a> </td> <td> <a href="/software/S0113"> Prikormka </a> </td> <td> <p>A module in <a href="/software/S0113">Prikormka</a> collects information from the victim about Windows OS version, computer name, battery info, and physical memory.<span onclick=scrollToRef('scite-325') id="scite-ref-325-a" class="scite-citeref-number" title="Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. 
Retrieved May 18, 2016."data-reference="ESET Operation Groundbait"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="324" aria-describedby="qtip-324">[325]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0238"> S0238 </a> </td> <td> <a href="/software/S0238"> Proxysvc </a> </td> <td> <p><a href="/software/S0238">Proxysvc</a> collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018."data-reference="McAfee GhostSecret"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0196"> S0196 </a> </td> <td> <a href="/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/software/S0196">PUNCHBUGGY</a> can gather system information such as computer names.<span onclick=scrollToRef('scite-326') id="scite-ref-326-a" class="scite-citeref-number" title="Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. 
Retrieved June 13, 2019."data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="325" aria-describedby="qtip-325">[326]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0192"> S0192 </a> </td> <td> <a href="/software/S0192"> Pupy </a> </td> <td> <p><a href="/software/S0192">Pupy</a> can grab a system’s information including the OS version, architecture, etc.<span onclick=scrollToRef('scite-327') id="scite-ref-327-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). Retrieved January 29, 2018."data-reference="GitHub Pupy"><sup><a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="326" aria-describedby="qtip-326">[327]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0650"> S0650 </a> </td> <td> <a href="/software/S0650"> QakBot </a> </td> <td> <p><a href="/software/S0650">QakBot</a> can collect system information including the OS version and domain on a compromised host.<span onclick=scrollToRef('scite-328') id="scite-ref-328-a" class="scite-citeref-number" title="CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021."data-reference="Crowdstrike Qakbot October 2020"><sup><a href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank" data-hasqtip="327" aria-describedby="qtip-327">[328]</a></sup></span><span onclick=scrollToRef('scite-329') id="scite-ref-329-a" class="scite-citeref-number" title="Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021."data-reference="ATT QakBot April 2021"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot" target="_blank" data-hasqtip="328" aria-describedby="qtip-328">[329]</a></sup></span><span onclick=scrollToRef('scite-330') id="scite-ref-330-a" class="scite-citeref-number" title="Group IB. 
(2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020"><sup><a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="329" aria-describedby="qtip-329">[330]</a></sup></span><span onclick=scrollToRef('scite-276') id="scite-ref-276-a" class="scite-citeref-number" title="Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023."data-reference="Microsoft Ransomware as a Service"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank" data-hasqtip="275" aria-describedby="qtip-275">[276]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0262"> S0262 </a> </td> <td> <a href="/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/software/S0262">QuasarRAT</a> can gather system information from the victim’s machine including the OS type.<span onclick=scrollToRef('scite-331') id="scite-ref-331-a" class="scite-citeref-number" title="MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018."data-reference="GitHub QuasarRAT"><sup><a href="https://github.com/quasar/QuasarRAT" target="_blank" data-hasqtip="330" aria-describedby="qtip-330">[331]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1148"> S1148 </a> </td> <td> <a href="/software/S1148"> Raccoon Stealer </a> </td> <td> <p><a href="/software/S1148">Raccoon Stealer</a> gathers information on infected systems such as operating system, processor information, RAM, and display information.<span onclick=scrollToRef('scite-332') id="scite-ref-332-a" class="scite-citeref-number" title="S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. 
Retrieved August 1, 2024."data-reference="S2W Racoon 2022"><sup><a href="https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" target="_blank" data-hasqtip="331" aria-describedby="qtip-331">[332]</a></sup></span><span onclick=scrollToRef('scite-333') id="scite-ref-333-a" class="scite-citeref-number" title="Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024."data-reference="Sekoia Raccoon2 2022"><sup><a href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank" data-hasqtip="332" aria-describedby="qtip-332">[333]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0458"> S0458 </a> </td> <td> <a href="/software/S0458"> Ramsay </a> </td> <td> <p><a href="/software/S0458">Ramsay</a> can detect system information — including disk names, total space, and remaining space — to create a hardware profile GUID which acts as a system identifier for operators.<span onclick=scrollToRef('scite-334') id="scite-ref-334-a" class="scite-citeref-number" title="Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020."data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="333" aria-describedby="qtip-333">[334]</a></sup></span><span onclick=scrollToRef('scite-335') id="scite-ref-335-a" class="scite-citeref-number" title="Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. 
Retrieved March 24, 2021."data-reference="Antiy CERT Ramsay April 2020"><sup><a href="https://www.programmersought.com/article/62493896999/" target="_blank" data-hasqtip="334" aria-describedby="qtip-334">[335]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1130"> S1130 </a> </td> <td> <a href="/software/S1130"> Raspberry Robin </a> </td> <td> <p><a href="/software/S1130">Raspberry Robin</a> performs several system checks as part of anti-analysis mechanisms, including querying the operating system build number, processor vendor and type, video controller, and CPU temperature.<span onclick=scrollToRef('scite-336') id="scite-ref-336-a" class="scite-citeref-number" title="Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024."data-reference="HP RaspberryRobin 2024"><sup><a href="https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/" target="_blank" data-hasqtip="335" aria-describedby="qtip-335">[336]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0241"> S0241 </a> </td> <td> <a href="/software/S0241"> RATANKBA </a> </td> <td> <p><a href="/software/S0241">RATANKBA</a> gathers information about the OS architecture, OS name, and OS version/Service pack.<span onclick=scrollToRef('scite-337') id="scite-ref-337-a" class="scite-citeref-number" title="Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018."data-reference="Lazarus RATANKBA"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank" data-hasqtip="336" aria-describedby="qtip-336">[337]</a></sup></span><span onclick=scrollToRef('scite-338') id="scite-ref-338-a" class="scite-citeref-number" title="Trend Micro. (2017, February 27). 
RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018."data-reference="RATANKBA"><sup><a href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank" data-hasqtip="337" aria-describedby="qtip-337">[338]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0662"> S0662 </a> </td> <td> <a href="/software/S0662"> RCSession </a> </td> <td> <p><a href="/software/S0662">RCSession</a> can gather system information from a compromised host.<span onclick=scrollToRef('scite-339') id="scite-ref-339-a" class="scite-citeref-number" title="Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021."data-reference="Profero APT27 December 2020"><sup><a href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank" data-hasqtip="338" aria-describedby="qtip-338">[339]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0172"> S0172 </a> </td> <td> <a href="/software/S0172"> Reaver </a> </td> <td> <p><a href="/software/S0172">Reaver</a> collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.<span onclick=scrollToRef('scite-340') id="scite-ref-340-a" class="scite-citeref-number" title="Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. 
Retrieved November 16, 2017."data-reference="Palo Alto Reaver Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank" data-hasqtip="339" aria-describedby="qtip-339">[340]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1039"> G1039 </a> </td> <td> <a href="/groups/G1039"> RedCurl </a> </td> <td> <p><a href="/groups/G1039">RedCurl</a> has collected information about the target system, such as system information and list of network connections.<span onclick=scrollToRef('scite-341') id="scite-ref-341-a" class="scite-citeref-number" title="Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024."data-reference="group-ib_redcurl1"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank" data-hasqtip="340" aria-describedby="qtip-340">[341]</a></sup></span><span onclick=scrollToRef('scite-342') id="scite-ref-342-a" class="scite-citeref-number" title="Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024."data-reference="group-ib_redcurl2"><sup><a href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank" data-hasqtip="341" aria-describedby="qtip-341">[342]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0153"> S0153 </a> </td> <td> <a href="/software/S0153"> RedLeaves </a> </td> <td> <p><a href="/software/S0153">RedLeaves</a> can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. 
Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span><span onclick=scrollToRef('scite-343') id="scite-ref-343-a" class="scite-citeref-number" title="Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018."data-reference="Accenture Hogfish April 2018"><sup><a href="http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="342" aria-describedby="qtip-342">[343]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0125"> S0125 </a> </td> <td> <a href="/software/S0125"> Remsec </a> </td> <td> <p><a href="/software/S0125">Remsec</a> can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.<span onclick=scrollToRef('scite-344') id="scite-ref-344-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016."data-reference="Kaspersky ProjectSauron Technical Analysis"><sup><a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank" data-hasqtip="343" aria-describedby="qtip-343">[344]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0379"> S0379 </a> </td> <td> <a href="/software/S0379"> Revenge RAT </a> </td> <td> <p><a href="/software/S0379">Revenge RAT</a> collects the CPU information, OS information, and system language.<span onclick=scrollToRef('scite-345') id="scite-ref-345-a" class="scite-citeref-number" title="Livelli, K, et al. (2018, November 12). Operation Shaheen. 
Retrieved May 1, 2019."data-reference="Cylance Shaheen Nov 2018"><sup><a href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank" data-hasqtip="344" aria-describedby="qtip-344">[345]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0496"> S0496 </a> </td> <td> <a href="/software/S0496"> REvil </a> </td> <td> <p><a href="/software/S0496">REvil</a> can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.<span onclick=scrollToRef('scite-346') id="scite-ref-346-a" class="scite-citeref-number" title="Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020."data-reference="Kaspersky Sodin July 2019"><sup><a href="https://securelist.com/sodin-ransomware/91473/" target="_blank" data-hasqtip="345" aria-describedby="qtip-345">[346]</a></sup></span><span onclick=scrollToRef('scite-347') id="scite-ref-347-a" class="scite-citeref-number" title="Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020."data-reference="Cylance Sodinokibi July 2019"><sup><a href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank" data-hasqtip="346" aria-describedby="qtip-346">[347]</a></sup></span><span onclick=scrollToRef('scite-348') id="scite-ref-348-a" class="scite-citeref-number" title="Secureworks. (2019, September 24). REvil: The GandCrab Connection. 
Retrieved August 4, 2020."data-reference="Secureworks GandCrab and REvil September 2019"><sup><a href="https://www.secureworks.com/blog/revil-the-gandcrab-connection" target="_blank" data-hasqtip="347" aria-describedby="qtip-347">[348]</a></sup></span><span onclick=scrollToRef('scite-349') id="scite-ref-349-a" class="scite-citeref-number" title="McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020."data-reference="McAfee Sodinokibi October 2019"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank" data-hasqtip="348" aria-describedby="qtip-348">[349]</a></sup></span><span onclick=scrollToRef('scite-349') id="scite-ref-349-a" class="scite-citeref-number" title="McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020."data-reference="McAfee Sodinokibi October 2019"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank" data-hasqtip="348" aria-describedby="qtip-348">[349]</a></sup></span><span onclick=scrollToRef('scite-350') id="scite-ref-350-a" class="scite-citeref-number" title="Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020."data-reference="Intel 471 REvil March 2020"><sup><a href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank" data-hasqtip="349" aria-describedby="qtip-349">[350]</a></sup></span><span onclick=scrollToRef('scite-351') id="scite-ref-351-a" class="scite-citeref-number" title="Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. 
Retrieved August 5, 2020."data-reference="Group IB Ransomware May 2020"><sup><a href="https://www.group-ib.com/whitepapers/ransomware-uncovered.html" target="_blank" data-hasqtip="350" aria-describedby="qtip-350">[351]</a></sup></span><span onclick=scrollToRef('scite-352') id="scite-ref-352-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020."data-reference="Secureworks REvil September 2019"><sup><a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="351" aria-describedby="qtip-351">[352]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0433"> S0433 </a> </td> <td> <a href="/software/S0433"> Rifdoor </a> </td> <td> <p><a href="/software/S0433">Rifdoor</a> has the ability to identify the Windows version on the compromised host.<span onclick=scrollToRef('scite-353') id="scite-ref-353-a" class="scite-citeref-number" title="Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="352" aria-describedby="qtip-352">[353]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0448"> S0448 </a> </td> <td> <a href="/software/S0448"> Rising Sun </a> </td> <td> <p><a href="/software/S0448">Rising Sun</a> can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.<span onclick=scrollToRef('scite-354') id="scite-ref-354-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. 
Retrieved May 14, 2020."data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="353" aria-describedby="qtip-353">[354]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1150"> S1150 </a> </td> <td> <a href="/software/S1150"> ROADSWEEP </a> </td> <td> <p><a href="/software/S1150">ROADSWEEP</a> can enumerate logical drives on targeted devices.<span onclick=scrollToRef('scite-355') id="scite-ref-355-a" class="scite-citeref-number" title="Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="354" aria-describedby="qtip-354">[355]</a></sup></span><span onclick=scrollToRef('scite-356') id="scite-ref-356-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="355" aria-describedby="qtip-355">[356]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0106"> G0106 </a> </td> <td> <a href="/groups/G0106"> Rocke </a> </td> <td> <p><a href="/groups/G0106">Rocke</a> has used uname -m to collect the name and information about the infected system's kernel.<span onclick=scrollToRef('scite-357') id="scite-ref-357-a" class="scite-citeref-number" title="Anomali Labs. (2019, March 15). 
Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."data-reference="Anomali Rocke March 2019"><sup><a href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" target="_blank" data-hasqtip="356" aria-describedby="qtip-356">[357]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0270"> S0270 </a> </td> <td> <a href="/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/software/S0270">RogueRobin</a> gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.<span onclick=scrollToRef('scite-358') id="scite-ref-358-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018."data-reference="Unit 42 DarkHydrus July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="357" aria-describedby="qtip-357">[358]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0240"> S0240 </a> </td> <td> <a href="/software/S0240"> ROKRAT </a> </td> <td> <p><a href="/software/S0240">ROKRAT</a> can gather the hostname and the OS version to ensure it doesn’t run on Windows XP or Windows Server 2003 systems.<span onclick=scrollToRef('scite-359') id="scite-ref-359-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018."data-reference="Talos ROKRAT"><sup><a href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank" data-hasqtip="358" aria-describedby="qtip-358">[359]</a></sup></span><span onclick=scrollToRef('scite-360') id="scite-ref-360-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. 
Retrieved May 21, 2018."data-reference="Talos ROKRAT 2"><sup><a href="https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" target="_blank" data-hasqtip="359" aria-describedby="qtip-359">[360]</a></sup></span><span onclick=scrollToRef('scite-361') id="scite-ref-361-a" class="scite-citeref-number" title="GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019."data-reference="Securelist ScarCruft May 2019"><sup><a href="https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" target="_blank" data-hasqtip="360" aria-describedby="qtip-360">[361]</a></sup></span><span onclick=scrollToRef('scite-362') id="scite-ref-362-a" class="scite-citeref-number" title="Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020."data-reference="NCCGroup RokRat Nov 2018"><sup><a href="https://research.nccgroup.com/2018/11/08/rokrat-analysis/" target="_blank" data-hasqtip="361" aria-describedby="qtip-361">[362]</a></sup></span><span onclick=scrollToRef('scite-363') id="scite-ref-363-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."data-reference="Volexity InkySquid RokRAT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank" data-hasqtip="362" aria-describedby="qtip-362">[363]</a></sup></span><span onclick=scrollToRef('scite-364') id="scite-ref-364-a" class="scite-citeref-number" title="Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. 
Retrieved March 22, 2022."data-reference="Malwarebytes RokRAT VBA January 2021"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" target="_blank" data-hasqtip="363" aria-describedby="qtip-363">[364]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1078"> S1078 </a> </td> <td> <a href="/software/S1078"> RotaJakiro </a> </td> <td> <p><a href="/software/S1078">RotaJakiro</a> executes a set of commands to collect device information, including <code>uname</code>. Another example is the <code>cat /etc/*release | uniq</code> command used to collect the current OS distribution.<span onclick=scrollToRef('scite-365') id="scite-ref-365-a" class="scite-citeref-number" title=" Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023."data-reference="RotaJakiro 2021 netlab360 analysis"><sup><a href="https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" target="_blank" data-hasqtip="364" aria-describedby="qtip-364">[365]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1073"> S1073 </a> </td> <td> <a href="/software/S1073"> Royal </a> </td> <td> <p><a href="/software/S1073">Royal</a> can use <code>GetNativeSystemInfo</code> and <code>GetLogicalDrives</code> to enumerate system processors and logical drives.<span onclick=scrollToRef('scite-366') id="scite-ref-366-a" class="scite-citeref-number" title="Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023."data-reference="Cybereason Royal December 2022"><sup><a href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank" data-hasqtip="365" aria-describedby="qtip-365">[366]</a></sup></span><span onclick=scrollToRef('scite-367') id="scite-ref-367-a" class="scite-citeref-number" title="Morales, N. et al. 
(2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023."data-reference="Trend Micro Royal Linux ESXi February 2023"><sup><a href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" target="_blank" data-hasqtip="366" aria-describedby="qtip-366">[367]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0148"> S0148 </a> </td> <td> <a href="/software/S0148"> RTM </a> </td> <td> <p><a href="/software/S0148">RTM</a> can obtain the computer name, OS version, and default language identifier.<span onclick=scrollToRef('scite-368') id="scite-ref-368-a" class="scite-citeref-number" title="Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017."data-reference="ESET RTM Feb 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="367" aria-describedby="qtip-367">[368]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0253"> S0253 </a> </td> <td> <a href="/software/S0253"> RunningRAT </a> </td> <td> <p><a href="/software/S0253">RunningRAT</a> gathers the OS version, logical drives information, processor information, and volume information.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. 
Retrieved June 6, 2018."data-reference="McAfee Gold Dragon"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0446"> S0446 </a> </td> <td> <a href="/software/S0446"> Ryuk </a> </td> <td> <p><a href="/software/S0446">Ryuk</a> has called <code>GetLogicalDrives</code> to enumerate all mounted drives, and <code>GetDriveTypeW</code> to determine the drive type.<span onclick=scrollToRef('scite-369') id="scite-ref-369-a" class="scite-citeref-number" title="Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."data-reference="CrowdStrike Ryuk January 2019"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="368" aria-describedby="qtip-368">[369]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0085"> S0085 </a> </td> <td> <a href="/software/S0085"> S-Type </a> </td> <td> <p>The initial beacon packet for <a href="/software/S0085">S-Type</a> contains the operating system version and file system of the victim.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1018"> S1018 </a> </td> <td> <a href="/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/software/S1018">Saint Bot</a> can identify the OS version, CPU, and other details from a victim's machine.<span onclick=scrollToRef('scite-370') id="scite-ref-370-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="369" aria-describedby="qtip-369">[370]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0034"> G0034 </a> </td> <td> <a href="/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/groups/G0034">Sandworm Team</a> used a backdoor to enumerate information about the infected system's operating system.<span onclick=scrollToRef('scite-371') id="scite-ref-371-a" class="scite-citeref-number" title="Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020."data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="370" aria-describedby="qtip-370">[371]</a></sup></span><span onclick=scrollToRef('scite-372') id="scite-ref-372-a" class="scite-citeref-number" title="Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. 
Retrieved November 25, 2020."data-reference="US District Court Indictment GRU Unit 74455 October 2020"><sup><a href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank" data-hasqtip="371" aria-describedby="qtip-371">[372]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1085"> S1085 </a> </td> <td> <a href="/software/S1085"> Sardonic </a> </td> <td> <p><a href="/software/S1085">Sardonic</a> has the ability to collect the computer name, CPU manufacturer name, and C:\ drive serial number from a compromised machine. <a href="/software/S1085">Sardonic</a> also has the ability to execute the <code>ver</code> and <code>systeminfo</code> commands.<span onclick=scrollToRef('scite-373') id="scite-ref-373-a" class="scite-citeref-number" title="Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023."data-reference="Bitdefender Sardonic Aug 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank" data-hasqtip="372" aria-describedby="qtip-372">[373]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0461"> S0461 </a> </td> <td> <a href="/software/S0461"> SDBbot </a> </td> <td> <p><a href="/software/S0461">SDBbot</a> has the ability to identify the OS version, OS bit information and computer name.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. 
Retrieved May 29, 2020."data-reference="Proofpoint TA505 October 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022."data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0382"> S0382 </a> </td> <td> <a href="/software/S0382"> ServHelper </a> </td> <td> <p><a href="/software/S0382">ServHelper</a> will attempt to enumerate Windows version and system architecture.<span onclick=scrollToRef('scite-374') id="scite-ref-374-a" class="scite-citeref-number" title="Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Jan 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank" data-hasqtip="373" aria-describedby="qtip-373">[374]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0596"> S0596 </a> </td> <td> <a href="/software/S0596"> ShadowPad </a> </td> <td> <p><a href="/software/S0596">ShadowPad</a> has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.<span onclick=scrollToRef('scite-375') id="scite-ref-375-a" class="scite-citeref-number" title="Kaspersky Lab. (2017, August). 
ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021."data-reference="Kaspersky ShadowPad Aug 2017"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank" data-hasqtip="374" aria-describedby="qtip-374">[375]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0140"> S0140 </a> </td> <td> <a href="/software/S0140"> Shamoon </a> </td> <td> <p><a href="/software/S0140">Shamoon</a> obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.<span onclick=scrollToRef('scite-376') id="scite-ref-376-a" class="scite-citeref-number" title="Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017."data-reference="Palo Alto Shamoon Nov 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="375" aria-describedby="qtip-375">[376]</a></sup></span><span onclick=scrollToRef('scite-377') id="scite-ref-377-a" class="scite-citeref-number" title="Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019."data-reference="Unit 42 Shamoon3 2018"><sup><a href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" target="_blank" data-hasqtip="376" aria-describedby="qtip-376">[377]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1019"> S1019 </a> </td> <td> <a href="/software/S1019"> Shark </a> </td> <td> <p><a href="/software/S1019">Shark</a> can collect the GUID of a targeted machine.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. 
Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a></sup></span><span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" title="Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022."data-reference="Accenture Lyceum Targets November 2021"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1089"> S1089 </a> </td> <td> <a href="/software/S1089"> SharpDisco </a> </td> <td> <p><a href="/software/S1089">SharpDisco</a> can use a plugin to enumerate system drives.<span onclick=scrollToRef('scite-378') id="scite-ref-378-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="377" aria-describedby="qtip-377">[378]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0546"> S0546 </a> </td> <td> <a href="/software/S0546"> SharpStage </a> </td> <td> <p><a href="/software/S0546">SharpStage</a> has checked the system settings to see if Arabic is the configured language.<span onclick=scrollToRef('scite-379') id="scite-ref-379-a" class="scite-citeref-number" title="Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. 
Retrieved December 28, 2020."data-reference="BleepingComputer Molerats Dec 2020"><sup><a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="378" aria-describedby="qtip-378">[379]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0450"> S0450 </a> </td> <td> <a href="/software/S0450"> SHARPSTATS </a> </td> <td> <p><a href="/software/S0450">SHARPSTATS</a> has the ability to identify the IP address, machine name, and OS of the compromised host.<span onclick=scrollToRef('scite-323') id="scite-ref-323-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="322" aria-describedby="qtip-322">[323]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0445"> S0445 </a> </td> <td> <a href="/software/S0445"> ShimRatReporter </a> </td> <td> <p><a href="/software/S0445">ShimRatReporter</a> gathered the operating system name and specific Windows version of an infected machine.<span onclick=scrollToRef('scite-380') id="scite-ref-380-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. 
Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="379" aria-describedby="qtip-379">[380]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0217"> S0217 </a> </td> <td> <a href="/software/S0217"> SHUTTERSPEED </a> </td> <td> <p><a href="/software/S0217">SHUTTERSPEED</a> can collect system information.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1008"> G1008 </a> </td> <td> <a href="/groups/G1008"> SideCopy </a> </td> <td> <p><a href="/groups/G1008">SideCopy</a> has identified the OS version of a compromised host.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022."data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0610"> S0610 </a> </td> <td> <a href="/software/S0610"> SideTwist </a> </td> <td> <p><a href="/software/S0610">SideTwist</a> can collect the computer name of a targeted system.<span onclick=scrollToRef('scite-295') id="scite-ref-295-a" class="scite-citeref-number" title="Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. 
Retrieved May 5, 2021."data-reference="Check Point APT34 April 2021"><sup><a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="294" aria-describedby="qtip-294">[295]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0121"> G0121 </a> </td> <td> <a href="/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/groups/G0121">Sidewinder</a> has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.<span onclick=scrollToRef('scite-381') id="scite-ref-381-a" class="scite-citeref-number" title="Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021."data-reference="ATT Sidewinder January 2021"><sup><a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="380" aria-describedby="qtip-380">[381]</a></sup></span><span onclick=scrollToRef('scite-382') id="scite-ref-382-a" class="scite-citeref-number" title="Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021."data-reference="Rewterz Sidewinder COVID-19 June 2020"><sup><a href="https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19" target="_blank" data-hasqtip="381" aria-describedby="qtip-381">[382]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0692"> S0692 </a> </td> <td> <a href="/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/software/S0692">SILENTTRINITY</a> can collect information related to a compromised host, including OS version and a list of drives.<span onclick=scrollToRef('scite-383') id="scite-ref-383-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. 
Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="382" aria-describedby="qtip-382">[383]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0468"> S0468 </a> </td> <td> <a href="/software/S0468"> Skidmap </a> </td> <td> <p><a href="/software/S0468">Skidmap</a> has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.<span onclick=scrollToRef('scite-384') id="scite-ref-384-a" class="scite-citeref-number" title="Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020."data-reference="Trend Micro Skidmap"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank" data-hasqtip="383" aria-describedby="qtip-383">[384]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0533"> S0533 </a> </td> <td> <a href="/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/software/S0533">SLOTHFULMEDIA</a> has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.<span onclick=scrollToRef('scite-385') id="scite-ref-385-a" class="scite-citeref-number" title="DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. 
Retrieved October 2, 2020."data-reference="CISA MAR SLOTHFULMEDIA October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="384" aria-describedby="qtip-384">[385]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0218"> S0218 </a> </td> <td> <a href="/software/S0218"> SLOWDRIFT </a> </td> <td> <p><a href="/software/S0218">SLOWDRIFT</a> collects and sends system information to its C2.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0649"> S0649 </a> </td> <td> <a href="/software/S0649"> SMOKEDHAM </a> </td> <td> <p><a href="/software/S0649">SMOKEDHAM</a> has used the <code>systeminfo</code> command on a compromised host.<span onclick=scrollToRef('scite-386') id="scite-ref-386-a" class="scite-citeref-number" title="FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021."data-reference="FireEye SMOKEDHAM June 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank" data-hasqtip="385" aria-describedby="qtip-385">[386]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1086"> S1086 </a> </td> <td> <a href="/software/S1086"> Snip3 </a> </td> <td> <p><a href="/software/S1086">Snip3</a> has the ability to query <code>Win32_ComputerSystem</code> for system information. <span onclick=scrollToRef('scite-387') id="scite-ref-387-a" class="scite-citeref-number" title="Lorber, N. (2021, May 7). 
Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023."data-reference="Morphisec Snip3 May 2021"><sup><a href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank" data-hasqtip="386" aria-describedby="qtip-386">[387]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1124"> S1124 </a> </td> <td> <a href="/software/S1124"> SocGholish </a> </td> <td> <p><a href="/software/S1124">SocGholish</a> has the ability to enumerate system information including the victim computer name.<span onclick=scrollToRef('scite-388') id="scite-ref-388-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="387" aria-describedby="qtip-387">[388]</a></sup></span><span onclick=scrollToRef('scite-389') id="scite-ref-389-a" class="scite-citeref-number" title="Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024."data-reference="Red Canary SocGholish March 2024"><sup><a href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank" data-hasqtip="388" aria-describedby="qtip-388">[389]</a></sup></span><span onclick=scrollToRef('scite-390') id="scite-ref-390-a" class="scite-citeref-number" title="Secureworks. (n.d.). GOLD PRELUDE . 
Retrieved March 22, 2024."data-reference="Secureworks Gold Prelude Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/gold-prelude" target="_blank" data-hasqtip="389" aria-describedby="qtip-389">[390]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0627"> S0627 </a> </td> <td> <a href="/software/S0627"> SodaMaster </a> </td> <td> <p><a href="/software/S0627">SodaMaster</a> can enumerate the host name and OS version on a target system.<span onclick=scrollToRef('scite-391') id="scite-ref-391-a" class="scite-citeref-number" title="GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021."data-reference="Securelist APT10 March 2021"><sup><a href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="390" aria-describedby="qtip-390">[391]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/campaigns/C0024"> C0024 </a> </td> <td> <a href="/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/groups/G0016">APT29</a> used <code>fsutil</code> to check available free space before executing actions that might create large files on disk.<span onclick=scrollToRef('scite-392') id="scite-ref-392-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . 
Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="391" aria-describedby="qtip-391">[392]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0615"> S0615 </a> </td> <td> <a href="/software/S0615"> SombRAT </a> </td> <td> <p><a href="/software/S0615">SombRAT</a> can execute <code>getinfo</code> to enumerate the computer name and OS version of a compromised system.<span onclick=scrollToRef('scite-393') id="scite-ref-393-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="392" aria-describedby="qtip-392">[393]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0516"> S0516 </a> </td> <td> <a href="/software/S0516"> SoreFang </a> </td> <td> <p><a href="/software/S0516">SoreFang</a> can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing <a href="/software/S0096">Systeminfo</a>.<span onclick=scrollToRef('scite-394') id="scite-ref-394-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. 
Retrieved September 29, 2020." data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" rel="noopener noreferrer" data-hasqtip="393" aria-describedby="qtip-393">[394]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0157"> S0157 </a> </td> <td> <a href="/software/S0157"> SOUNDBITE </a> </td> <td> <p><a href="/software/S0157">SOUNDBITE</a> is capable of gathering system information.<span onclick="scrollToRef('scite-216')" id="scite-ref-216-a" class="scite-citeref-number" title="Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017." data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" rel="noopener noreferrer" data-hasqtip="215" aria-describedby="qtip-215">[216]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0054"> G0054 </a> </td> <td> <a href="/groups/G0054"> Sowbug </a> </td> <td> <p><a href="/groups/G0054">Sowbug</a> obtained OS version and hardware configuration from a victim.<span onclick="scrollToRef('scite-395')" id="scite-ref-395-a" class="scite-citeref-number" title="Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017." data-reference="Symantec Sowbug Nov 2017"><sup><a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" rel="noopener noreferrer" data-hasqtip="394" aria-describedby="qtip-394">[395]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0543"> S0543 </a> </td> <td> <a href="/software/S0543"> Spark </a> </td> <td> <p><a href="/software/S0543">Spark</a> can collect the hostname, keyboard layout, and language from the system.<span onclick="scrollToRef('scite-396')" id="scite-ref-396-a" class="scite-citeref-number" title="Falcone, R., et al. 
(2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020."data-reference="Unit42 Molerat Mar 2020"><sup><a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="395" aria-describedby="qtip-395">[396]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0374"> S0374 </a> </td> <td> <a href="/software/S0374"> SpeakUp </a> </td> <td> <p><a href="/software/S0374">SpeakUp</a> uses the <code>cat /proc/cpuinfo | grep -c "cpu family" 2&gt;&amp;1</code> command to gather system information. <span onclick=scrollToRef('scite-397') id="scite-ref-397-a" class="scite-citeref-number" title="Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019."data-reference="CheckPoint SpeakUp Feb 2019"><sup><a href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank" data-hasqtip="396" aria-describedby="qtip-396">[397]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0646"> S0646 </a> </td> <td> <a href="/software/S0646"> SpicyOmelette </a> </td> <td> <p><a href="/software/S0646">SpicyOmelette</a> can identify the system name of a compromised host.<span onclick=scrollToRef('scite-398') id="scite-ref-398-a" class="scite-citeref-number" title="CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. 
Retrieved September 20, 2021."data-reference="Secureworks GOLD KINGSWOOD September 2018"><sup><a href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank" data-hasqtip="397" aria-describedby="qtip-397">[398]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1030"> S1030 </a> </td> <td> <a href="/software/S1030"> Squirrelwaffle </a> </td> <td> <p><a href="/software/S1030">Squirrelwaffle</a> has gathered victim computer information and configurations.<span onclick=scrollToRef('scite-399') id="scite-ref-399-a" class="scite-citeref-number" title="Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022."data-reference="ZScaler Squirrelwaffle Sep 2021"><sup><a href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank" data-hasqtip="398" aria-describedby="qtip-398">[399]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0058"> S0058 </a> </td> <td> <a href="/software/S0058"> SslMM </a> </td> <td> <p><a href="/software/S0058">SslMM</a> sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.<span onclick=scrollToRef('scite-400') id="scite-ref-400-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. 
Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="399" aria-describedby="qtip-399">[400]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1037"> S1037 </a> </td> <td> <a href="/software/S1037"> STARWHALE </a> </td> <td> <p><a href="/software/S1037">STARWHALE</a> can gather the computer name of an infected host.<span onclick=scrollToRef('scite-401') id="scite-ref-401-a" class="scite-citeref-number" title="Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022."data-reference="Mandiant UNC3313 Feb 2022"><sup><a href="https://www.mandiant.com/resources/telegram-malware-iranian-espionage" target="_blank" data-hasqtip="400" aria-describedby="qtip-400">[401]</a></sup></span><span onclick=scrollToRef('scite-402') id="scite-ref-402-a" class="scite-citeref-number" title="FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022."data-reference="DHS CISA AA22-055A MuddyWater February 2022"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="401" aria-describedby="qtip-401">[402]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0038"> G0038 </a> </td> <td> <a href="/groups/G0038"> Stealth Falcon </a> </td> <td> <p><a href="/groups/G0038">Stealth Falcon</a> malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.<span onclick=scrollToRef('scite-403') id="scite-ref-403-a" class="scite-citeref-number" title="Marczak, B. and Scott-Railton, J.. (2016, May 29). 
Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016."data-reference="Citizen Lab Stealth Falcon May 2016"><sup><a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="402" aria-describedby="qtip-402">[403]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0380"> S0380 </a> </td> <td> <a href="/software/S0380"> StoneDrill </a> </td> <td> <p><a href="/software/S0380">StoneDrill</a> has the capability to discover the system OS, Windows version, architecture and environment.<span onclick=scrollToRef('scite-404') id="scite-ref-404-a" class="scite-citeref-number" title="Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019."data-reference="Kaspersky StoneDrill 2017"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank" data-hasqtip="403" aria-describedby="qtip-403">[404]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S0142"> S0142 </a> </td> <td> <a href="/software/S0142"> StreamEx </a> </td> <td> <p><a href="/software/S0142">StreamEx</a> has the ability to enumerate system information.<span onclick=scrollToRef('scite-405') id="scite-ref-405-a" class="scite-citeref-number" title="Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. 
Retrieved February 15, 2017."data-reference="Cylance Shell Crew Feb 2017"><sup><a href="https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" target="_blank" data-hasqtip="404" aria-describedby="qtip-404">[405]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1034"> S1034 </a> </td> <td> <a href="/software/S1034"> StrifeWater </a> </td> <td> <p><a href="/software/S1034">StrifeWater</a> can collect the OS version, architecture, and machine name to create a unique token for the infected host.<span onclick=scrollToRef('scite-406') id="scite-ref-406-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022."data-reference="Cybereason StrifeWater Feb 2022"><sup><a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank" data-hasqtip="405" aria-describedby="qtip-405">[406]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0491"> S0491 </a> </td> <td> <a href="/software/S0491"> StrongPity </a> </td> <td> <p><a href="/software/S0491">StrongPity</a> can identify the hard disk volume serial number on a compromised host.<span onclick=scrollToRef('scite-407') id="scite-ref-407-a" class="scite-citeref-number" title="Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. 
Retrieved July 20, 2020." data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" rel="noopener noreferrer" data-hasqtip="406" aria-describedby="qtip-406">[407]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0603"> S0603 </a> </td> <td> <a href="/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/software/S0603">Stuxnet</a> collects system information including computer and domain names, OS version, and S7P paths.<span onclick="scrollToRef('scite-408')" id="scite-ref-408-a" class="scite-citeref-number" title="Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017." data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="407" aria-describedby="qtip-407">[408]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0559"> S0559 </a> </td> <td> <a href="/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/software/S0559">SUNBURST</a> collected hostname and OS version.<span onclick="scrollToRef('scite-409')" id="scite-ref-409-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021." data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" rel="noopener noreferrer" data-hasqtip="408" aria-describedby="qtip-408">[409]</a></sup></span><span onclick="scrollToRef('scite-410')" id="scite-ref-410-a" class="scite-citeref-number" title="MSTIC. (2020, December 18). 
Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021."data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="409" aria-describedby="qtip-409">[410]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1064"> S1064 </a> </td> <td> <a href="/software/S1064"> SVCReady </a> </td> <td> <p><a href="/software/S1064">SVCReady</a> has the ability to collect information such as computer name, computer manufacturer, BIOS, operating system, and firmware, including through the use of <code>systeminfo.exe</code>.<span onclick=scrollToRef('scite-411') id="scite-ref-411-a" class="scite-citeref-number" title="Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022."data-reference="HP SVCReady Jun 2022"><sup><a href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank" data-hasqtip="410" aria-describedby="qtip-410">[411]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0242"> S0242 </a> </td> <td> <a href="/software/S0242"> SynAck </a> </td> <td> <p><a href="/software/S0242">SynAck</a> gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.<span onclick=scrollToRef('scite-412') id="scite-ref-412-a" class="scite-citeref-number" title="Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. 
Retrieved May 22, 2018."data-reference="SecureList SynAck Doppelgänging May 2018"><sup><a href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank" data-hasqtip="411" aria-describedby="qtip-411">[412]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0060"> S0060 </a> </td> <td> <a href="/software/S0060"> Sys10 </a> </td> <td> <p><a href="/software/S0060">Sys10</a> collects the computer name, OS versioning information, and OS install date and sends the information to the C2.<span onclick=scrollToRef('scite-400') id="scite-ref-400-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="399" aria-describedby="qtip-399">[400]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0464"> S0464 </a> </td> <td> <a href="/software/S0464"> SYSCON </a> </td> <td> <p><a href="/software/S0464">SYSCON</a> has the ability to use <a href="/software/S0096">Systeminfo</a> to identify system information.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. 
Retrieved June 2, 2020."data-reference="Unit 42 CARROTBAT January 2020"><sup><a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0096"> S0096 </a> </td> <td> <a href="/software/S0096"> Systeminfo </a> </td> <td> <p><a href="/software/S0096">Systeminfo</a> can be used to gather information about the operating system.<span onclick=scrollToRef('scite-413') id="scite-ref-413-a" class="scite-citeref-number" title="Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016."data-reference="TechNet Systeminfo"><sup><a href="https://technet.microsoft.com/en-us/library/bb491007.aspx" target="_blank" data-hasqtip="412" aria-describedby="qtip-412">[413]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0663"> S0663 </a> </td> <td> <a href="/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/software/S0663">SysUpdate</a> can collect a system's architecture, operating system version, hostname, and drive information.<span onclick=scrollToRef('scite-414') id="scite-ref-414-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="413" aria-describedby="qtip-413">[414]</a></sup></span><span onclick=scrollToRef('scite-415') id="scite-ref-415-a" class="scite-citeref-number" title="Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. 
Retrieved March 20, 2023."data-reference="Lunghi Iron Tiger Linux"><sup><a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="414" aria-describedby="qtip-414">[415]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0098"> S0098 </a> </td> <td> <a href="/software/S0098"> T9000 </a> </td> <td> <p><a href="/software/S0098">T9000</a> gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.<span onclick=scrollToRef('scite-416') id="scite-ref-416-a" class="scite-citeref-number" title="Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016."data-reference="Palo Alto T9000 Feb 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" target="_blank" data-hasqtip="415" aria-describedby="qtip-415">[416]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1018"> G1018 </a> </td> <td> <a href="/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/groups/G1018">TA2541</a> has collected system information prior to downloading malware on the targeted host.<span onclick=scrollToRef('scite-417') id="scite-ref-417-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="416" aria-describedby="qtip-416">[417]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0586"> S0586 </a> </td> <td> <a href="/software/S0586"> TAINTEDSCRIBE </a> </td> <td> <p><a href="/software/S0586">TAINTEDSCRIBE</a> can use <code>DriveList</code> to retrieve drive information.<span onclick=scrollToRef('scite-418') id="scite-ref-418-a" class="scite-citeref-number" title="USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021."data-reference="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" data-hasqtip="417" aria-describedby="qtip-417">[418]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0467"> S0467 </a> </td> <td> <a href="/software/S0467"> TajMahal </a> </td> <td> <p><a href="/software/S0467">TajMahal</a> has the ability to identify hardware information, the computer name, and OS information on an infected host.<span onclick=scrollToRef('scite-419') id="scite-ref-419-a" class="scite-citeref-number" title="GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019."data-reference="Kaspersky TajMahal April 2019"><sup><a href="https://securelist.com/project-tajmahal/90240/" target="_blank" data-hasqtip="418" aria-describedby="qtip-418">[419]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0139"> G0139 </a> </td> <td> <a href="/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for system version, architecture, disk partition, logical volume, and hostname information.<span onclick=scrollToRef('scite-420') id="scite-ref-420-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). 
TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="419" aria-describedby="qtip-419">[420]</a></sup></span><span onclick=scrollToRef('scite-421') id="scite-ref-421-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="420" aria-describedby="qtip-420">[421]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0665"> S0665 </a> </td> <td> <a href="/software/S0665"> ThreatNeedle </a> </td> <td> <p><a href="/software/S0665">ThreatNeedle</a> can collect system profile information from a compromised host.<span onclick=scrollToRef('scite-422') id="scite-ref-422-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="421" aria-describedby="qtip-421">[422]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1022"> G1022 </a> </td> <td> <a href="/groups/G1022"> ToddyCat </a> </td> <td> <p><a href="/groups/G1022">ToddyCat</a> has collected information on bootable drives including model, vendor, and serial numbers.<span onclick=scrollToRef('scite-285') id="scite-ref-285-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. 
Retrieved January 3, 2024." data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" rel="noopener noreferrer" data-hasqtip="284" aria-describedby="qtip-284">[285]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0678"> S0678 </a> </td> <td> <a href="/software/S0678"> Torisma </a> </td> <td> <p><a href="/software/S0678">Torisma</a> can use <code>GetLogicalDrives</code> to get a bitmask of all drives available on a compromised system. It can also use <code>GetDriveType</code> to determine if a new drive is a CD-ROM drive.<span onclick="scrollToRef('scite-423')" id="scite-ref-423-a" class="scite-citeref-number" title="Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021." data-reference="McAfee Lazarus Nov 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" rel="noopener noreferrer" data-hasqtip="422" aria-describedby="qtip-422">[423]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0266"> S0266 </a> </td> <td> <a href="/software/S0266"> TrickBot </a> </td> <td> <p><a href="/software/S0266">TrickBot</a> gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.<span onclick="scrollToRef('scite-424')" id="scite-ref-424-a" class="scite-citeref-number" title="Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018." data-reference="S2 Grupo TrickBot June 2017"><sup><a href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="423" aria-describedby="qtip-423">[424]</a></sup></span><span onclick="scrollToRef('scite-425')" id="scite-ref-425-a" class="scite-citeref-number" title="Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. 
Retrieved August 2, 2018."data-reference="Fidelis TrickBot Oct 2016"><sup><a href="https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" target="_blank" data-hasqtip="424" aria-describedby="qtip-424">[425]</a></sup></span><span onclick=scrollToRef('scite-426') id="scite-ref-426-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019"><sup><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="425" aria-describedby="qtip-425">[426]</a></sup></span><span onclick=scrollToRef('scite-427') id="scite-ref-427-a" class="scite-citeref-number" title="Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021."data-reference="Eclypsium Trickboot December 2020"><sup><a href="https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf" target="_blank" data-hasqtip="426" aria-describedby="qtip-426">[427]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0094"> S0094 </a> </td> <td> <a href="/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/software/S0094">Trojan.Karagany</a> can capture information regarding the victim's OS, security, and hardware configuration.<span onclick=scrollToRef('scite-428') id="scite-ref-428-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. 
Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="427" aria-describedby="qtip-427">[428]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0081"> G0081 </a> </td> <td> <a href="/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/groups/G0081">Tropic Trooper</a> has detected a target system’s OS version and system volume information.<span onclick=scrollToRef('scite-429') id="scite-ref-429-a" class="scite-citeref-number" title="Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019."data-reference="TrendMicro TropicTrooper 2015"><sup><a href="https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" target="_blank" data-hasqtip="428" aria-describedby="qtip-428">[429]</a></sup></span><span onclick=scrollToRef('scite-430') id="scite-ref-430-a" class="scite-citeref-number" title="Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020."data-reference="TrendMicro Tropic Trooper May 2020"><sup><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="429" aria-describedby="qtip-429">[430]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0647"> S0647 </a> </td> <td> <a href="/software/S0647"> Turian </a> </td> <td> <p><a href="/software/S0647">Turian</a> can retrieve system information including OS version, memory usage, local hostname, and system adapter information.<span onclick=scrollToRef('scite-431') id="scite-ref-431-a" class="scite-citeref-number" title="Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. 
Retrieved September 1, 2021." data-reference="ESET BackdoorDiplomacy Jun 2021"><sup><a href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank" rel="noopener noreferrer" data-hasqtip="430" aria-describedby="qtip-430">[431]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0010"> G0010 </a> </td> <td> <a href="/groups/G0010"> Turla </a> </td> <td> <p><a href="/groups/G0010">Turla</a> surveys a system upon check-in to discover operating system configuration details using the <code>systeminfo</code> and <code>set</code> commands.<span onclick="scrollToRef('scite-432')" id="scite-ref-432-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014." data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" rel="noopener noreferrer" data-hasqtip="431" aria-describedby="qtip-431">[432]</a></sup></span><span onclick="scrollToRef('scite-433')" id="scite-ref-433-a" class="scite-citeref-number" title="Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020." data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" rel="noopener noreferrer" data-hasqtip="432" aria-describedby="qtip-432">[433]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0199"> S0199 </a> </td> <td> <a href="/software/S0199"> TURNEDUP </a> </td> <td> <p><a href="/software/S0199">TURNEDUP</a> is capable of gathering system information.<span onclick="scrollToRef('scite-434')" id="scite-ref-434-a" class="scite-citeref-number" title="O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. 
Retrieved February 15, 2018."data-reference="FireEye APT33 Sept 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="433" aria-describedby="qtip-433">[434]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0263"> S0263 </a> </td> <td> <a href="/software/S0263"> TYPEFRAME </a> </td> <td> <p><a href="/software/S0263">TYPEFRAME</a> can gather the disk volume information.<span onclick=scrollToRef('scite-435') id="scite-ref-435-a" class="scite-citeref-number" title="US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018."data-reference="US-CERT TYPEFRAME June 2018"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" data-hasqtip="434" aria-describedby="qtip-434">[435]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0130"> S0130 </a> </td> <td> <a href="/software/S0130"> Unknown Logger </a> </td> <td> <p><a href="/software/S0130">Unknown Logger</a> can obtain information about the victim computer name, physical memory, country, and date.<span onclick=scrollToRef('scite-436') id="scite-ref-436-a" class="scite-citeref-number" title="Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016."data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="435" aria-describedby="qtip-435">[436]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0275"> S0275 </a> </td> <td> <a href="/software/S0275"> UPPERCUT </a> </td> <td> <p><a href="/software/S0275">UPPERCUT</a> has the capability to gather the system’s hostname and OS version.<span onclick=scrollToRef('scite-437') id="scite-ref-437-a" class="scite-citeref-number" title="Matsuda, A., Muhammad I. (2018, September 13). 
APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018."data-reference="FireEye APT10 Sept 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="436" aria-describedby="qtip-436">[437]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0022"> S0022 </a> </td> <td> <a href="/software/S0022"> Uroburos </a> </td> <td> <p><a href="/software/S0022">Uroburos</a> has the ability to gather basic system information and run the POSIX API <code>gethostbyname</code>.<span onclick=scrollToRef('scite-438') id="scite-ref-438-a" class="scite-citeref-number" title="FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023."data-reference="Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023"><sup><a href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank" data-hasqtip="437" aria-describedby="qtip-437">[438]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0386"> S0386 </a> </td> <td> <a href="/software/S0386"> Ursnif </a> </td> <td> <p><a href="/software/S0386">Ursnif</a> has used <a href="/software/S0096">Systeminfo</a> to gather system information.<span onclick=scrollToRef('scite-439') id="scite-ref-439-a" class="scite-citeref-number" title="Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. 
Retrieved June 5, 2019."data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="438" aria-describedby="qtip-438">[439]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0476"> S0476 </a> </td> <td> <a href="/software/S0476"> Valak </a> </td> <td> <p><a href="/software/S0476">Valak</a> can determine the Windows version and computer name on a compromised host.<span onclick=scrollToRef('scite-440') id="scite-ref-440-a" class="scite-citeref-number" title="Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020."data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="439" aria-describedby="qtip-439">[440]</a></sup></span><span onclick=scrollToRef('scite-441') id="scite-ref-441-a" class="scite-citeref-number" title="Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020."data-reference="SentinelOne Valak June 2020"><sup><a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank" data-hasqtip="440" aria-describedby="qtip-440">[441]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0257"> S0257 </a> </td> <td> <a href="/software/S0257"> VERMIN </a> </td> <td> <p><a href="/software/S0257">VERMIN</a> collects the OS name, machine name, and architecture information.<span onclick=scrollToRef('scite-442') id="scite-ref-442-a" class="scite-citeref-number" title="Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. 
Retrieved July 5, 2018."data-reference="Unit 42 VERMIN Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="441" aria-describedby="qtip-441">[442]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0180"> S0180 </a> </td> <td> <a href="/software/S0180"> Volgmer </a> </td> <td> <p><a href="/software/S0180">Volgmer</a> can gather system information, the computer name, OS version, drive and serial information from the victim's machine.<span onclick=scrollToRef('scite-443') id="scite-ref-443-a" class="scite-citeref-number" title="US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017."data-reference="US-CERT Volgmer Nov 2017"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank" data-hasqtip="442" aria-describedby="qtip-442">[443]</a></sup></span><span onclick=scrollToRef('scite-444') id="scite-ref-444-a" class="scite-citeref-number" title="US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018."data-reference="US-CERT Volgmer 2 Nov 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank" data-hasqtip="443" aria-describedby="qtip-443">[444]</a></sup></span><span onclick=scrollToRef('scite-445') id="scite-ref-445-a" class="scite-citeref-number" title="Yagi, J. (2014, August 24). Trojan.Volgmer. 
Retrieved July 16, 2018."data-reference="Symantec Volgmer Aug 2014"><sup><a href="https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2" target="_blank" data-hasqtip="444" aria-describedby="qtip-444">[445]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1017"> G1017 </a> </td> <td> <a href="/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/groups/G1017">Volt Typhoon</a> has discovered file system types, drive names, size, and free space on compromised systems.<span onclick=scrollToRef('scite-446') id="scite-ref-446-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023."data-reference="Microsoft Volt Typhoon May 2023"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" target="_blank" data-hasqtip="445" aria-describedby="qtip-445">[446]</a></sup></span><span onclick=scrollToRef('scite-447') id="scite-ref-447-a" class="scite-citeref-number" title="NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023."data-reference="Joint Cybersecurity Advisory Volt Typhoon June 2023"><sup><a href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank" data-hasqtip="446" aria-describedby="qtip-446">[447]</a></sup></span><span onclick=scrollToRef('scite-448') id="scite-ref-448-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. 
Retrieved July 27, 2023."data-reference="Secureworks BRONZE SILHOUETTE May 2023"><sup><a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank" data-hasqtip="447" aria-describedby="qtip-447">[448]</a></sup></span><span onclick=scrollToRef('scite-449') id="scite-ref-449-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="448" aria-describedby="qtip-448">[449]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0670"> S0670 </a> </td> <td> <a href="/software/S0670"> WarzoneRAT </a> </td> <td> <p><a href="/software/S0670">WarzoneRAT</a> can collect compromised host information, including OS version, PC name, RAM size, and CPU details.<span onclick=scrollToRef('scite-450') id="scite-ref-450-a" class="scite-citeref-number" title="Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021."data-reference="Check Point Warzone Feb 2020"><sup><a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="449" aria-describedby="qtip-449">[450]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0514"> S0514 </a> </td> <td> <a href="/software/S0514"> WellMess </a> </td> <td> <p><a href="/software/S0514">WellMess</a> can identify the computer name of a compromised host.<span onclick=scrollToRef('scite-451') id="scite-ref-451-a" class="scite-citeref-number" title="PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. 
Retrieved September 24, 2020."data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="450" aria-describedby="qtip-450">[451]</a></sup></span><span onclick=scrollToRef('scite-452') id="scite-ref-452-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020."data-reference="CISA WellMess July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" data-hasqtip="451" aria-describedby="qtip-451">[452]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0689"> S0689 </a> </td> <td> <a href="/software/S0689"> WhisperGate </a> </td> <td> <p><a href="/software/S0689">WhisperGate</a> has the ability to enumerate fixed logical drives on a targeted system.<span onclick=scrollToRef('scite-453') id="scite-ref-453-a" class="scite-citeref-number" title="Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022."data-reference="Cisco Ukraine Wipers January 2022"><sup><a href="https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html" target="_blank" data-hasqtip="452" aria-describedby="qtip-452">[453]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0124"> G0124 </a> </td> <td> <a href="/groups/G0124"> Windigo </a> </td> <td> <p><a href="/groups/G0124">Windigo</a> has used a script to detect which Linux distribution and version is currently installed on the system.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. 
Retrieved July 16, 2020."data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0155"> S0155 </a> </td> <td> <a href="/software/S0155"> WINDSHIELD </a> </td> <td> <p><a href="/software/S0155">WINDSHIELD</a> can gather the victim computer name.<span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" title="Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017."data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0112"> G0112 </a> </td> <td> <a href="/groups/G0112"> Windshift </a> </td> <td> <p><a href="/groups/G0112">Windshift</a> has used malware to identify the computer name of a compromised host.<span onclick=scrollToRef('scite-454') id="scite-ref-454-a" class="scite-citeref-number" title="The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."data-reference="BlackBerry Bahamut"><sup><a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank" data-hasqtip="453" aria-describedby="qtip-453">[454]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0219"> S0219 </a> </td> <td> <a href="/software/S0219"> WINERACK </a> </td> <td> <p><a href="/software/S0219">WINERACK</a> can gather information about the host.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="FireEye. 
(2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018."data-reference="FireEye APT37 Feb 2018"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0176"> S0176 </a> </td> <td> <a href="/software/S0176"> Wingbird </a> </td> <td> <p><a href="/software/S0176">Wingbird</a> checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.<span onclick=scrollToRef('scite-455') id="scite-ref-455-a" class="scite-citeref-number" title="Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017."data-reference="Microsoft SIR Vol 21"><sup><a href="http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" target="_blank" data-hasqtip="454" aria-describedby="qtip-454">[455]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0059"> S0059 </a> </td> <td> <a href="/software/S0059"> WinMM </a> </td> <td> <p><a href="/software/S0059">WinMM</a> collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.<span onclick=scrollToRef('scite-400') id="scite-ref-400-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. 
Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="399" aria-describedby="qtip-399">[400]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0141"> S0141 </a> </td> <td> <a href="/software/S0141"> Winnti for Windows </a> </td> <td> <p><a href="/software/S0141">Winnti for Windows</a> can determine if the OS on a compromised host is newer than Windows XP.<span onclick=scrollToRef('scite-456') id="scite-ref-456-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017."data-reference="Novetta Winnti April 2015"><sup><a href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank" data-hasqtip="455" aria-describedby="qtip-455">[456]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G1035"> G1035 </a> </td> <td> <a href="/groups/G1035"> Winter Vivern </a> </td> <td> <p><a href="/groups/G1035">Winter Vivern</a> script execution includes basic victim information gathering steps which are then transmitted to command and control servers.<span onclick=scrollToRef('scite-457') id="scite-ref-457-a" class="scite-citeref-number" title="Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. 
Retrieved July 29, 2024."data-reference="DomainTools WinterVivern 2021"><sup><a href="https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/" target="_blank" data-hasqtip="456" aria-describedby="qtip-456">[457]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0102"> G0102 </a> </td> <td> <a href="/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/groups/G0102">Wizard Spider</a> has used <a href="/software/S0096">Systeminfo</a> and similar commands to acquire detailed configuration information of a victim's machine. <a href="/groups/G0102">Wizard Spider</a> has also utilized the PowerShell cmdlet <code>Get-ADComputer</code> to collect DNS hostnames, last logon dates, and operating system information from Active Directory.<span onclick=scrollToRef('scite-458') id="scite-ref-458-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020."data-reference="DFIR Ryuk's Return October 2020"><sup><a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="457" aria-describedby="qtip-457">[458]</a></sup></span><span onclick=scrollToRef('scite-459') id="scite-ref-459-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. 
Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021"><sup><a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="458" aria-describedby="qtip-458">[459]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1065"> S1065 </a> </td> <td> <a href="/software/S1065"> Woody RAT </a> </td> <td> <p><a href="/software/S1065">Woody RAT</a> can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, environment variables, and storage drives.<span onclick=scrollToRef('scite-460') id="scite-ref-460-a" class="scite-citeref-number" title="MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022."data-reference="MalwareBytes WoodyRAT Aug 2022"><sup><a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank" data-hasqtip="459" aria-describedby="qtip-459">[460]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0161"> S0161 </a> </td> <td> <a href="/software/S0161"> XAgentOSX </a> </td> <td> <p><a href="/software/S0161">XAgentOSX</a> contains the getInstalledAPP function to run <code>ls -la /Applications</code> to gather what applications are installed.<span onclick=scrollToRef('scite-461') id="scite-ref-461-a" class="scite-citeref-number" title="Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. 
Retrieved July 12, 2017."data-reference="XAgentOSX 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank" data-hasqtip="460" aria-describedby="qtip-460">[461]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0658"> S0658 </a> </td> <td> <a href="/software/S0658"> XCSSET </a> </td> <td> <p><a href="/software/S0658">XCSSET</a> identifies the macOS version and uses <code>ioreg</code> to determine serial number.<span onclick=scrollToRef('scite-462') id="scite-ref-462-a" class="scite-citeref-number" title="Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021."data-reference="trendmicro xcsset xcode project 2020"><sup><a href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank" data-hasqtip="461" aria-describedby="qtip-461">[462]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0388"> S0388 </a> </td> <td> <a href="/software/S0388"> YAHOYAH </a> </td> <td> <p><a href="/software/S0388">YAHOYAH</a> checks for the system’s Windows OS version and hostname.<span onclick=scrollToRef('scite-429') id="scite-ref-429-a" class="scite-citeref-number" title="Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. 
Retrieved June 14, 2019."data-reference="TrendMicro TropicTrooper 2015"><sup><a href="https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" target="_blank" data-hasqtip="428" aria-describedby="qtip-428">[429]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0248"> S0248 </a> </td> <td> <a href="/software/S0248"> yty </a> </td> <td> <p><a href="/software/S0248">yty</a> gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command <code>systeminfo</code>.<span onclick=scrollToRef('scite-463') id="scite-ref-463-a" class="scite-citeref-number" title="Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018."data-reference="ASERT Donot March 2018"><sup><a href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank" data-hasqtip="462" aria-describedby="qtip-462">[463]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0251"> S0251 </a> </td> <td> <a href="/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/software/S0251">Zebrocy</a> collects the OS version, computer name and serial number for the storage volume C:. <a href="/software/S0251">Zebrocy</a> also runs the <code>systeminfo</code> command to gather system information. <span onclick=scrollToRef('scite-464') id="scite-ref-464-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018."data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="463" aria-describedby="qtip-463">[464]</a></sup></span><span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Falcone, R., Lee, B. (2018, November 20). 
Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018."data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span><span onclick=scrollToRef('scite-465') id="scite-ref-465-a" class="scite-citeref-number" title="ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019."data-reference="ESET Zebrocy Nov 2018"><sup><a href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank" data-hasqtip="464" aria-describedby="qtip-464">[465]</a></sup></span><span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span><span onclick=scrollToRef('scite-466') id="scite-ref-466-a" class="scite-citeref-number" title="ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019."data-reference="ESET Zebrocy May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="465" aria-describedby="qtip-465">[466]</a></sup></span><span onclick=scrollToRef('scite-467') id="scite-ref-467-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="466" aria-describedby="qtip-466">[467]</a></sup></span><span onclick=scrollToRef('scite-468') id="scite-ref-468-a" class="scite-citeref-number" title="CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020."data-reference="CISA Zebrocy Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank" data-hasqtip="467" aria-describedby="qtip-467">[468]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S1151"> S1151 </a> </td> <td> <a href="/software/S1151"> ZeroCleare </a> </td> <td> <p><a href="/software/S1151">ZeroCleare</a> can use the <code>IOCTL_DISK_GET_DRIVE_GEOMETRY_EX</code>, <code>IOCTL_DISK_GET_DRIVE_GEOMETRY</code>, and <code>IOCTL_DISK_GET_LENGTH_INFO</code> system calls to compute disk size.<span onclick=scrollToRef('scite-355') id="scite-ref-355-a" class="scite-citeref-number" title="Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. 
Retrieved August 6, 2024."data-reference="Mandiant ROADSWEEP August 2022"><sup><a href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank" data-hasqtip="354" aria-describedby="qtip-354">[355]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0230"> S0230 </a> </td> <td> <a href="/software/S0230"> ZeroT </a> </td> <td> <p><a href="/software/S0230">ZeroT</a> gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.<span onclick=scrollToRef('scite-469') id="scite-ref-469-a" class="scite-citeref-number" title="Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018."data-reference="Proofpoint ZeroT Feb 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank" data-hasqtip="468" aria-describedby="qtip-468">[469]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0330"> S0330 </a> </td> <td> <a href="/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/software/S0330">Zeus Panda</a> collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.<span onclick=scrollToRef('scite-470') id="scite-ref-470-a" class="scite-citeref-number" title="Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018."data-reference="Talos Zeus Panda Nov 2017"><sup><a href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank" data-hasqtip="469" aria-describedby="qtip-469">[470]</a></sup></span><span onclick=scrollToRef('scite-471') id="scite-ref-471-a" class="scite-citeref-number" title="Ebach, L. (2017, June 22). 
Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018."data-reference="GDATA Zeus Panda June 2017"><sup><a href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank" data-hasqtip="470" aria-describedby="qtip-470">[471]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/groups/G0128"> G0128 </a> </td> <td> <a href="/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/groups/G0128">ZIRCONIUM</a> has used a tool to capture the processor architecture of a compromised host in order to register it with C2.<span onclick=scrollToRef('scite-472') id="scite-ref-472-a" class="scite-citeref-number" title="Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021."data-reference="Zscaler APT31 Covid-19 October 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="471" aria-describedby="qtip-471">[472]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0086"> S0086 </a> </td> <td> <a href="/software/S0086"> ZLib </a> </td> <td> <p><a href="/software/S0086">ZLib</a> has the ability to enumerate system information.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021."data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0672"> S0672 </a> </td> <td> <a href="/software/S0672"> Zox </a> </td> <td> <p><a href="/software/S0672">Zox</a> can enumerate attached drives.<span onclick=scrollToRef('scite-473') id="scite-ref-473-a" class="scite-citeref-number" title="Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014."data-reference="Novetta-Axiom"><sup><a href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank" data-hasqtip="472" aria-describedby="qtip-472">[473]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0350"> S0350 </a> </td> <td> <a href="/software/S0350"> zwShell </a> </td> <td> <p><a href="/software/S0350">zwShell</a> can obtain the victim PC name and OS version.<span onclick=scrollToRef('scite-474') id="scite-ref-474-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". 
Retrieved February 19, 2018."data-reference="McAfee Night Dragon"><sup><a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="473" aria-describedby="qtip-473">[474]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/software/S0412"> S0412 </a> </td> <td> <a href="/software/S0412"> ZxShell </a> </td> <td> <p><a href="/software/S0412">ZxShell</a> can collect the local hostname, operating system details, CPU speed, and total physical memory.<span onclick=scrollToRef('scite-475') id="scite-ref-475-a" class="scite-citeref-number" title="Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019."data-reference="Talos ZxShell Oct 2014"><sup><a href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank" data-hasqtip="474" aria-describedby="qtip-474">[475]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/software/S1013"> S1013 </a> </td> <td> <a href="/software/S1013"> ZxxZ </a> </td> <td> <p><a href="/software/S1013">ZxxZ</a> has collected the host name and operating system product name from a compromised machine.<span onclick=scrollToRef('scite-476') id="scite-ref-476-a" class="scite-citeref-number" title="Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022."data-reference="Cisco Talos Bitter Bangladesh May 2022"><sup><a href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank" data-hasqtip="475" aria-describedby="qtip-475">[476]</a></sup></span> </p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <p> This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. 
</p> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#OS%20API%20Execution">OS API Execution</a> </td> <td> <p>Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as <a href="/techniques/T1047">Windows Management Instrumentation</a> and <a href="/techniques/T1059/001">PowerShell</a>. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. 
Depending on how the environment is used, that data alone may not be useful, because the same APIs and dashboards are also accessed during benign, normal operations.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0009-Process Creation"> <td></td> <td></td> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.us-cert.gov/ncas/alerts/TA18-106A" target="_blank"> US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/" target="_blank"> Phil Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/" target="_blank"> Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html" target="_blank"> Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://cloud.google.com/compute/docs/reference/rest/v1/instances" target="_blank"> Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get" target="_blank"> Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank"> Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures to victims, payloads to infrastructure. Retrieved June 13, 2022. 
</a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank"> FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" target="_blank"> Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.fortinet.com/blog/threat-research/in-depth-analysis-of-net-malware-javaupdtr.html" target="_blank"> Zhang, X. (2017, June 28). 
In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" target="_blank"> Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.trellix.com/blogs/research/akira-ransomware/" target="_blank"> Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank"> Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank"> Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank"> Grange, W. (2020, July 13). 
Anchor_dns malware goes cross platform. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" target="_blank"> Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. 
</a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank"> Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://recon.cx/2017/montreal/resources/slides/RECON-MTL-2017-evolution_of_pirpi.pdf" target="_blank"> Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" target="_blank"> Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank"> Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. 
</a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/" target="_blank"> Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html" target="_blank"> Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank"> DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank"> Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. 
</a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" target="_blank"> Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank"> Jornet, A. (2021, December 23). 
Snip3, an investigation into malware. Retrieved September 19, 2023. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank"> Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" target="_blank"> Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. 
</a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" target="_blank"> Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank"> Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. 
</a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://vblocalhost.com/uploads/VB2021-Slowik.pdf" target="_blank"> Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank"> FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF" target="_blank"> US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies" target="_blank"> Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank"> Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021. 
</a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank"> Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/" target="_blank"> Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank"> Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank"> Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank"> US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. 
</a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/" target="_blank"> Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://minerva-labs.com/blog/new-black-basta-ransomware-hijacks-windows-fax-service/" target="_blank"> Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://blog.cyble.com/2022/05/06/black-basta-ransomware/" target="_blank"> Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank"> Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf" target="_blank"> F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016. 
</a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/" target="_blank"> Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank"> MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank"> Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. 
</a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/" target="_blank"> MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank"> Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 
</a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank"> Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime" target="_blank"> Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank"> Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://blog.talosintelligence.com/2022/03/threat-advisory-caddywiper.html" target="_blank"> Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. 
Retrieved March 23, 2022. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://blog.malwarebytes.com/threat-intelligence/2022/03/double-header-isaacwiper-and-caddywiper/" target="_blank"> Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper. Retrieved April 11, 2022. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets" target="_blank"> Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank"> Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 
</a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://web.archive.org/web/20231227000328/http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank"> Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank"> McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. 
</a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf" target="_blank"> Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017. 
</a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/" target="_blank"> Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021. 
</a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://technet.microsoft.com/en-us/library/cc755121.aspx" target="_blank"> Microsoft. (n.d.). Dir. Retrieved April 18, 2016. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank"> Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank"> Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://github.com/cobbr/Covenant" target="_blank"> cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024. 
</a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.f-secure.com/documents/996508/1030745/CozyDuke" target="_blank"> F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank"> byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf" target="_blank"> Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://securelist.com/transparent-tribe-part-1/98127/" target="_blank"> Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank"> N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 
</a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://www.kandji.io/blog/malware-cuckoo-infostealer-spyware" target="_blank"> Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://www.sentinelone.com/blog/macos-cuckoo-stealer-ensuring-detection-and-defense-as-new-samples-rapidly-emerge/" target="_blank"> Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain" target="_blank"> Symantec Threat Hunter Team. (2019, September 18). Tortoiseshell Group Targets IT Providers in Saudi Arabia in Probable Supply Chain Attacks. Retrieved May 20, 2024. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://www.mandiant.com/resources/blog/investigating-ivanti-zero-day-exploitation" target="_blank"> Lin, M. et al. (2024, January 31). 
Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://www.welivesecurity.com/en/eset-research/evasive-panda-leverages-monlam-festival-target-tibetans/" target="_blank"> Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET" target="_blank"> TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank"> Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://www.fortinet.com/blog/threat-research/enter-the-darkgate-new-cryptocurrency-mining-and-ransomware-campaign" target="_blank"> Adi Zeligson & Rotem Kerner. (2018, November 13). 
Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank"> Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis. Retrieved March 31, 2021. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank"> Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank"> Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. 
</a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank"> McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" target="_blank"> Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf" target="_blank"> Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider" target="_blank"> Neeamni, D., Rubinfeld, A. (2021, July 1). 
Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank"> ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/" target="_blank"> Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. 
</a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank"> ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.joesandbox.com/analysis/318027/0/html" target="_blank"> Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021. 
</a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank"> NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank"> Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank"> Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. 
</a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank"> Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf" target="_blank"> Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.us-cert.gov/ncas/alerts/TA17-318A" target="_blank"> US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. 
Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank"> Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank"> Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank"> Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. 
(2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank"> Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank"> Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). 
Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank"> Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" target="_blank"> Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/" target="_blank"> Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017. 
</a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank"> Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank"> CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank"> Quinn, J. (2019, March 25). 
The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank"> Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/" target="_blank"> Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://objective-see.com/blog/blog_0x68.html" target="_blank"> Sandvik, Runa. (2021, October 1). 
Made In America: Green Lambert for OS X. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://www.glitch-cat.com/blog/green-lambert-and-attack" target="_blank"> Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" target="_blank"> Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.group-ib.com/blog/grimagent/" target="_blank"> Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank"> Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. 
</a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank"> Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack" target="_blank"> Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/" target="_blank"> Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank"> ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022. 
</a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware" target="_blank"> Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/" target="_blank"> PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. 
</a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank"> US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.us-cert.gov/ncas/analysis-reports/ar20-045d" target="_blank"> US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://www.symantec.com/security_response/writeup.jsp?docid=2010-011114-1830-99" target="_blank"> Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018. 
</a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank"> CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/" target="_blank"> Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://thedfirreport.com/2022/04/25/quantum-ransomware/" target="_blank"> DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" target="_blank"> PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank"> Cybereason Security Research Team. 
(2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies" target="_blank"> Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://dragos.com/blog/crashoverride/CrashOverride-01.pdf" target="_blank"> Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank"> ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. 
</a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank"> Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank"> Windows Defender Advanced Threat Hunting Team. (2016, April 29). 
PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door" target="_blank"> Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank"> Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 
</a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://www.microsoft.com/security/blog/2021/12/06/nickel-targeting-government-organizations-across-latin-america-and-europe" target="_blank"> MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/" target="_blank"> Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://web.archive.org/web/20211129064701/https://www.pwc.co.uk/issues/cyber-security-services/research/the-keyboys-are-back-in-town.html" target="_blank"> Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank"> Guarnieri, C., Schloesser M. 
(2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank"> US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html" target="_blank"> Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank"> Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J and Malhotra, A. 
(2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf" target="_blank"> M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank"> Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b" target="_blank"> Karmi, D. (2020, January 4). 
A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank"> Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. </a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://blog.lumen.com/routers-roasting-on-an-open-firewall-the-kv-botnet-investigation/" target="_blank"> Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank"> Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. 
</a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="https://www.proofpoint.com/us/blog/threat-insight/latrodectus-spider-bytes-ice" target="_blank"> Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank"> Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank"> Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 
</a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="https://web.archive.org/web/20160303200515/https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank"> Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. 
</a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://blog.malwarebytes.com/threat-intelligence/2022/01/north-koreas-lazarus-apt-leverages-windows-update-client-github-in-latest-campaign/" target="_blank"> Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-233" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-233" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-234" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-234" href="https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence" target="_blank"> Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024. 
</a> </span> </span> </li> <li> <span id="scite-235" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-235" href="https://bi-zone.medium.com/from-pentest-to-apt-attack-cybercriminal-group-fin7-disguises-its-malware-as-an-ethical-hackers-c23c9a75e319" target="_blank"> BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022. </a> </span> </span> </li> <li> <span id="scite-236" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-236" href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank"> Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. </a> </span> </span> </li> <li> <span id="scite-237" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-237" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-238" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-238" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 
</a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="239.0"> <li> <span id="scite-239" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-239" href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank"> Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. </a> </span> </span> </li> <li> <span id="scite-240" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-240" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-241" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-241" href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank"> M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. </a> </span> </span> </li> <li> <span id="scite-242" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-242" href="https://www.sentinelone.com/labs/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/" target="_blank"> Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022. </a> </span> </span> </li> <li> <span id="scite-243" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-243" href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank"> Ehrlich, A., et al. (2022, September). 
THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. </a> </span> </span> </li> <li> <span id="scite-244" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-244" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </span> </span> </li> <li> <span id="scite-245" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-245" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-246" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-246" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-247" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-247" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-248" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-248" href="https://blog.scilabs.mx/en/cyber-threat-profile-malteiro/" target="_blank"> SCILabs. (2021, December 23). 
Cyber Threat Profile Malteiro. Retrieved March 13, 2024. </a> </span> </span> </li> <li> <span id="scite-249" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-249" href="https://blog.talosintelligence.com/manjusaka-offensive-framework/" target="_blank"> Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024. </a> </span> </span> </li> <li> <span id="scite-250" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-250" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-251" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-251" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" target="_blank"> Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-252" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-252" href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank"> Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-253" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-253" href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank"> Zhang, X. (2020, February 4). 
Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-254" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-254" href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"> ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. </a> </span> </span> </li> <li> <span id="scite-255" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-255" href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank"> Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-256" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-256" href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank"> Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-257" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-257" href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-258" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-258" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 
</a> </span> </span> </li> <li> <span id="scite-259" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-259" href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank"> Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022. </a> </span> </span> </li> <li> <span id="scite-260" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-260" href="https://web.archive.org/web/20180615122133/https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank"> Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-261" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-261" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-262" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-262" href="https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/" target="_blank"> ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024. </a> </span> </span> </li> <li> <span id="scite-263" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-263" href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank"> Falcone, R. and Miller-Osborn, J.. (2016, January 24). 
Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. </a> </span> </span> </li> <li> <span id="scite-264" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-264" href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank"> Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. </a> </span> </span> </li> <li> <span id="scite-265" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-265" href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. </a> </span> </span> </li> <li> <span id="scite-266" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-266" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-267" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-267" href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank"> Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. 
</a> </span> </span> </li> <li> <span id="scite-268" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-268" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. </a> </span> </span> </li> <li> <span id="scite-269" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-269" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-270" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-270" href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"> Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-271" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-271" href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank"> Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-272" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-272" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. 
Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-273" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-273" href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank"> Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. </a> </span> </span> </li> <li> <span id="scite-274" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-274" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-275" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-275" href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank"> Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-276" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-276" href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank"> Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 
</a> </span> </span> </li> <li> <span id="scite-277" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-277" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99" target="_blank"> Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-278" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-278" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-279" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-279" href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-280" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-280" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-281" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-281" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-282" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-282" href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank"> Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-283" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-283" href="https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/" target="_blank"> McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-284" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-284" href="https://securelist.com/toddycat/106799/" target="_blank"> Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-285" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-285" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-286" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-286" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-287" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-287" href="https://securelist.com/unveiling-nkabuse/111512/" target="_blank"> KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024. </a> </span> </span> </li> <li> <span id="scite-288" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-288" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-289" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-289" href="https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html" target="_blank"> Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. </a> </span> </span> </li> <li> <span id="scite-290" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-290" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. </a> </span> </span> </li> <li> <span id="scite-291" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-291" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). 
Octopus-infested seas of Central Asia. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-292" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-292" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-293" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-293" href="http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/" target="_blank"> Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-294" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-294" href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank"> Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. </a> </span> </span> </li> <li> <span id="scite-295" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-295" href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank"> Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-296" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-296" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-297" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-297" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank"> Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. </a> </span> </span> </li> <li> <span id="scite-298" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-298" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-299" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-299" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 
</a> </span> </span> </li> <li> <span id="scite-300" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-300" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-301" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-301" href="https://blogs.vmware.com/security/2020/02/vmware-carbon-black-tau-threat-analysis-shlayer-macos.html" target="_blank"> Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. </a> </span> </span> </li> <li> <span id="scite-302" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-302" href="https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/" target="_blank"> Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021. </a> </span> </span> </li> <li> <span id="scite-303" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-303" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank"> Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-304" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-304" href="https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html" target="_blank"> Magisa, L. (2020, November 27). 
New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-305" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-305" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99" target="_blank"> Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-306" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-306" href="https://web.archive.org/web/20180825085952/https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank"> Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-307" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-307" href="https://research.checkpoint.com/2020/ransomware-alert-pay2key/" target="_blank"> Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-308" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-308" href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-309" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-309" href="https://www.zscaler.com/blogs/security-research/technical-analysis-pikabot" target="_blank"> Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024. 
</a> </span> </span> </li> <li> <span id="scite-310" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-310" href="https://www.elastic.co/security-labs/pikabot-i-choose-you" target="_blank"> Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024. </a> </span> </span> </li> <li> <span id="scite-311" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-311" href="https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf" target="_blank"> F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-312" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-312" href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank"> Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. </a> </span> </span> </li> <li> <span id="scite-313" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-313" href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank"> Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-314" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-314" href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. 
</a> </span> </span> </li> <li> <span id="scite-315" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-315" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-316" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-316" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank"> Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-317" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-317" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </span> </span> </li> <li> <span id="scite-318" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-318" href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank"> hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-319" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-319" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. 
</a> </span> </span> </li> <li> <span id="scite-320" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-320" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-321" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-321" href="https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/" target="_blank"> Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-322" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-322" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-323" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-323" href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank"> Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. 
</a> </span> </span> </li> <li> <span id="scite-324" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-324" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-325" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-325" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </span> </span> </li> <li> <span id="scite-326" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-326" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-327" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-327" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-328" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-328" href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank"> CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-329" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-329" href="https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot" target="_blank"> Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-330" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-330" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-331" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-331" href="https://github.com/quasar/QuasarRAT" target="_blank"> MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-332" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-332" href="https://medium.com/s2wblog/raccoon-stealer-is-back-with-a-new-version-5f436e04b20d" target="_blank"> S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024. </a> </span> </span> </li> <li> <span id="scite-333" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-333" href="https://blog.sekoia.io/raccoon-stealer-v2-part-2-in-depth-analysis/" target="_blank"> Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024. 
</a> </span> </span> </li> <li> <span id="scite-334" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-334" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-335" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-335" href="https://www.programmersought.com/article/62493896999/" target="_blank"> Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-336" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-336" href="https://threatresearch.ext.hp.com/raspberry-robin-now-spreading-through-windows-script-files/" target="_blank"> Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024. </a> </span> </span> </li> <li> <span id="scite-337" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-337" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank"> Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. 
</a> </span> </span> </li> <li> <span id="scite-338" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-338" href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank"> Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-339" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-339" href="https://web.archive.org/web/20210104144857/https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf" target="_blank"> Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-340" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-340" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank"> Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-341" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-341" href="https://www.group-ib.com/resources/research-hub/red-curl/" target="_blank"> Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024. </a> </span> </span> </li> <li> <span id="scite-342" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-342" href="https://www.group-ib.com/resources/research-hub/red-curl-2/" target="_blank"> Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024. 
</a> </span> </span> </li> <li> <span id="scite-343" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-343" href="http://web.archive.org/web/20220810112638/https:/www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-344" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-344" href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-345" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-345" href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank"> Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. </a> </span> </span> </li> <li> <span id="scite-346" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-346" href="https://securelist.com/sodin-ransomware/91473/" target="_blank"> Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-347" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-347" href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank"> Cylance. 
(2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-348" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-348" href="https://www.secureworks.com/blog/revil-the-gandcrab-connection" target="_blank"> Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-349" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-349" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank"> McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-350" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-350" href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank"> Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-351" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-351" href="https://www.group-ib.com/whitepapers/ransomware-uncovered.html" target="_blank"> Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. 
</a> </span> </span> </li> <li> <span id="scite-352" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-352" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-353" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-353" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-354" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-354" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-355" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-355" href="https://cloud.google.com/blog/topics/threat-intelligence/likely-iranian-threat-actor-conducts-politically-motivated-disruptive-activity-against/" target="_blank"> Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024. 
</a> </span> </span> </li> <li> <span id="scite-356" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-356" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-357" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-357" href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" target="_blank"> Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. </a> </span> </span> </li> <li> <span id="scite-358" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-358" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-359" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-359" href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-360" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-360" href="https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html" target="_blank"> Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. 
Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-361" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-361" href="https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" target="_blank"> GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-362" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-362" href="https://research.nccgroup.com/2018/11/08/rokrat-analysis/" target="_blank"> Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-363" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-363" href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank"> Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-364" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-364" href="https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/" target="_blank"> Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-365" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-365" href="https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/" target="_blank"> Alex Turing, Hui Wang. (2021, April 28). 
RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023. </a> </span> </span> </li> <li> <span id="scite-366" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-366" href="https://www.cybereason.com/blog/royal-ransomware-analysis" target="_blank"> Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-367" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-367" href="https://www.trendmicro.com/en_us/research/23/b/royal-ransomware-expands-attacks-by-targeting-linux-esxi-servers.html" target="_blank"> Morales, N. et al. (2023, February 20). Royal Ransomware Expands Attacks by Targeting Linux ESXi Servers. Retrieved March 30, 2023. </a> </span> </span> </li> <li> <span id="scite-368" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-368" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </span> </span> </li> <li> <span id="scite-369" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-369" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. 
</a> </span> </span> </li> <li> <span id="scite-370" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-370" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-371" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-371" href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank"> Cherepanov, A. (2017, July 4). Analysis of TeleBots’ cunning backdoor. Retrieved June 11, 2020. </a> </span> </span> </li> <li> <span id="scite-372" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-372" href="https://www.justice.gov/opa/press-release/file/1328521/download" target="_blank"> Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. </a> </span> </span> </li> <li> <span id="scite-373" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-373" href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank"> Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-374" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-374" href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank"> Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. 
Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-375" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-375" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank"> Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-376" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-376" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-377" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-377" href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" target="_blank"> Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-378" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-378" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. </a> </span> </span> </li> <li> <span id="scite-379" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-379" href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank"> Ilascu, I. 
(2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. </a> </span> </span> </li> <li> <span id="scite-380" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-380" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-381" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-381" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-382" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-382" href="https://www.rewterz.com/articles/analysis-on-sidewinder-apt-group-covid-19" target="_blank"> Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-383" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-383" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 
</a> </span> </span> </li> <li> <span id="scite-384" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-384" href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank"> Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. </a> </span> </span> </li> <li> <span id="scite-385" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-385" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-386" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-386" href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank"> FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-387" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-387" href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank"> Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. 
</a> </span> </span> </li> <li> <span id="scite-388" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-388" href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank"> Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-389" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-389" href="https://redcanary.com/threat-detection-report/threats/socgholish/" target="_blank"> Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024. </a> </span> </span> </li> <li> <span id="scite-390" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-390" href="https://www.secureworks.com/research/threat-profiles/gold-prelude" target="_blank"> Secureworks. (n.d.). GOLD PRELUDE. Retrieved March 22, 2024. </a> </span> </span> </li> <li> <span id="scite-391" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-391" href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank"> GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. </a> </span> </span> </li> <li> <span id="scite-392" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-392" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). 
Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-393" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-393" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-394" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-394" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-395" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-395" href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank"> Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-396" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-396" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 
</a> </span> </span> </li> <li> <span id="scite-397" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-397" href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank"> Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-398" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-398" href="https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish" target="_blank"> CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-399" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-399" href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank"> Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-400" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-400" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-401" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-401" href="https://www.mandiant.com/resources/telegram-malware-iranian-espionage" target="_blank"> Tomcik, R. et al. (2022, February 24). 
Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022. </a> </span> </span> </li> <li> <span id="scite-402" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-402" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-403" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-403" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-404" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-404" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank"> Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-405" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-405" href="https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" target="_blank"> Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. 
</a> </span> </span> </li> <li> <span id="scite-406" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-406" href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank"> Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. </a> </span> </span> </li> <li> <span id="scite-407" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-407" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-408" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-408" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017. </a> </span> </span> </li> <li> <span id="scite-409" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-409" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 
</a> </span> </span> </li> <li> <span id="scite-410" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-410" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank"> MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. </a> </span> </span> </li> <li> <span id="scite-411" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-411" href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank"> Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. </a> </span> </span> </li> <li> <span id="scite-412" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-412" href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank"> Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-413" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-413" href="https://technet.microsoft.com/en-us/library/bb491007.aspx" target="_blank"> Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-414" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-414" href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank"> Lunghi, D. and Lu, K. (2021, April 9). 
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-415" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-415" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-416" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-416" href="http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/" target="_blank"> Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016. </a> </span> </span> </li> <li> <span id="scite-417" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-417" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. </a> </span> </span> </li> <li> <span id="scite-418" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-418" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank"> USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. </a> </span> </span> </li> <li> <span id="scite-419" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-419" href="https://securelist.com/project-tajmahal/90240/" target="_blank"> GReAT. (2019, April 10). 
Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-420" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-420" href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank"> AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-421" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-421" href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank"> Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. </a> </span> </span> </li> <li> <span id="scite-422" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-422" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-423" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-423" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank"> Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-424" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-424" href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank"> Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 
</a> </span> </span> </li> <li> <span id="scite-425" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-425" href="https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" target="_blank"> Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-426" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-426" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-427" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-427" href="https://eclypsium.com/wp-content/uploads/2020/12/TrickBot-Now-Offers-TrickBoot-Persist-Brick-Profit.pdf" target="_blank"> Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021. </a> </span> </span> </li> <li> <span id="scite-428" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-428" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-429" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-429" href="https://documents.trendmicro.com/assets/wp/wp-operation-tropic-trooper.pdf" target="_blank"> Alintanahin, K. (2015). 
Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-430" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-430" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-431" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-431" href="https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/" target="_blank"> Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021. </a> </span> </span> </li> <li> <span id="scite-432" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-432" href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. </a> </span> </span> </li> <li> <span id="scite-433" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-433" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. 
</a> </span> </span> </li> <li> <span id="scite-434" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-434" href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank"> O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-435" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-435" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank"> US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. </a> </span> </span> </li> <li> <span id="scite-436" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-436" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-437" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-437" href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"> Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. </a> </span> </span> </li> <li> <span id="scite-438" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-438" href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank"> FBI et al. (2023, May 9). 
Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. </a> </span> </span> </li> <li> <span id="scite-439" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-439" href="https://web.archive.org/web/20210719165945/https://www.trendmicro.com/en_us/research/15/c/ursnif-the-multifaceted-malware.html?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank"> Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-440" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-440" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-441" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-441" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-442" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-442" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-443" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-443" href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank"> US-CERT. (2017, November 22). 
Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-444" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-444" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank"> US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-445" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-445" href="https://web.archive.org/web/20181126143456/https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2" target="_blank"> Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-446" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-446" href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" target="_blank"> Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-447" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-447" href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank"> NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. 
</a> </span> </span> </li> <li> <span id="scite-448" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-448" href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank"> Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-449" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-449" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-450" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-450" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-451" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-451" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-452" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-452" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank"> CISA. 
(2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-453" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-453" href="https://blog.talosintelligence.com/2022/01/ukraine-campaign-delivers-defacement.html" target="_blank"> Biasini, N. et al. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022. </a> </span> </span> </li> <li> <span id="scite-454" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-454" href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank"> The BlackBerry Research &amp; Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-455" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-455" href="http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" target="_blank"> Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. </a> </span> </span> </li> <li> <span id="scite-456" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-456" href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank"> Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. 
</a> </span> </span> </li> <li> <span id="scite-457" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-457" href="https://www.domaintools.com/resources/blog/winter-vivern-a-look-at-re-crafted-government-maldocs/" target="_blank"> Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024. </a> </span> </span> </li> <li> <span id="scite-458" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-458" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-459" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-459" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-460" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-460" href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank"> MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. </a> </span> </span> </li> <li> <span id="scite-461" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-461" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/" target="_blank"> Robert Falcone. (2017, February 14). 
XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017. </a> </span> </span> </li> <li> <span id="scite-462" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-462" href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank"> Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. </a> </span> </span> </li> <li> <span id="scite-463" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-463" href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank"> Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-464" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-464" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank"> Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-465" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-465" href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank"> ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. </a> </span> </span> </li> <li> <span id="scite-466" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-466" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. 
(2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-467" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-467" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-468" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-468" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-469" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-469" href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank"> Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. </a> </span> </span> </li> <li> <span id="scite-470" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-470" href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank"> Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-471" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-471" href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank"> Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. 
</a> </span> </span> </li> <li> <span id="scite-472" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-472" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-473" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-473" href="https://web.archive.org/web/20230115144216/http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf" target="_blank"> Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-474" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-474" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-475" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-475" href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank"> Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. 
</a> </span> </span> </li> <li> <span id="scite-476" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener noreferrer" class="external text" name="scite-476" href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank"> Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search-->
