<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>Magic Hound, TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm, Group G0059 | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href='/'><img src="/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse 
alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <!-- !versions banner! --> <div class="container-fluid banner-message"> ATT&CKcon 6.0 returns October 14-15, 2025 in McLean, VA. More details about tickets and our CFP can be found <a href='https://na.eventscloud.com/attackcon6'>here</a> </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/">Home</a></li> <li class="breadcrumb-item"><a href="/groups/">Groups</a></li> <li class="breadcrumb-item">Magic Hound</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Magic Hound </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/groups/G0059">Magic Hound</a> is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. 
They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021."data-reference="Secureworks COBALT ILLUSION Threat Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/cobalt-illusion" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Miller, J. et al. 
(2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021."data-reference="Proofpoint TA453 July2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>G0059 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: Anastasios Pingios; Bryan Lee; Daniyal Naeem, BT Security </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 6.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>16 January 2018 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>10 July 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to 
this version of G0059" href="/versions/v16/groups/G0059/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0059" href="/versions/v16/groups/G0059/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> TA453 </td> <td> <p><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021."data-reference="Proofpoint TA453 March 2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021."data-reference="Proofpoint TA453 July2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. 
Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> COBALT ILLUSION </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021."data-reference="Secureworks COBALT ILLUSION Threat Profile"><sup><a href="https://www.secureworks.com/research/threat-profiles/cobalt-illusion" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> Charming Kitten </td> <td> <p><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017."data-reference="ClearSky Charming Kitten Dec 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021."data-reference="Eweek Newscaster and Charming Kitten May 2014"><sup><a href="https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. 
Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 2 Oct 2019"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021."data-reference="Proofpoint TA453 March 2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> ITG18 </td> <td> <p><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Wikoff, A. Emerson, R. (2020, July 16). 
New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021."data-reference="IBM ITG18 2020"><sup><a href="https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> Phosphorus </td> <td> <p><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Burt, T. (2019, March 27). New steps to protect customers from hacking. Retrieved May 27, 2020."data-reference="Microsoft Phosphorus Mar 2019"><sup><a href="https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021."data-reference="Microsoft Phosphorus Oct 2020"><sup><a href="https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021."data-reference="US District Court of DC Phosphorus Complaint 2019"><sup><a href="https://noticeofpleadings.com/phosphorus/files/Complaint.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. 
Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021."data-reference="Proofpoint TA453 March 2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> Newscaster </td> <td> <p>Link analysis of infrastructure and tools revealed a potential relationship between Magic Hound and the older attack campaign called Newscaster (aka Newscasters).<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> APT35 </td> <td> <p><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. 
Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> Mint Sandstorm </td> <td> <p><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/groups/G0059/G0059-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0059/G0059-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = 
"https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1087">T1087</a> </td> <td> <a href="/techniques/T1087/003">.003</a> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/003">Email Account</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used Powershell to discover email accounts.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098/002">.002</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/002">Additional Email Delegate Permissions</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> granted compromised email accounts read access to the email boxes of additional targeted accounts. 
The group then was able to authenticate to the intended victim's OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1098/007">.007</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/007">Additional Local or Domain Groups</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has added a user named DefaultAccount to the Administrators and Remote Desktop Users groups.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. 
Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1583">T1583</a> </td> <td> <a href="/techniques/T1583/001">.001</a> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1583/006">.006</a> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/006">Web Services</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has acquired Amazon S3 buckets to use in C2.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. 
Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1595">T1595</a> </td> <td> <a href="/techniques/T1595/002">.002</a> </td> <td> <a href="/techniques/T1595">Active Scanning</a>: <a href="/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has conducted widespread scanning to identify public-facing systems vulnerable to CVE-2021-44228 in Log4j; the ProxyShell vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in on-premises MS Exchange Servers; and CVE-2018-13379 in Fortinet FortiOS SSL VPNs.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1071">T1071</a> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used IRC for C2.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1071/001">.001</a> </td> <td> <a href="/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used HTTP for C2.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1560">T1560</a> </td> <td> <a href="/techniques/T1560/001">.001</a> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/001">Archive via Utility</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used gzip to archive dumped LSASS process memory and RAR to stage and compress local folders.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. 
Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used Registry Run keys to establish persistence.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used PowerShell for execution and privilege escalation.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/003">.003</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used the command-line interface for code execution.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/005">.005</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used VBS scripts for execution.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1586">T1586</a> </td> <td> <a href="/techniques/T1586/002">.002</a> </td> <td> <a href="/techniques/T1586">Compromise Accounts</a>: <a href="/techniques/T1586/002">Email Accounts</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. 
Retrieved March 8, 2021."data-reference="IBM ITG18 2020"><sup><a href="https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1584">T1584</a> </td> <td> <a href="/techniques/T1584/001">.001</a> </td> <td> <a href="/techniques/T1584">Compromise Infrastructure</a>: <a href="/techniques/T1584/001">Domains</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used compromised domains to host links targeted to specific phishing victims.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021."data-reference="Proofpoint TA453 July2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. 
Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023."data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1136">T1136</a> </td> <td> <a href="/techniques/T1136/001">.001</a> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has created local accounts named <code>help</code> and <code>DefaultAccount</code> on compromised machines.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1486">T1486</a> </td> <td> <a href="/techniques/T1486">Data Encrypted for Impact</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used BitLocker and DiskCryptor to encrypt targeted workstations. <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1005">T1005</a> </td> <td> <a href="/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1482">T1482</a> </td> <td> <a href="/techniques/T1482">Domain Trust Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used a web shell to execute <code>nltest /trusted_domains</code> to identify trust relationships.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1189">T1189</a> </td> <td> <a href="/techniques/T1189">Drive-by Compromise</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has conducted watering-hole attacks through media and magazine websites.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. 
Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1114">T1114</a> </td> <td> <a href="/techniques/T1114">Email Collection</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has compromised email credentials in order to steal sensitive data.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1114/001">.001</a> </td> <td> <a href="/techniques/T1114/001">Local Email Collection</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has collected .PST archives.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. 
Retrieved July 9, 2018." data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1114/002">.002</a> </td> <td> <a href="/techniques/T1114/002">Remote Email Collection</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has exported emails from compromised Exchange servers including through use of the cmdlet <code>New-MailboxExportRequest</code>.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022." data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023." data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1573">T1573</a> </td> <td> <a href="/techniques/T1573">Encrypted Channel</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used an encrypted HTTP proxy in C2 communications.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023." data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1585">T1585</a> </td> <td> <a href="/techniques/T1585/001">.001</a> </td> <td> <a href="/techniques/T1585">Establish Accounts</a>: <a href="/techniques/T1585/001">Social Media Accounts</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has created fake LinkedIn and other social media accounts to contact targets and convince them — through messages and voice communications — to open malicious links.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021." data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1585/002">.002</a> </td> <td> <a href="/techniques/T1585">Establish Accounts</a>: <a href="/techniques/T1585/002">Email Accounts</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has established email accounts using fake personas for spearphishing operations.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. 
Retrieved March 8, 2021."data-reference="IBM ITG18 2020"><sup><a href="https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021."data-reference="Proofpoint TA453 March 2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1567">T1567</a> </td> <td> <a href="/techniques/T1567">Exfiltration Over Web Service</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used the Telegram API <code>sendMessage</code> to relay data on compromised devices.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. 
Retrieved January 4, 2023." data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1190">T1190</a> </td> <td> <a href="/techniques/T1190">Exploit Public-Facing Application</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has exploited the Log4j utility (CVE-2021-44228), on-premises MS Exchange servers via "ProxyShell" (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207), and FortiOS SSL VPNs (CVE-2018-13379).<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022." data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022." data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. 
Retrieved June 1, 2022."data-reference="Cybereason PowerLess February 2022"><sup><a href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. 
Retrieved December 7, 2023." data-reference="Microsoft Log4j Vulnerability Exploitation December 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1083">T1083</a> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware can list a victim's logical drives and their type, as well as the total/free space of the fixed devices. Other malware can list a directory's contents.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017." data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1592">T1592</a> </td> <td> <a href="/techniques/T1592/002">.002</a> </td> <td> <a href="/techniques/T1592">Gather Victim Host Information</a>: <a href="/techniques/T1592/002">Software</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has captured the user-agent strings from visitors to their phishing sites.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. 
Retrieved January 4, 2023."data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1589">T1589</a> </td> <td> <a href="/techniques/T1589">Gather Victim Identity Information</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has acquired mobile phone numbers of potential targets, possibly for mobile malware or additional phishing operations.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021."data-reference="Proofpoint TA453 July2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1589/001">.001</a> </td> <td> <a href="/techniques/T1589/001">Credentials</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> gathered credentials from two victims that they then attempted to validate across 75 different websites. <a href="/groups/G0059">Magic Hound</a> has also collected credentials from over 900 Fortinet VPN servers in the US, Europe, and Israel.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Wikoff, A. Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. 
Retrieved March 8, 2021." data-reference="IBM ITG18 2020"><sup><a href="https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023." data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1589/002">.002</a> </td> <td> <a href="/techniques/T1589/002">Email Addresses</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has identified high-value email accounts in academia, journalism, NGOs, foreign policy, and national security for targeting.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021." data-reference="Proofpoint TA453 July2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. 
Retrieved January 4, 2023."data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1590">T1590</a> </td> <td> <a href="/techniques/T1590/005">.005</a> </td> <td> <a href="/techniques/T1590">Gather Victim Network Information</a>: <a href="/techniques/T1590/005">IP Addresses</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has captured the IP addresses of visitors to their phishing sites.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023."data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1591">T1591</a> </td> <td> <a href="/techniques/T1591/001">.001</a> </td> <td> <a href="/techniques/T1591">Gather Victim Org Information</a>: <a href="/techniques/T1591/001">Determine Physical Locations</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has collected location information from visitors to their phishing sites.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. 
Retrieved January 4, 2023."data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1564">T1564</a> </td> <td> <a href="/techniques/T1564/003">.003</a> </td> <td> <a href="/techniques/T1564">Hide Artifacts</a>: <a href="/techniques/T1564/003">Hidden Window</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has disabled LSA protection on compromised hosts using <code>"reg" add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f</code>.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. 
Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has disabled antivirus services on targeted systems in order to upload malicious payloads.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/002">.002</a> </td> <td> <a href="/techniques/T1562/002">Disable Windows Event Logging</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has executed scripts to disable the event log service.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/004">.004</a> </td> <td> <a href="/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has added the following rule to a victim's Windows firewall to allow RDP traffic - <code>"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389</code>.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070/003">.003</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/003">Clear Command History</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has removed mailbox export requests from compromised Exchange servers.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/004">.004</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has deleted and overwritten files to cover its tracks.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1105">T1105</a> </td> <td> <a href="/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has downloaded additional code and files from servers onto victims.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). 
APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1056">T1056</a> </td> <td> <a href="/techniques/T1056/001">.001</a> </td> <td> <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/001">Keylogging</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware is capable of keylogging.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1570">T1570</a> </td> <td> <a href="/techniques/T1570">Lateral Tool Transfer</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has copied tools within a compromised network using RDP.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036/004">.004</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has named a malicious script CacheTask.bat to mimic a legitimate task.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used <code>dllhost.exe</code> to mask Fast Reverse Proxy (FRP) and <code>MicrosoftOutLookUpdater.exe</code> for Plink.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/010">.010</a> </td> <td> <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/010">Masquerade Account Name</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has created local accounts named <code>help</code> and <code>DefaultAccount</code> on compromised machines.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1112">T1112</a> </td> <td> <a href="/techniques/T1112">Modify Registry</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has modified Registry settings for security tools.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1046">T1046</a> </td> <td> <a href="/techniques/T1046">Network Service Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used KPortScan 3.0 to perform SMB, RDP, and LDAP scanning.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1571">T1571</a> </td> <td> <a href="/techniques/T1571">Non-Standard Port</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has communicated with its C2 server over TCP ports 4443 and 10151 using HTTP.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027/010">.010</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/010">Command Obfuscation</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used base64-encoded commands.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/013">.013</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used base64-encoded files and has also encrypted embedded strings with AES.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1588">T1588</a> </td> <td> <a href="/techniques/T1588/002">.002</a> </td> <td> <a href="/techniques/T1588">Obtain Capabilities</a>: <a href="/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has obtained and used tools like <a href="/software/S0224">Havij</a>, <a href="/software/S0225">sqlmap</a>, Metasploit, <a href="/software/S0002">Mimikatz</a>, and Plink.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018."data-reference="Check Point Rocket Kitten"><sup><a href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. 
Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1003">T1003</a> </td> <td> <a href="/techniques/T1003/001">.001</a> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has stolen domain credentials by dumping LSASS process memory with Task Manager and comsvcs.dll, and by running <a href="/software/S0002">Mimikatz</a> on a Microsoft Active Directory Domain Controller.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. 
Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1566">T1566</a> </td> <td> <a href="/techniques/T1566/002">.002</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has sent malicious links through email to victims. In some cases the URLs were shortened or led to Word documents with malicious macros that executed PowerShell scripts to download <a href="/software/S0192">Pupy</a>.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017."data-reference="Secureworks Cobalt Gypsy Feb 2017"><sup><a href="https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. 
(2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1566/003">.003</a> </td> <td> <a href="/techniques/T1566">Phishing</a>: <a href="/techniques/T1566/003">Spearphishing via Service</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> used various social media channels (such as LinkedIn) as well as messaging services (such as WhatsApp) to spearphish victims.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018."data-reference="SecureWorks Mia Ash July 2017"><sup><a href="https://www.secureworks.com/research/the-curious-case-of-mia-ash" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Burt, T. (2019, March 27). New steps to protect customers from hacking. 
Retrieved May 27, 2020."data-reference="Microsoft Phosphorus Mar 2019"><sup><a href="https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1598">T1598</a> </td> <td> <a href="/techniques/T1598/003">.003</a> </td> <td> <a href="/techniques/T1598">Phishing for Information</a>: <a href="/techniques/T1598/003">Spearphishing Link</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used SMS and email messages with links designed to steal credentials or track victims.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. 
Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021."data-reference="Proofpoint TA453 March 2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021."data-reference="Proofpoint TA453 July2021"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023."data-reference="Google Iran Threats October 2021"><sup><a href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. 
Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1057">T1057</a> </td> <td> <a href="/techniques/T1057">Process Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware can list running processes.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1572">T1572</a> </td> <td> <a href="/techniques/T1572">Protocol Tunneling</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used Plink to tunnel RDP over SSH.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1090">T1090</a> </td> <td> <a href="/techniques/T1090">Proxy</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used Fast Reverse Proxy (FRP) for RDP traffic.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021/001">.001</a> </td> <td> <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/001">Remote Desktop Protocol</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used Remote Desktop Services to copy tools on targeted systems.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). 
Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1018">T1018</a> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used <a href="/software/S0097">Ping</a> for discovery on targeted networks.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1053">T1053</a> </td> <td> <a href="/techniques/T1053/005">.005</a> </td> <td> <a href="/techniques/T1053">Scheduled Task/Job</a>: <a href="/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used scheduled tasks to establish persistence and execution.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. 
Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1113">T1113</a> </td> <td> <a href="/techniques/T1113">Screen Capture</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware can take a screenshot and upload the file to its C2 server.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1505">T1505</a> </td> <td> <a href="/techniques/T1505/003">.003</a> </td> <td> <a href="/techniques/T1505">Server Software Component</a>: <a href="/techniques/T1505/003">Web Shell</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used multiple web shells to gain execution.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1218">T1218</a> </td> <td> <a href="/techniques/T1218/011">.011</a> </td> <td> <a href="/techniques/T1218">System Binary Proxy Execution</a>: <a href="/techniques/T1218/011">Rundll32</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1082">T1082</a> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1016">T1016</a> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware gathers the victim's local IP address, MAC address, and external IP address.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1016/001">.001</a> </td> <td> <a href="/techniques/T1016/001">Internet Connection Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has conducted a network call out to a specific website as part of their initial discovery activity.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1016/002">.002</a> </td> <td> <a href="/techniques/T1016/002">Wi-Fi Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has collected names and passwords of all Wi-Fi networks to which a device has previously connected.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1049">T1049</a> </td> <td> <a href="/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used quser.exe to identify existing RDP connections.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. 
Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1033">T1033</a> </td> <td> <a href="/techniques/T1033">System Owner/User Discovery</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware has obtained the victim username and sent it to the C2 server.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1204">T1204</a> </td> <td> <a href="/techniques/T1204/001">.001</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has attempted to lure victims into opening malicious links embedded in emails.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. 
Retrieved May 3, 2021."data-reference="Certfa Charming Kitten January 2021"><sup><a href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1204/002">.002</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has attempted to lure victims into opening malicious email attachments.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021."data-reference="ClearSky Kittens Back 3 August 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1078">T1078</a> </td> <td> <a href="/techniques/T1078/001">.001</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/001">Default Accounts</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> enabled and used the default system managed account, DefaultAccount, via <code>"powershell.exe" /c net user DefaultAccount /active:yes</code> to connect to a targeted Exchange server over RDP.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1078/002">.002</a> </td> <td> <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/002">Domain Accounts</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used domain administrator accounts after dumping LSASS process memory.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1102">T1102</a> </td> <td> <a href="/techniques/T1102/002">.002</a> </td> <td> <a href="/techniques/T1102">Web Service</a>: <a href="/techniques/T1102/002">Bidirectional Communication</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> malware can use a SOAP Web service to communicate with its C2 server.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. 
Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1047">T1047</a> </td> <td> <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> <td> <p><a href="/groups/G0059">Magic Hound</a> has used a tool to run <code>cmd /c wmic computersystem get domain</code> for discovery.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0674">S0674</a> </td> <td> <a href="/software/S0674">CharmPower</a> </td> <td> <span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. 
Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1132">Data Encoding</a>: <a href="/techniques/T1132/001">Standard Encoding</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/techniques/T1048/003">Exfiltration Over Unencrypted Non-C2 Protocol</a>, <a href="/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/techniques/T1008">Fallback Channels</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1112">Modify Registry</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1113">Screen Capture</a>, <a href="/techniques/T1518">Software Discovery</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1102">Web Service</a>: <a 
href="/techniques/T1102/001">Dead Drop Resolver</a>, <a href="/techniques/T1102">Web Service</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0186">S0186</a> </td> <td> <a href="/software/S0186">DownPaper</a> </td> <td> <span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017."data-reference="ClearSky Charming Kitten Dec 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a>, <a href="/techniques/T1012">Query Registry</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a> </td> </tr> <tr> <td> <a href="/software/S1144">S1144</a> </td> <td> <a href="/software/S1144">FRP</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/007">JavaScript</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/techniques/T1046">Network Service Discovery</a>, <a href="/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/techniques/T1572">Protocol Tunneling</a>, <a href="/techniques/T1090">Proxy</a>, <a href="/techniques/T1090">Proxy</a>: <a href="/techniques/T1090/003">Multi-hop Proxy</a>, <a href="/techniques/T1049">System Network Connections Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0357">S0357</a> </td> <td> <a href="/software/S0357">Impacket</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/techniques/T1040">Network Sniffing</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/003">NTDS</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/003">Kerberoasting</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/005">Ccache Files</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/software/S0100">S0100</a> </td> <td> <a href="/software/S0100">ipconfig</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). 
Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0002">S0002</a> </td> <td> <a href="/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/005">SID-History Injection</a>, <a href="/techniques/T1098">Account Manipulation</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/005">Security Support Provider</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/004">Windows Credential Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/006">DCSync</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/002">Security Account Manager</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1207">Rogue Domain Controller</a>, <a 
href="/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/001">Golden Ticket</a>, <a href="/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/techniques/T1558/002">Silver Ticket</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/002">Pass the Hash</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/software/S0039">S0039</a> </td> <td> <a href="/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/002">Domain Account</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/007">Additional Local or Domain Groups</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1201">Password Policy Discovery</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/002">Domain Groups</a>, <a href="/techniques/T1069">Permission Groups Discovery</a>: <a href="/techniques/T1069/001">Local Groups</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1018">Remote System Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1007">System Service Discovery</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0108">S0108</a> </td> <td> <a href="/software/S0108">netsh</a> </td> <td> <span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). 
APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </td> <td> <a href="/techniques/T1546">Event Triggered Execution</a>: <a href="/techniques/T1546/007">Netsh Helper DLL</a>, <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/004">Disable or Modify System Firewall</a>, <a href="/techniques/T1090">Proxy</a>, <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a> </td> </tr> <tr> <td> <a href="/software/S0097">S0097</a> </td> <td> <a href="/software/S0097">Ping</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1018">Remote System Discovery</a> </td> </tr> <tr> <td> <a href="/software/S1012">S1012</a> </td> <td> <a href="/software/S1012">PowerLess</a> </td> <td> <span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. 
Retrieved June 1, 2022."data-reference="Cybereason PowerLess February 2022"><sup><a href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span> </td> <td> <a href="/techniques/T1560">Archive Collected Data</a>, <a href="/techniques/T1217">Browser Information Discovery</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1005">Data from Local System</a>, <a href="/techniques/T1074">Data Staged</a>: <a href="/techniques/T1074/001">Local Data Staging</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1573">Encrypted Channel</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/001">Keylogging</a> </td> </tr> <tr> <td> <a href="/software/S0029">S0029</a> </td> <td> <a href="/software/S0029">PsExec</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. 
Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a>, <a href="/techniques/T1570">Lateral Tool Transfer</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a> </td> </tr> <tr> <td> <a href="/software/S0192">S0192</a> </td> <td> <a href="/software/S0192">Pupy</a> </td> <td> <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018."data-reference="FireEye APT35 2018"><sup><a href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. 
Retrieved December 27, 2017."data-reference="Secureworks Cobalt Gypsy Feb 2017"><sup><a href="https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span> </td> <td> <a href="/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/techniques/T1548/002">Bypass User Account Control</a>, <a href="/techniques/T1134">Access Token Manipulation</a>: <a href="/techniques/T1134/001">Token Impersonation/Theft</a>, <a href="/techniques/T1087">Account Discovery</a>: <a href="/techniques/T1087/001">Local Account</a>, <a href="/techniques/T1557">Adversary-in-the-Middle</a>: <a href="/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/techniques/T1071">Application Layer Protocol</a>: <a href="/techniques/T1071/001">Web Protocols</a>, <a href="/techniques/T1560">Archive Collected Data</a>: <a href="/techniques/T1560/001">Archive via Utility</a>, <a href="/techniques/T1123">Audio Capture</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/013">XDG Autostart Entries</a>, <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/006">Python</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/002">Domain Account</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/002">Systemd Service</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a 
href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1114">Email Collection</a>: <a href="/techniques/T1114/001">Local Email Collection</a>, <a href="/techniques/T1573">Encrypted Channel</a>: <a href="/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/techniques/T1083">File and Directory Discovery</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/001">Clear Windows Event Logs</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1056">Input Capture</a>: <a href="/techniques/T1056/001">Keylogging</a>, <a href="/techniques/T1046">Network Service Discovery</a>, <a href="/techniques/T1135">Network Share Discovery</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/005">Cached Domain Credentials</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1057">Process Discovery</a>, <a href="/techniques/T1055">Process Injection</a>: <a href="/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/techniques/T1113">Screen Capture</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1016">System Network Configuration Discovery</a>, <a href="/techniques/T1049">System Network Connections Discovery</a>, <a href="/techniques/T1033">System Owner/User Discovery</a>, <a href="/techniques/T1569">System Services</a>: <a href="/techniques/T1569/002">Service Execution</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a 
href="/techniques/T1550/003">Pass the Ticket</a>, <a href="/techniques/T1125">Video Capture</a>, <a href="/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/techniques/T1497/001">System Checks</a> </td> </tr> <tr> <td> <a href="/software/S0096">S0096</a> </td> <td> <a href="/software/S0096">Systeminfo</a> </td> <td> <span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf" target="_blank"> Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf" target="_blank"> ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://blog.certfa.com/posts/charming-kitten-christmas-gift/" target="_blank"> Certfa Labs. 
(2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.secureworks.com/research/threat-profiles/cobalt-illusion" target="_blank"> Secureworks. (n.d.). COBALT ILLUSION Threat Profile. Retrieved April 14, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453" target="_blank"> Miller, J. et al. (2021, July 13). Operation SpoofedScholars: A Conversation with TA453. Retrieved August 18, 2021. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential" target="_blank"> Miller, J. et al. (2021, March 30). BadBlood: TA453 Targets US and Israeli Medical Research Personnel in Credential Phishing Campaigns. Retrieved May 4, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 
</a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank"> ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering" target="_blank"> Kerner, S. (2014, May 29). Newscaster Threat Uses Social Media for Intelligence Gathering. Retrieved April 14, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf" target="_blank"> ClearSky Research Team. (2019, October 1). The Kittens Are Back in Town 2 - Charming Kitten Campaign Keeps Going on, Using New Impersonation Methods. Retrieved April 21, 2021. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/" target="_blank"> Wikoff, A. and Emerson, R. (2020, July 16). New Research Exposes Iranian Threat Group Operations. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/" target="_blank"> Burt, T. (2019, March 27). New steps to protect customers from hacking. 
Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/" target="_blank"> Burt, T. (2020, October 28). Cyberattacks target international conference attendees. Retrieved March 8, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="14"> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://noticeofpleadings.com/phosphorus/files/Complaint.pdf" target="_blank"> US District Court of DC. (2019, March 14). MICROSOFT CORPORATION v. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank"> Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. 
</a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://blog.google/threat-analysis-group/countering-threats-iran/" target="_blank"> Bash, A. (2021, October 14). Countering threats from Iran. Retrieved January 4, 2023. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.cybereason.com/blog/research/powerless-trojan-iranian-apt-phosphorus-adds-new-powershell-backdoor-for-espionage" target="_blank"> Cybereason Nocturnus. (2022, February 1). 
PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.microsoft.com/en-us/security/blog/2021/12/11/guidance-for-preventing-detecting-and-hunting-for-cve-2021-44228-log4j-2-exploitation/" target="_blank"> Microsoft Threat Intelligence. (2021, December 11). Guidance for preventing, detecting, and hunting for exploitation of the Log4j 2 vulnerability. Retrieved December 7, 2023. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf" target="_blank"> Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations" target="_blank"> Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.secureworks.com/research/the-curious-case-of-mia-ash" target="_blank"> Counter Threat Unit Research Team. (2017, July 27). The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets. Retrieved February 26, 2018. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>