<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>Obfuscated Files or Information: Software Packing, Sub-technique T1027.002 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a></li> <li class="breadcrumb-item">Software Packing</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Obfuscated Files or Information:</span> Software Packing </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Obfuscated Files or Information (14)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/techniques/T1027/001/" class="subtechnique-table-item" data-subtechnique_id="T1027.001"> T1027.001 </a> </td> <td> <a href="/versions/v16/techniques/T1027/001/" class="subtechnique-table-item" data-subtechnique_id="T1027.001"> Binary Padding </a> </td> </tr> <tr> <td class="active"> T1027.002 </td> <td class="active"> Software Packing </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/003/" class="subtechnique-table-item" data-subtechnique_id="T1027.003"> T1027.003 </a> </td> <td> <a href="/versions/v16/techniques/T1027/003/" class="subtechnique-table-item" data-subtechnique_id="T1027.003"> Steganography </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/004/" class="subtechnique-table-item" data-subtechnique_id="T1027.004"> T1027.004 </a> </td> <td> <a href="/versions/v16/techniques/T1027/004/" class="subtechnique-table-item" data-subtechnique_id="T1027.004"> Compile After Delivery </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/005/" class="subtechnique-table-item" data-subtechnique_id="T1027.005"> T1027.005 </a> </td> <td> <a href="/versions/v16/techniques/T1027/005/" class="subtechnique-table-item" data-subtechnique_id="T1027.005"> Indicator Removal from Tools </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/006/" class="subtechnique-table-item" data-subtechnique_id="T1027.006"> T1027.006 </a> </td> <td> <a href="/versions/v16/techniques/T1027/006/" class="subtechnique-table-item" data-subtechnique_id="T1027.006"> HTML Smuggling </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/007/" class="subtechnique-table-item" data-subtechnique_id="T1027.007"> T1027.007 </a> </td> <td> <a href="/versions/v16/techniques/T1027/007/" class="subtechnique-table-item" data-subtechnique_id="T1027.007"> Dynamic API Resolution </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/008/" class="subtechnique-table-item" data-subtechnique_id="T1027.008"> T1027.008 </a> </td> <td> <a href="/versions/v16/techniques/T1027/008/" class="subtechnique-table-item" data-subtechnique_id="T1027.008"> Stripped Payloads </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/009/" class="subtechnique-table-item" data-subtechnique_id="T1027.009"> T1027.009 </a> </td> <td> <a href="/versions/v16/techniques/T1027/009/" class="subtechnique-table-item" data-subtechnique_id="T1027.009"> Embedded Payloads </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/010/" class="subtechnique-table-item" data-subtechnique_id="T1027.010"> T1027.010 </a> </td> <td> <a href="/versions/v16/techniques/T1027/010/" class="subtechnique-table-item" data-subtechnique_id="T1027.010"> Command Obfuscation </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/011/" class="subtechnique-table-item" data-subtechnique_id="T1027.011"> T1027.011 </a> </td> <td> <a href="/versions/v16/techniques/T1027/011/" class="subtechnique-table-item" data-subtechnique_id="T1027.011"> Fileless Storage </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/012/" class="subtechnique-table-item" data-subtechnique_id="T1027.012"> T1027.012 </a> </td> <td> <a href="/versions/v16/techniques/T1027/012/" class="subtechnique-table-item" data-subtechnique_id="T1027.012"> LNK Icon Smuggling </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/013/" class="subtechnique-table-item" data-subtechnique_id="T1027.013"> T1027.013 </a> </td> <td> <a href="/versions/v16/techniques/T1027/013/" class="subtechnique-table-item" data-subtechnique_id="T1027.013"> Encrypted/Encoded File </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/014/" class="subtechnique-table-item" data-subtechnique_id="T1027.014"> T1027.014 </a> </td> <td> <a href="/versions/v16/techniques/T1027/014/" class="subtechnique-table-item" data-subtechnique_id="T1027.014"> Polymorphic Code </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019."data-reference="ESET FinFisher Jan 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> </p><p>Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022."data-reference="Awesome Executable Packing">^{<a href="https://github.com/dhondta/awesome-executable-packing" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span> </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1027.002 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/versions/v16/techniques/T1027">T1027</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v16/tactics/TA0005">Defense Evasion</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed:&nbsp;</span>Anti-virus, Heuristic detection, Signature-based detection </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Filip Kafka, ESET </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>05 February 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>30 March 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1027.002" href="/versions/v16/techniques/T1027/002/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1027.002" href="/techniques/T1027/002/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/campaigns/C0025"> C0025 </a> </td> <td> <a href="/versions/v16/campaigns/C0025"> 2016 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, <a href="/versions/v16/groups/G0034">Sandworm Team</a> used UPX to pack a copy of <a href="/versions/v16/software/S0002">Mimikatz</a>.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018">^{<a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0504"> S0504 </a> </td> <td> <a href="/versions/v16/software/S0504"> Anchor </a> </td> <td> <p><a href="/versions/v16/software/S0504">Anchor</a> has come with a packed payload.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1007"> G1007 </a> </td> <td> <a href="/versions/v16/groups/G1007"> Aoqin Dragon </a> </td> <td> <p><a href="/versions/v16/groups/G1007">Aoqin Dragon</a> has used the Themida packer to obfuscate malicious payloads.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022">^{<a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0622"> S0622 </a> </td> <td> <a href="/versions/v16/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/versions/v16/software/S0622">AppleSeed</a> has used UPX packers for its payload DLL.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021">^{<a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v16/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v16/groups/G0016">APT29</a> used UPX to pack files.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach">^{<a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v16/groups/G0022"> APT3 </a> </td> <td> <p><a href="/versions/v16/groups/G0022">APT3</a> has been known to pack their tools.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018."data-reference="APT3 Adversary Emulation Plan">^{<a href="https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016."data-reference="FireEye Clandestine Wolf">^{<a href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0082"> G0082 </a> </td> <td> <a href="/versions/v16/groups/G0082"> APT38 </a> </td> <td> <p><a href="/versions/v16/groups/G0082">APT38</a> has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018."data-reference="FireEye APT38 Oct 2018">^{<a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v16/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v16/groups/G0087">APT39</a> has packed tools with UPX, and has repacked a modified version of <a href="/versions/v16/software/S0002">Mimikatz</a> to thwart anti-virus detection.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."data-reference="FireEye APT39 Jan 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."data-reference="BitDefender Chafer May 2020">^{<a href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v16/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v16/groups/G0096">APT41</a> uses packers such as Themida to obfuscate malicious files.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024."data-reference="Rostovcev APT41 2021">^{<a href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v16/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v16/software/S0373">Astaroth</a> uses a software packer called Pe123\RPolyCryptor.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019."data-reference="Cybereason Astaroth Feb 2019">^{<a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0638"> S0638 </a> </td> <td> <a href="/versions/v16/software/S0638"> Babuk </a> </td> <td> <p>Versions of <a href="/versions/v16/software/S0638">Babuk</a> have been packed.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021."data-reference="Sogeti CERT ESEC Babuk March 2021">^{<a href="https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021."data-reference="McAfee Babuk February 2021">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021."data-reference="Medium Babuk February 2021">^{<a href="https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v16/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v16/software/S0534">Bazar</a> has a variant with a packed payload.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020">^{<a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020."data-reference="Zscaler Bazar September 2020">^{<a href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0268"> S0268 </a> </td> <td> <a href="/versions/v16/software/S0268"> Bisonal </a> </td> <td> <p><a href="/versions/v16/software/S0268">Bisonal</a> has used the MPRESS packer and similar tools for obfuscation.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022."data-reference="Talos Bisonal Mar 2020">^{<a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0520"> S0520 </a> </td> <td> <a href="/versions/v16/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/versions/v16/software/S0520">BLINDINGCAN</a> has been packed with the UPX packer.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020."data-reference="US-CERT BLINDINGCAN Aug 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0017"> C0017 </a> </td> <td> <a href="/versions/v16/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/versions/v16/groups/G0096">APT41</a> used VMProtect to slow the reverse engineering of malicious binaries.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022."data-reference="Mandiant APT41">^{<a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0020"> S0020 </a> </td> <td> <a href="/versions/v16/software/S0020"> China Chopper </a> </td> <td> <p><a href="/versions/v16/software/S0020">China Chopper</a>'s client component is packed with UPX.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015."data-reference="Lee 2013">^{<a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0611"> S0611 </a> </td> <td> <a href="/versions/v16/software/S0611"> Clop </a> </td> <td> <p><a href="/versions/v16/software/S0611">Clop</a> has been packed to help avoid detection.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021."data-reference="Mcafee Clop Aug 2019">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021."data-reference="Cybereason Clop Dec 2020">^{<a href="https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1105"> S1105 </a> </td> <td> <a href="/versions/v16/software/S1105"> COATHANGER </a> </td> <td> <p>The first stage of <a href="/versions/v16/software/S1105">COATHANGER</a> is delivered as a packed file.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024."data-reference="NCSC-NL COATHANGER Feb 2024">^{<a href="https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0614"> S0614 </a> </td> <td> <a href="/versions/v16/software/S0614"> CostaBricks </a> </td> <td> <p><a href="/versions/v16/software/S0614">CostaBricks</a> can implement a custom-built virtual machine mechanism to obfuscate its code.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020">^{<a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0527"> S0527 </a> </td> <td> <a href="/versions/v16/software/S0527"> CSPY Downloader </a> </td> <td> <p><a href="/versions/v16/software/S0527">CSPY Downloader</a> has been packed with UPX.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020">^{<a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0625"> S0625 </a> </td> <td> <a href="/versions/v16/software/S0625"> Cuba </a> </td> <td> <p><a href="/versions/v16/software/S0625">Cuba</a> has a packed payload when delivered.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021."data-reference="McAfee Cuba April 2021">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0070"> G0070 </a> </td> <td> <a href="/versions/v16/groups/G0070"> Dark Caracal </a> </td> <td> <p><a href="/versions/v16/groups/G0070">Dark Caracal</a> has used UPX to pack <a href="/versions/v16/software/S0234">Bandook</a>.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018."data-reference="Lookout Dark Caracal Jan 2018">^{<a href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0334"> S0334 </a> </td> <td> <a href="/versions/v16/software/S0334"> DarkComet </a> </td> <td> <p><a href="/versions/v16/software/S0334">DarkComet</a> has the option to compress its payload using UPX or MPRESS.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018."data-reference="Malwarebytes DarkComet March 2018">^{<a href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0187"> S0187 </a> </td> <td> <a href="/versions/v16/software/S0187"> Daserf </a> </td> <td> <p>A version of <a href="/versions/v16/software/S0187">Daserf</a> uses the MPRESS packer.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017."data-reference="Trend Micro Daserf Nov 2017">^{<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0281"> S0281 </a> </td> <td> <a href="/versions/v16/software/S0281"> Dok </a> </td> <td> <p><a href="/versions/v16/software/S0281">Dok</a> is packed with an UPX executable packer.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021."data-reference="hexed osx.dok analysis 2019">^{<a href="http://www.hexed.in/2019/07/osxdok-analysis.html" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0695"> S0695 </a> </td> <td> <a href="/versions/v16/software/S0695"> Donut </a> </td> <td> <p><a href="/versions/v16/software/S0695">Donut</a> can generate packed code modules.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="TheWover. (2019, May 9). donut. Retrieved March 25, 2022."data-reference="Donut Github">^{<a href="https://github.com/TheWover/donut" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0694"> S0694 </a> </td> <td> <a href="/versions/v16/software/S0694"> DRATzarus </a> </td> <td> <p><a href="/versions/v16/software/S0694">DRATzarus</a>'s dropper can be packed with UPX.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020">^{<a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0024"> S0024 </a> </td> <td> <a href="/versions/v16/software/S0024"> Dyre </a> </td> <td> <p><a href="/versions/v16/software/S0024">Dyre</a> has been delivered with encrypted resources and must be unpacked for execution.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020."data-reference="Malwarebytes Dyreza November 2015">^{<a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0554"> S0554 </a> </td> <td> <a href="/versions/v16/software/S0554"> Egregor </a> </td> <td> <p><a href="/versions/v16/software/S0554">Egregor</a>'s payloads are custom-packed, archived and encrypted to prevent analysis.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020."data-reference="NHS Digital Egregor Nov 2020">^{<a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020."data-reference="Cyble Egregor Oct 2020">^{<a href="https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0066"> G0066 </a> </td> <td> <a href="/versions/v16/groups/G0066"> Elderwood </a> </td> <td> <p><a href="/versions/v16/groups/G0066">Elderwood</a> has packed malware payloads before delivery to victims.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018."data-reference="Symantec Elderwood Sept 2012">^{<a href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v16/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v16/software/S0367">Emotet</a> has used custom packers to protect its payloads.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019."data-reference="Trend Micro Emotet Jan 2019">^{<a href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0512"> S0512 </a> </td> <td> <a href="/versions/v16/software/S0512"> FatDuke </a> </td> <td> <p><a href="/versions/v16/software/S0512">FatDuke</a> has been regularly repacked by its operators to create large binaries and evade detection.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0182"> S0182 </a> </td> <td> <a href="/versions/v16/software/S0182"> FinFisher </a> </td> <td> <p>A <a href="/versions/v16/software/S0182">FinFisher</a> variant uses a custom packer.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="FinFisher. (n.d.). Retrieved September 12, 2024."data-reference="FinFisher Citation">^{<a href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018."data-reference="Securelist BlackOasis Oct 2017">^{<a href="https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0628"> S0628 </a> </td> <td> <a href="/versions/v16/software/S0628"> FYAnti </a> </td> <td> <p><a href="/versions/v16/software/S0628">FYAnti</a> has used ConfuserEx to pack its .NET module.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021."data-reference="Securelist APT10 March 2021">^{<a href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v16/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v16/groups/G0093">GALLIUM</a> packed some payloads using different types of packers, both known and custom.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019">^{<a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v16/software/S0588"> GoldMax </a> </td> <td> <p><a href="/versions/v16/software/S0588">GoldMax</a> has been packed for obfuscation.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021."data-reference="FireEye SUNSHUTTLE Mar 2021">^{<a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0342"> S0342 </a> </td> <td> <a href="/versions/v16/software/S0342"> GreyEnergy </a> </td> <td> <p><a href="/versions/v16/software/S0342">GreyEnergy</a> is packed for obfuscation.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0132"> S0132 </a> </td> <td> <a href="/versions/v16/software/S0132"> H1N1 </a> </td> <td> <p><a href="/versions/v16/software/S0132">H1N1</a> uses a custom packing algorithm.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016."data-reference="Cisco H1N1 Part 1">^{<a href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0601"> S0601 </a> </td> <td> <a href="/versions/v16/software/S0601"> Hildegard </a> </td> <td> <p><a href="/versions/v16/software/S0601">Hildegard</a> has packed ELF files into other binaries.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware">^{<a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0431"> S0431 </a> </td> <td> <a href="/versions/v16/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/versions/v16/software/S0431">HotCroissant</a> has used the open source UPX executable packer.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020."data-reference="Carbon Black HotCroissant April 2020">^{<a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0398"> S0398 </a> </td> <td> <a href="/versions/v16/software/S0398"> HyperBro </a> </td> <td> <p><a href="/versions/v16/software/S0398">HyperBro</a> has the ability to pack its payload.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0483"> S0483 </a> </td> <td> <a href="/versions/v16/software/S0483"> IcedID </a> </td> <td> <p><a href="/versions/v16/software/S0483">IcedID</a> has packed and encrypted its loader module.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020."data-reference="Juniper IcedID June 2020">^{<a href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0283"> S0283 </a> </td> <td> <a href="/versions/v16/software/S0283"> jRAT </a> </td> <td> <p><a href="/versions/v16/software/S0283">jRAT</a> payloads have been packed.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019."data-reference="Kaspersky Adwind Feb 2016">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v16/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v16/groups/G0094">Kimsuky</a> has packed malware with UPX.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021."data-reference="Malwarebytes Kimsuky June 2021">^{<a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0356"> S0356 </a> </td> <td> <a href="/versions/v16/software/S0356"> KONNI </a> </td> <td> <p><a href="/versions/v16/software/S0356">KONNI</a> has been packed for obfuscation.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022."data-reference="Malwarebytes KONNI Evolves Jan 2022">^{<a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1160"> S1160 </a> </td> <td> <a href="/versions/v16/software/S1160"> Latrodectus </a> </td> <td> <p>The <a href="/versions/v16/software/S1160">Latrodectus</a> payload has been packed for obfuscation.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024">^{<a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0513"> S0513 </a> </td> <td> <a href="/versions/v16/software/S0513"> LiteDuke </a> </td> <td> <p><a href="/versions/v16/software/S0513">LiteDuke</a> has been packed with multiple layers of encryption.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020."data-reference="ESET Dukes October 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0447"> S0447 </a> </td> <td> <a href="/versions/v16/software/S0447"> Lokibot </a> </td> <td> <p><a href="/versions/v16/software/S0447">Lokibot</a> has used several packing methods for obfuscation.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020."data-reference="Infoblox Lokibot January 2019">^{<a href="https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0532"> S0532 </a> </td> <td> <a href="/versions/v16/software/S0532"> Lucifer </a> </td> <td> <p><a href="/versions/v16/software/S0532">Lucifer</a> has used UPX packed binaries.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020">^{<a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v16/software/S0409"> Machete </a> </td> <td> <p><a href="/versions/v16/software/S0409">Machete</a> has been packed with NSIS.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0530"> S0530 </a> </td> <td> <a href="/versions/v16/software/S0530"> Melcoz </a> </td> <td> <p><a href="/versions/v16/software/S0530">Melcoz</a> has been packed with VMProtect and Themida.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020."data-reference="Securelist Brazilian Banking Malware July 2020">^{<a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0455"> S0455 </a> </td> <td> <a href="/versions/v16/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/versions/v16/software/S0455">Metamorfo</a> has used VMProtect to pack and protect files.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020."data-reference="Fortinet Metamorfo Feb 2020">^{<a href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0083"> S0083 </a> </td> <td> <a href="/versions/v16/software/S0083"> Misdat </a> </td> <td> <p><a href="/versions/v16/software/S0083">Misdat</a> was typically packed using UPX.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1026"> S1026 </a> </td> <td> <a href="/versions/v16/software/S1026"> Mongall </a> </td> <td> <p><a href="/versions/v16/software/S1026">Mongall</a> has been packed with Themida.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022."data-reference="SentinelOne Aoqin Dragon June 2022">^{<a href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1019"> G1019 </a> </td> <td> <a href="/versions/v16/groups/G1019"> MoustachedBouncer </a> </td> <td> <p><a href="/versions/v16/groups/G1019">MoustachedBouncer</a> has used malware plugins packed with Themida.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023">^{<a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v16/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/versions/v16/software/S0198">NETWIRE</a> has used .NET packer tools to evade detection.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021."data-reference="Red Canary NETWIRE January 2020">^{<a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0002"> C0002 </a> </td> <td> <a href="/versions/v16/campaigns/C0002"> Night Dragon </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0002">Night Dragon</a>, threat actors used software packing in its tools.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon">^{<a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v16/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v16/software/S0264">OopsIE</a> uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018."data-reference="Unit 42 OopsIE! Feb 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0022"> C0022 </a> </td> <td> <a href="/versions/v16/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/versions/v16/groups/G0032">Lazarus Group</a> packed malicious .db files with Themida to evade detection.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021."data-reference="ClearSky Lazarus Aug 2020">^{<a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span><span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021."data-reference="McAfee Lazarus Jul 2020">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021."data-reference="McAfee Lazarus Nov 2020">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0016"> C0016 </a> </td> <td> <a href="/versions/v16/campaigns/C0016"> Operation Dust Storm </a> </td> <td> <p>For <a href="https://attack.mitre.org/campaigns/C0016">Operation Dust Storm</a>, the threat actors used UPX to pack some payloads.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0005"> C0005 </a> </td> <td> <a href="/versions/v16/campaigns/C0005"> Operation Spalax </a> </td> <td> <p>For <a href="https://attack.mitre.org/campaigns/C0005">Operation Spalax</a>, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022."data-reference="ESET Operation Spalax Jan 2021">^{<a href="https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0352"> S0352 </a> </td> <td> <a href="/versions/v16/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> <p><a href="/versions/v16/software/S0352">OSX_OCEANLOTUS.D</a> has a variant that is packed with UPX.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019."data-reference="ESET OceanLotus macOS April 2019">^{<a href="https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v16/groups/G0040"> Patchwork </a> </td> <td> <p>A <a href="/versions/v16/groups/G0040">Patchwork</a> payload was packed with UPX.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016."data-reference="Securelist Dropping Elephant">^{<a href="https://securelist.com/the-dropping-elephant-actor/75328/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0650"> S0650 </a> </td> <td> <a href="/versions/v16/software/S0650"> QakBot </a> </td> <td> <p><a href="/versions/v16/software/S0650">QakBot</a> can encrypt and pack malicious payloads.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021."data-reference="Cyberint Qakbot May 2021">^{<a href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0565"> S0565 </a> </td> <td> <a href="/versions/v16/software/S0565"> Raindrop </a> </td> <td> <p><a href="/versions/v16/software/S0565">Raindrop</a> used a custom packer for its <a href="/versions/v16/software/S0154">Cobalt Strike</a> payload, which was compressed using the LZMA algorithm.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021."data-reference="Symantec RAINDROP January 2021">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021">^{<a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1130"> S1130 </a> </td> <td> <a href="/versions/v16/software/S1130"> Raspberry Robin </a> </td> <td> <p><a href="/versions/v16/software/S1130">Raspberry Robin</a> contains multiple payloads that are packed for defense evasion purposes and unpacked on runtime.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024."data-reference="TrendMicro RaspberryRobin 2022">^{<a href="https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0106"> G0106 </a> </td> <td> <a href="/versions/v16/groups/G0106"> Rocke </a> </td> <td> <p><a href="/versions/v16/groups/G0106">Rocke</a>'s miner has created UPX-packed files in the Windows Start Menu Folder.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020."data-reference="Talos Rocke August 2018">^{<a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020."data-reference="Unit 42 Rocke January 2019">^{<a href="https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019."data-reference="Anomali Rocke March 2019">^{<a href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0085"> S0085 </a> </td> <td> <a href="/versions/v16/software/S0085"> S-Type </a> </td> <td> <p>Some <a href="/versions/v16/software/S0085">S-Type</a> samples have been packed with UPX.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021."data-reference="Cylance Dust Storm">^{<a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1031"> G1031 </a> </td> <td> <a href="/versions/v16/groups/G1031"> Saint Bear </a> </td> <td> <p><a href="/versions/v16/groups/G1031">Saint Bear</a> clones .NET assemblies from other .NET binaries as well as cloning code signing certificates from other software to obfuscate the initial loader payload.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022."data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 ">^{<a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1018"> S1018 </a> </td> <td> <a href="/versions/v16/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/versions/v16/software/S1018">Saint Bot</a> has been packed using a dark market crypter.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021">^{<a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0461"> S0461 </a> </td> <td> <a href="/versions/v16/software/S0461"> SDBbot </a> </td> <td> <p><a href="/versions/v16/software/S0461">SDBbot</a> has used a packed installer file.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."data-reference="IBM TA505 April 2020">^{<a href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0053"> S0053 </a> </td> <td> <a href="/versions/v16/software/S0053"> SeaDuke </a> </td> <td> <p><a href="/versions/v16/software/S0053">SeaDuke</a> has been packed with the UPX packer.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016."data-reference="Unit 42 SeaDuke 2015">^{<a href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0444"> S0444 </a> </td> <td> <a href="/versions/v16/software/S0444"> ShimRat </a> </td> <td> <p><a href="/versions/v16/software/S0444">ShimRat</a>'s loader has been packed with the compressed <a href="/versions/v16/software/S0444">ShimRat</a> core DLL and the legitimate DLL for it to hijack.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020."data-reference="FOX-IT May 2016 Mofang">^{<a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0543"> S0543 </a> </td> <td> <a href="/versions/v16/software/S0543"> Spark </a> </td> <td> <p><a href="/versions/v16/software/S0543">Spark</a> has been packed with Enigma Protector to obfuscate its contents.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020."data-reference="Unit42 Molerat Mar 2020">^{<a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1030"> S1030 </a> </td> <td> <a href="/versions/v16/software/S1030"> Squirrelwaffle </a> </td> <td> <p><a href="/versions/v16/software/S1030">Squirrelwaffle</a> has been packed with a custom packer to hide payloads.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022."data-reference="ZScaler Squirrelwaffle Sep 2021">^{<a href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span><span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022."data-reference="Netskope Squirrelwaffle Oct 2021">^{<a href="https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0663"> S0663 </a> </td> <td> <a href="/versions/v16/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/versions/v16/software/S0663">SysUpdate</a> has been packed with VMProtect.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span><span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023."data-reference="Lunghi Iron Tiger Linux">^{<a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1018"> G1018 </a> </td> <td> <a href="/versions/v16/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used a .NET packer to obfuscate malicious files.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023."data-reference="Cisco Operation Layover September 2021">^{<a href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0092"> G0092 </a> </td> <td> <a href="/versions/v16/groups/G0092"> TA505 </a> </td> <td> <p><a href="/versions/v16/groups/G0092">TA505</a> has used UPX to obscure malicious code.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020."data-reference="IBM TA505 April 2020">^{<a href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0139"> G0139 </a> </td> <td> <a href="/versions/v16/groups/G0139"> TeamTNT </a> </td> <td> <p><a href="/versions/v16/groups/G0139">TeamTNT</a> has used UPX and Ezuri packer to pack its binaries.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0089"> G0089 </a> </td> <td> <a href="/versions/v16/groups/G0089"> The White Company </a> </td> <td> <p><a href="/versions/v16/groups/G0089">The White Company</a> has obfuscated their payloads through packing.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019."data-reference="Cylance Shaheen Nov 2018">^{<a href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v16/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/versions/v16/groups/G0027">Threat Group-3390</a> has packed malware and tools, including using VMProtect.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0671"> S0671 </a> </td> <td> <a href="/versions/v16/software/S0671"> Tomiris </a> </td> <td> <p><a href="/versions/v16/software/S0671">Tomiris</a> has been packed with UPX.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021."data-reference="Kaspersky Tomiris Sep 2021">^{<a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0678"> S0678 </a> </td> <td> <a href="/versions/v16/software/S0678"> Torisma </a> </td> <td> <p><a href="/versions/v16/software/S0678">Torisma</a> has been packed with Iz4 compression.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021."data-reference="McAfee Lazarus Nov 2020">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v16/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v16/software/S0266">TrickBot</a> leverages a custom packer to obfuscate its functionality.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018."data-reference="S2 Grupo TrickBot June 2017">^{<a href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0094"> S0094 </a> </td> <td> <a href="/versions/v16/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/versions/v16/software/S0094">Trojan.Karagany</a> samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016."data-reference="Symantec Dragonfly">^{<a href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span><span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020."data-reference="Secureworks Karagany July 2019">^{<a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0022"> S0022 </a> </td> <td> <a href="/versions/v16/software/S0022"> Uroburos </a> </td> <td> <p><a href="/versions/v16/software/S0022">Uroburos</a> uses a custom packer.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015."data-reference="Symantec Waterbug">^{<a href="https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span><span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="FBI et al. (2023, May 9). Hunting Russian Intelligence "Snake" Malware. Retrieved June 8, 2023."data-reference="Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023">^{<a href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v16/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v16/software/S0476">Valak</a> has used packed DLL payloads.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020."data-reference="SentinelOne Valak June 2020">^{<a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0257"> S0257 </a> </td> <td> <a href="/versions/v16/software/S0257"> VERMIN </a> </td> <td> <p><a href="/versions/v16/software/S0257">VERMIN</a> is initially packed.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018."data-reference="Unit 42 VERMIN Jan 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1017"> G1017 </a> </td> <td> <a href="/versions/v16/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/versions/v16/groups/G1017">Volt Typhoon</a> has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.ex) and the port scanning utility ScanLine.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024">^{<a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0248"> S0248 </a> </td> <td> <a href="/versions/v16/software/S0248"> yty </a> </td> <td> <p><a href="/versions/v16/software/S0248">yty</a> packs a plugin with UPX.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018."data-reference="ASERT Donot March 2018">^{<a href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v16/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/versions/v16/software/S0251">Zebrocy</a>'s Delphi variant was packed with UPX.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018">^{<a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019."data-reference="Accenture SNAKEMACKEREL Nov 2018">^{<a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0230"> S0230 </a> </td> <td> <a href="/versions/v16/software/S0230"> ZeroT </a> </td> <td> <p>Some <a href="/versions/v16/software/S0230">ZeroT</a> DLL files have been packed with UPX.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018."data-reference="Proofpoint ZeroT Feb 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0128"> G0128 </a> </td> <td> <a href="/versions/v16/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/versions/v16/groups/G0128">ZIRCONIUM</a> has used multi-stage packers for exploit code.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021."data-reference="Check Point APT31 February 2021">^{<a href="https://research.checkpoint.com/2021/the-story-of-jian/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/mitigations/M1049"> M1049 </a> </td> <td> <a href="/versions/v16/mitigations/M1049"> Antivirus/Antimalware </a> </td> <td> <p>Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware. </p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0022"> <td> <a href="/versions/v16/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Metadata">File Metadata</a> </td> <td> <p>Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" target="_blank"> Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://github.com/dhondta/awesome-executable-packing" target="_blank"> Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank"> Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf" target="_blank"> Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" target="_blank"> Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank"> FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"> Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank"> Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.group-ib.com/blog/apt41-world-tour-2021/" target="_blank"> Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.sogeti.com/globalassets/reports/cybersecchronicles_-_babuk.pdf" target="_blank"> Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf" target="_blank"> Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62" target="_blank"> Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank"> Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank"> Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/" target="_blank"> Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware" target="_blank"> Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.ncsc.nl/binaries/ncsc/documenten/publicaties/2024/februari/6/mivd-aivd-advisory-coathanger-tlp-clear/TLP-CLEAR+MIVD+AIVD+Advisory+COATHANGER.pdf" target="_blank"> Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf" target="_blank"> Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank"> Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank"> Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank"> Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="http://www.hexed.in/2019/07/osxdok-analysis.html" target="_blank"> fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://github.com/TheWover/donut" target="_blank"> TheWover. (2019, May 9). donut. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank"> ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank"> NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/" target="_blank"> Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank"> O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank"> Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/" target="_blank"> GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" target="_blank"> Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank"> Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank"> Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="53.0"> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank"> Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/" target="_blank"> Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank"> Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" target="_blank"> Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank"> GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.fortinet.com/blog/threat-research/another-metamorfo-variant-targeting-customers-of-financial-institutions" target="_blank"> Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-a-job-offer-thats-too-good-to-be-true/?hilite=%27Operation%27%2C%27North%27%2C%27Star%27" target="_blank"> Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank"> Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/" target="_blank"> M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/" target="_blank"> Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://securelist.com/the-dropping-elephant-actor/75328/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank"> Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank"> Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" target="_blank"> Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank"> Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://unit42.paloaltonetworks.com/malware-used-by-rocke-group-evolves-to-evade-detection-by-cloud-security-products/" target="_blank"> Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" target="_blank"> Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank"> Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank"> Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank"> Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot" target="_blank"> Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://blog.talosintelligence.com/operation-layover-how-we-tracked-attack/" target="_blank"> Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank"> Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517" target="_blank"> Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank"> Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank"> Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7382dce7-0260-4782-84cc-890971ed3f17&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments" target="_blank"> Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1" target="_blank"> Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.cisa.gov/sites/default/files/2023-05/aa23-129a_snake_malware_2.pdf" target="_blank"> FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank"> Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank"> Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank"> Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://research.checkpoint.com/2021/the-story-of-jian/" target="_blank"> Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/versions/v16/theme/scripts/sidebar-load-all.js"></script> </body> </html>