Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Data from Local System
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Data from Local System
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Data from Local System

Adversaries may search local system sources, such as file systems, configuration files, local databases, or virtual machine files, to find files of interest and sensitive data prior to Exfiltration. Adversaries may do this using a Command and Scripting Interpreter, such as cmd as well as a Network Device CLI, which have functionality to interact with the file system to gather information.(Citation: show_run_config_cmd_cisco) Adversaries may also use Automated Collection on the local system.

ID: T1005
Tactic(s): Collection
Platforms: ESXi, Linux, Network Devices, Windows, macOS
Data Sources: Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Version: 1.7
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
TrickBot

TrickBot collects local files and information from the victim’s local machine.(Citation: S2 Grupo TrickBot June 2017)
BLINDINGCAN

BLINDINGCAN has uploaded files from victim machines.(Citation: US-CERT BLINDINGCAN Aug 2020)
RCSession

RCSession can collect data from a compromised host.(Citation: Profero APT27 December 2020)(Citation: Trend Micro DRBControl February 2020)
QuietSieve

QuietSieve can collect files from a compromised host.(Citation: Microsoft Actinium February 2022)
Bumblebee

Bumblebee can capture and compress stolen credentials from the Registry and volume shadow copies.(Citation: Cybereason Bumblebee August 2022)
Amadey

Amadey can collect information from a compromised host.(Citation: BlackBerry Amadey 2020)
NPPSPY

NPPSPY records data entered from the local system logon at Winlogon to capture credentials in cleartext.(Citation: Huntress NPPSPY 2022)
Proxysvc

Proxysvc searches the local system and gathers data.(Citation: McAfee GhostSecret)
yty

yty collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server.(Citation: ASERT Donot March 2018)
KOPILUWAK

KOPILUWAK can gather information from compromised hosts.(Citation: Mandiant Suspected Turla Campaign February 2023)
Sardonic

Sardonic has the ability to collect data from a compromised machine to deliver to the attacker.(Citation: Symantec FIN8 Jul 2023)

Misdat

Misdat has collected files and data from a compromised host.(Citation: Cylance Dust Storm)
PowerSploit

PowerSploit contains a collection of Exfiltration modules that can access data from local files, volumes, and processes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)
Ursnif

Ursnif has collected files from victim machines, including certificates and cookies.(Citation: TrendMicro BKDR_URSNIF.SM)
ThreatNeedle

ThreatNeedle can collect data and files from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021)
FrameworkPOS

FrameworkPOS can collect elements related to credit card data from process memory.(Citation: SentinelOne FrameworkPOS September 2019)
GravityRAT

GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.(Citation: Talos GravityRAT)
Bankshot

Bankshot collects files from the local system.(Citation: McAfee Bankshot)
SharpDisco

SharpDisco has dropped a recent-files stealer plugin to `C:\Users\Public\WinSrcNT\It11.exe`.(Citation: MoustachedBouncer ESET August 2023)
xCaon

xCaon has uploaded files from victims' machines.(Citation: Checkpoint IndigoZebra July 2021)
Nebulae

Nebulae has the capability to upload collected files to C2.(Citation: Bitdefender Naikon April 2021)
RainyDay

RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host.(Citation: Bitdefender Naikon April 2021)
AppleSeed

AppleSeed can collect data on a compromised host.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)
TinyTurla

TinyTurla can upload files from a compromised host.(Citation: Talos TinyTurla September 2021)
CosmicDuke

CosmicDuke steals user files from local hard drives with file extensions that match a predefined list.(Citation: F-Secure Cosmicduke)
EnvyScout

EnvyScout can collect sensitive NTLM material from a compromised host.(Citation: MSTIC Nobelium Toolset May 2021)
Crimson

Crimson can collect information from a compromised host.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)
Tomiris

Tomiris has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration.(Citation: Kaspersky Tomiris Sep 2021)
DUSTTRAP

DUSTTRAP can gather data from infected systems.(Citation: Google Cloud APT41 2024)
Machete

Machete searches the File system for files of interest.(Citation: ESET Machete July 2019)

PowerLess

PowerLess has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines.(Citation: Cybereason PowerLess February 2022)

Action RAT

Action RAT can collect local data from an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)
PingPull

PingPull can collect data from a compromised host.(Citation: Unit 42 PingPull Jun 2022)
WellMess

WellMess can send files from the victim machine to C2.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)
PcShare

PcShare can collect files and information from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)
Woody RAT

Woody RAT can collect information from a compromised host.(Citation: MalwareBytes WoodyRAT Aug 2022)
Mafalda

Mafalda can collect files and information from a compromised host.(Citation: SentinelLabs Metador Sept 2022)
AuTo Stealer

AuTo Stealer can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)
SombRAT

SombRAT has collected data and files from a compromised host.(Citation: BlackBerry CostaRicto November 2020)(Citation: CISA AR21-126A FIVEHANDS May 2021)
FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system. FLASHFLOOD will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. FLASHFLOOD also collects information stored in the Windows Address Book.(Citation: FireEye APT30)
FlawedAmmyy

FlawedAmmyy has collected information and files from a compromised machine.(Citation: Korean FSI TA505 2020)
LoFiSe

LoFiSe can collect files of interest from targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)
MobileOrder

MobileOrder exfiltrates data collected from the victim mobile device.(Citation: Scarlet Mimic Jan 2016)
InvisiMole

InvisiMole can collect data from the system, and can monitor changes in specified directories.(Citation: ESET InvisiMole June 2018)
P.A.S. Webshell

P.A.S. Webshell has the ability to copy files on a compromised host.(Citation: ANSSI Sandworm January 2021)
Neoichor

Neoichor can upload files from a victim's machine.(Citation: Microsoft NICKEL December 2021)
MarkiRAT

MarkiRAT can upload data from the victim's machine to the C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Kazuar

Kazuar uploads files from a specified directory to the C2 server.(Citation: Unit 42 Kazuar May 2017)
CHIMNEYSWEEP

CHIMNEYSWEEP can collect files from compromised hosts.(Citation: Mandiant ROADSWEEP August 2022)
FatDuke

FatDuke can copy files and directories from a compromised host.(Citation: ESET Dukes October 2019)
DRATzarus

DRATzarus can collect information from a compromised host.(Citation: ClearSky Lazarus Aug 2020)
Rising Sun

Rising Sun has collected data and files from a compromised host.(Citation: McAfee Sharpshooter December 2018)
ShimRat

ShimRat has the capability to upload collected files to a C2.(Citation: FOX-IT May 2016 Mofang)

Chrommme

Chrommme can collect data from a local system.(Citation: ESET Gelsemium June 2021)
BADFLICK

BADFLICK has uploaded files from victims' machines.(Citation: Accenture MUDCARP March 2019)
Flagpro

Flagpro can collect data from a compromised host, including Windows authentication information.(Citation: NTT Security Flagpro new December 2021)
SpicyOmelette

SpicyOmelette has collected data and other information from a compromised host.(Citation: Secureworks GOLD KINGSWOOD September 2018)
Green Lambert

Green Lambert can collect data from a compromised host.(Citation: Objective See Green Lambert for OSX Oct 2021)
China Chopper

China Chopper's server component can upload local files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools)(Citation: Rapid7 HAFNIUM Mar 2021)
ROKRAT

ROKRAT can collect host data and specific file types.(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)
DarkWatchman

DarkWatchman can collect files from a compromised host.(Citation: Prevailion DarkWatchman 2021)
BlackMould

BlackMould can copy files on a compromised host.(Citation: Microsoft GALLIUM December 2019)
Bisonal

Bisonal has collected information from a compromised host.(Citation: Talos Bisonal Mar 2020)

Rover

Rover searches for files on local drives based on a predefined list of file extensions.(Citation: Palo Alto Rover)
LightNeuron

LightNeuron can collect files from a local system.(Citation: ESET LightNeuron May 2019)
Clambling

Clambling can collect information from a compromised host.(Citation: Trend Micro DRBControl February 2020)
DarkGate

DarkGate has stolen `sitemanager.xml` and `recentservers.xml` from `%APPDATA%\FileZilla\` if present.(Citation: Rapid7 BlackBasta 2024)

Mongall

Mongall has the ability to upload files from victim's machines.(Citation: SentinelOne Aoqin Dragon June 2022)
SVCReady

SVCReady can collect data from an infected host.(Citation: HP SVCReady Jun 2022)
FoggyWeb

FoggyWeb can retrieve configuration data from a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)
Hydraq

Hydraq creates a backdoor through which remote attackers can read data from files.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)
CreepyDrive

CreepyDrive can upload files to C2 from victim machines.(Citation: Microsoft POLONIUM June 2022)
Caterpillar WebShell

Caterpillar WebShell has a module to collect information from the local database.(Citation: ClearSky Lebanese Cedar Jan 2021)

USBferry

USBferry can collect information from an air-gapped host machine.(Citation: TrendMicro Tropic Trooper May 2020)

Brute Ratel C4

Brute Ratel C4 has the ability to upload files from a compromised system.(Citation: Palo Alto Brute Ratel July 2022)
Latrodectus

Latrodectus can collect data from a compromised host using a stealer module.(Citation: Bitsight Latrodectus June 2024)
Saint Bot

Saint Bot can collect files and information from a compromised host.(Citation: Malwarebytes Saint Bot April 2021)
CharmPower

CharmPower can collect data and files from a compromised host.(Citation: Check Point APT35 CharmPower January 2022)
Uroburos

Uroburos can use its `Get` command to exfiltrate specified files from the compromised system.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Out1

Out1 can copy files and Registry data from compromised hosts.(Citation: Trend Micro Muddy Water March 2021)
Bandook

Bandook can collect local files from the system .(Citation: CheckPoint Bandook Nov 2020)

KONNI

KONNI has stored collected information and discovered processes in a tmp file.(Citation: Malwarebytes Konni Aug 2021)
RAPIDPULSE

RAPIDPULSE retrieves files from the victim system via encrypted commands sent to the web shell.(Citation: Mandiant Pulse Secure Update May 2021)
DnsSystem

DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string.(Citation: Zscaler Lyceum DnsSystem June 2022)
KGH_SPY

KGH_SPY can send a file containing victim system information to C2.(Citation: Cybereason Kimsuky November 2020)
Ixeshe

Ixeshe can collect data from a local system.(Citation: Trend Micro IXESHE 2012)
Forfiles

Forfiles can be used to act on (ex: copy, move, etc.) files/directories in a system during (ex: copy files into a staging area before).(Citation: Überwachung APT28 Forfiles June 2015)
BoxCaon

BoxCaon can upload files from a compromised host.(Citation: Checkpoint IndigoZebra July 2021)
NightClub

NightClub can use a file monitor to steal specific files from targeted systems.(Citation: MoustachedBouncer ESET August 2023)
Crutch

Crutch can exfiltrate files from compromised systems.(Citation: ESET Crutch December 2020)
SDBbot

SDBbot has the ability to access the file system on a compromised host.(Citation: Proofpoint TA505 October 2019)
Hikit

Hikit can upload files from compromised machines.(Citation: Novetta-Axiom)
WellMail

WellMail can exfiltrate files from the victim machine.(Citation: CISA WellMail July 2020)
RawPOS

RawPOS dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data.(Citation: Kroll RawPOS Jan 2017)(Citation: TrendMicro RawPOS April 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)
MCMD

MCMD has the ability to upload files from an infected device.(Citation: Secureworks MCMD July 2019)
ZxxZ

ZxxZ can collect data from a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)
Drovorub

Drovorub can transfer files from the victim machine.(Citation: NSA/FBI Drovorub August 2020)
Shark

Shark can upload files to its C2.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
Bazar

Bazar can retrieve information from the infected machine.(Citation: Cybereason Bazar July 2020)
BadPatch

BadPatch collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx.(Citation: Unit 42 BadPatch Oct 2017)
Cryptoistic

Cryptoistic can retrieve files from the local file system.(Citation: SentinelOne Lazarus macOS July 2020)
MgBot

MgBot includes modules for collecting files from local systems based on a given set of properties and filenames.(Citation: ESET EvasivePanda 2023)
ccf32

ccf32 can collect files from a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020)
Cobalt Strike

Cobalt Strike can collect data from a local system.(Citation: Cobalt Strike TTPs Dec 2017)
Cobalt Strike

Cobalt Strike can collect data from a local system.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: Cobalt Strike Manual 4.3 November 2020)
SUNBURST

SUNBURST collected information from a compromised host.(Citation: Microsoft Analyzing Solorigate Dec 2020)(Citation: FireEye SUNBURST Backdoor December 2020)
Samurai

Samurai can leverage an exfiltration module to download arbitrary files from compromised machines.(Citation: Kaspersky ToddyCat June 2022)
PinchDuke

PinchDuke collects user files from the compromised host based on predefined file extensions.(Citation: F-Secure The Dukes)
Milan

Milan can upload files from a compromised host.(Citation: ClearSky Siamesekitten August 2021)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has the ability to upload files from a compromised host.(Citation: Trend Micro MacOS Backdoor November 2020)
Taidoor

Taidoor can upload data and files from a victim's machine.(Citation: TrendMicro Taidoor)
Cyclops Blink

Cyclops Blink can upload files from a compromised host.(Citation: NCSC Cyclops Blink February 2022)
PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can steal system information.(Citation: Symantec Darkmoon Aug 2005)
TajMahal

TajMahal has the ability to steal documents from the local system including the print spooler queue.(Citation: Kaspersky TajMahal April 2019)
Pasam

Pasam creates a backdoor through which remote attackers can retrieve files.(Citation: Symantec Pasam May 2012)
Raccoon Stealer

Raccoon Stealer collects data from victim machines based on configuration information received from command and control nodes.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022)
IPsec Helper

IPsec Helper can identify specific files and folders for follow-on exfiltration.(Citation: SentinelOne Agrius 2021)
DanBot

DanBot can upload files from compromised hosts.(Citation: SecureWorks August 2019)
Calisto

Calisto can collect data from user directories.(Citation: Securelist Calisto July 2018)
Ramsay

Ramsay can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

Pillowmint

Pillowmint has collected credit card data using native API functions.(Citation: Trustwave Pillowmint June 2020)
MacMa

MacMa can collect then exfiltrate files from the compromised system.(Citation: ESET DazzleSpy Jan 2022)
FunnyDream

FunnyDream can upload files from victims' machines.(Citation: Bitdefender FunnyDream Campaign November 2020)(Citation: Kaspersky APT Trends Q1 2020)
SysUpdate

SysUpdate can collect information and files from a compromised host.(Citation: Lunghi Iron Tiger Linux)
OutSteel

OutSteel can collect information from a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
esentutl

esentutl can be used to collect data from local file systems.(Citation: Red Canary 2021 Threat Detection Report March 2021)
PUNCHTRACK

PUNCHTRACK scrapes memory for properly formatted payment card data.(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)
Koadic

Koadic can download files off the target system to send back to the server.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021)
GrimAgent

GrimAgent can collect data and files from a compromised host.(Citation: Group IB GrimAgent July 2021)
StealBit

StealBit can upload data and files to the LockBit victim-shaming site.(Citation: FBI Lockbit 2.0 FEB 2022)(Citation: Cybereason StealBit Exfiltration Tool)
ZxShell

ZxShell can transfer files from a compromised host.(Citation: Talos ZxShell Oct 2014)
SLIGHTPULSE

SLIGHTPULSE can read files specified on the local system.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
Troll Stealer

Troll Stealer gathers information from infected systems such as SSH information from the victim's `.ssh` directory.(Citation: Symantec Troll Stealer 2024) Troll Stealer collects information from local FileZilla installations and Microsoft Sticky Note.(Citation: S2W Troll Stealer 2024)
njRAT

njRAT can collect data from a local system.(Citation: Fidelis njRAT June 2013)
QuasarRAT

QuasarRAT can retrieve files from compromised client machines.(Citation: CISA AR18-352A Quasar RAT December 2018)
POWERSTATS

POWERSTATS can upload files from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)
IceApple

IceApple can collect files, passwords, and other data from a compromised host.(Citation: CrowdStrike IceApple May 2022)
metaMain

metaMain can collect files and system information from a compromised host.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
SideTwist

SideTwist has the ability to upload files from a compromised host.(Citation: Check Point APT34 April 2021)
Mis-Type

Mis-Type has collected files and data from a compromised host.(Citation: Cylance Dust Storm)
XCSSET

XCSSET collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders.(Citation: trendmicro xcsset xcode project 2020)
Octopus

Octopus can exfiltrate files from the system using a documents collector tool.(Citation: ESET Nomadic Octopus 2018)
STARWHALE

STARWHALE can collect data from an infected local host.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
Pcexter

Pcexter can upload files from targeted systems.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Kevin

Kevin can upload logs and other data from a compromised host.(Citation: Kaspersky Lyceum October 2021)
BADNEWS

When it first starts, BADNEWS crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)
Linfo

Linfo creates a backdoor through which remote attackers can obtain data from local systems.(Citation: Symantec Linfo May 2012)
Goopy

Goopy has the ability to exfiltrate documents from infected systems.(Citation: Cybereason Cobalt Kitty 2017)

QakBot

QakBot can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated.(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)
CookieMiner

CookieMiner has retrieved iPhone text messages from iTunes phone backup files.(Citation: Unit42 CookieMiner Jan 2019)
Gelsemium

Gelsemium can collect data from a compromised host.(Citation: ESET Gelsemium June 2021)
Dtrack

Dtrack can collect a variety of information from victim machines.(Citation: CyberBit Dtrack)
Wevtutil

Wevtutil can be used to export events from a specific log.(Citation: Wevtutil Microsoft Documentation)(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)
Zox

Zox has the ability to upload files from a targeted system.(Citation: Novetta-Axiom)
StrifeWater

StrifeWater can collect data from a compromised host.(Citation: Cybereason StrifeWater Feb 2022)
WarzoneRAT

WarzoneRAT can collect data from a compromised host.(Citation: Check Point Warzone Feb 2020)
SLOTHFULMEDIA

SLOTHFULMEDIA has uploaded files and information from victim machines.(Citation: CISA MAR SLOTHFULMEDIA October 2020)
Frankenstein

Frankenstein has enumerated hosts via Empire, gathering various local system information.(Citation: Talos Frankenstein June 2019)
APT28

APT28 has retrieved internal documents from machines inside victim environments, including by using Forfiles to stage documents before exfiltration.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
Turla

Turla RPC backdoors can upload files from victim machines.(Citation: ESET Turla PowerShell May 2019)
Operation Wocao

Operation Wocao has exfiltrated files and directories of interest from the targeted system.(Citation: FoxIT Wocao December 2019)
Fox Kitten

Fox Kitten has searched local system resources to access sensitive documents.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
Lazarus Group

Lazarus Group has collected data and files from compromised networks.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: Kaspersky ThreatNeedle Feb 2021)
Gamaredon Group

Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.(Citation: ESET Gamaredon June 2020)
APT29

APT29 has extracted files from compromised networks.(Citation: Volexity SolarWinds)

APT29

APT29 has stolen data from compromised hosts.(Citation: Mandiant APT29 Eye Spy Email Nov 22)
APT1

APT1 has collected files from a local victim.(Citation: Mandiant APT1)
APT39

APT39 has used various tools to steal files from the compromised host.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)
APT38

APT38 has collected data from a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)
Dragonfly 2.0

Dragonfly 2.0 collected data from local victim systems.(Citation: US-CERT TA18-074A)
Aquatic Panda

Aquatic Panda captured local Windows security event log data from victim machines using the wevtutil utility to extract contents to an evtx output file.(Citation: Crowdstrike HuntReport 2022)
BRONZE BUTLER

BRONZE BUTLER has exfiltrated files stolen from local systems.(Citation: Secureworks BRONZE BUTLER Oct 2017)
Honeybee

Honeybee collects data from the local victim system.(Citation: McAfee Honeybee)
Wizard Spider

Wizard Spider has collected data from a compromised host prior to exfiltration.(Citation: Mandiant FIN12 Oct 2021)
Threat Group-3390

Threat Group-3390 ran a command to compile an archive of file types of interest from the victim user's directories.(Citation: SecureWorks BRONZE UNION June 2017)
Dragonfly

Dragonfly has collected data from local victim systems.(Citation: US-CERT TA18-074A)
OilRig

OilRig has used PowerShell to upload files from compromised systems.(Citation: Trend Micro Earth Simnavaz October 2024)
LuminousMoth

LuminousMoth has collected files and data from compromised machines.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021)
APT37

APT37 has collected data from victims' local systems.(Citation: FireEye APT37 Feb 2018)
Inception

Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host.(Citation: Kaspersky Cloud Atlas August 2019)
Andariel

Andariel has collected large numbers of files from compromised network systems for later extraction.(Citation: FSI Andariel Campaign Rifle July 2017)
FIN7

FIN7 has collected files and other sensitive information from a compromised network.(Citation: CrowdStrike Carbon Spider August 2021)
Volt Typhoon

Volt Typhoon has stolen files from a sensitive file server and the Active Directory database from targeted environments, and used Wevtutil to extract event log information.(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: Secureworks BRONZE SILHOUETTE May 2023)(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
FIN13

FIN13 has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Axiom

Axiom has collected data from a compromised network.(Citation: Novetta-Axiom)
Kimsuky

Kimsuky has collected Office, PDF, and HWP documents from its victims.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)
Dust Storm

Dust Storm has used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)
Sandworm Team

Sandworm Team has exfiltrated internal documents, files, and other data from compromised hosts.(Citation: US District Court Indictment GRU Unit 74455 October 2020)
Magic Hound

Magic Hound has used a web shell to exfiltrate a ZIP file containing a dump of LSASS memory on a compromised machine.(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021)
menuPass

menuPass has collected various files from the compromised computers.(Citation: DOJ APT10 Dec 2018)(Citation: Symantec Cicada November 2020)

Windigo

Windigo has used a script to gather credentials in files left on disk by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)
ToddyCat

ToddyCat has run scripts to collect documents from targeted hosts.(Citation: Kaspersky ToddyCat Check Logs October 2023)
Ke3chang

Ke3chang gathered information and files from local directories for exfiltration.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)
Patchwork

Patchwork collected and exfiltrated files from the infected system.(Citation: Cymmetria Patchwork)
Ember Bear

Ember Bear gathers victim system information such as enumerating the volume of a given device or extracting system and security event logs for analysis.(Citation: Cadet Blizzard emerges as novel threat actor)(Citation: CISA GRU29155 2024)
RedCurl

RedCurl has collected data from the local disk of compromised hosts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)
APT3

APT3 will identify Microsoft Office documents on the victim's computer.(Citation: aptsim)
Agrius

Agrius gathered data from database and other critical servers in victim environments, then used wiping mechanisms as an anti-analysis and anti-forensics mechanism.(Citation: Unit42 Agrius 2023)
CURIUM

CURIUM has exfiltrated data from a compromised machine.(Citation: Microsoft Iranian Threat Actor Trends November 2021)
GALLIUM

GALLIUM collected data from the victim's local system, including password hashes from the SAM hive in the Registry.(Citation: Cybereason Soft Cell June 2019)
FIN6

FIN6 has collected and exfiltrated payment card data from compromised systems.(Citation: Trend Micro FIN6 October 2019)(Citation: RiskIQ British Airways September 2018)(Citation: RiskIQ Newegg September 2018)
APT41

APT41 has uploaded files and data from a compromised host.(Citation: Group IB APT 41 June 2021)
LAPSUS$

LAPSUS$ uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.(Citation: MSTIC DEV-0537 Mar 2022)
Dark Caracal

Dark Caracal collected complete contents of the 'Pictures' folder from compromised Windows systems.(Citation: Lookout Dark Caracal Jan 2018)
UNC2452

UNC2452 extracted files from compromised networks.(Citation: Volexity SolarWinds)

HAFNIUM

HAFNIUM has collected data and files from a compromised machine.(Citation: Rapid7 HAFNIUM Mar 2021)(Citation: Microsoft Silk Typhoon MAR 2025)
Stealth Falcon

Stealth Falcon malware gathers data from the local victim system.(Citation: Citizen Lab Stealth Falcon May 2016)

Mitigations
Mitigation Description
Data from Local System Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)
Data Loss Prevention

Data Loss Prevention (DLP) involves implementing strategies and technologies to identify, categorize, monitor, and control the movement of sensitive data within an organization. This includes protecting data formats indicative of Personally Identifiable Information (PII), intellectual property, or financial data from unauthorized access, transmission, or exfiltration. DLP solutions integrate with network, endpoint, and cloud platforms to enforce security policies and prevent accidental or malicious data leaks. (Citation: PurpleSec Data Loss Prevention) This mitigation can be implemented through the following measures: Sensitive Data Categorization: - Use Case: Identify and classify data based on sensitivity (e.g., PII, financial data, trade secrets). - Implementation: Use DLP solutions to scan and tag files containing sensitive information using predefined patterns, such as Social Security Numbers or credit card details. Exfiltration Restrictions: - Use Case: Prevent unauthorized transmission of sensitive data. - Implementation: Enforce policies to block unapproved email attachments, unauthorized USB usage, or unencrypted data uploads to cloud storage. Data-in-Transit Monitoring: - Use Case: Detect and prevent the transmission of sensitive data over unapproved channels. - Implementation: Deploy network-based DLP tools to inspect outbound traffic for sensitive content (e.g., financial records or PII) and block unapproved transmissions. Endpoint Data Protection: - Use Case: Monitor and control sensitive data usage on endpoints. - Implementation: Use endpoint-based DLP agents to block copy-paste actions of sensitive data and unauthorized printing or file sharing. Cloud Data Security: - Use Case: Protect data stored in cloud platforms. - Implementation: Integrate DLP with cloud storage platforms like Google Drive, OneDrive, or AWS to monitor and restrict sensitive data sharing or downloads.

Detection

Monitor processes and command-line arguments for actions that could be taken to collect files from a system. Remote access tools with built-in features may interact directly with the Windows API to gather data. Further, Network Device CLI commands may also be used to collect files such as configuration files with built-in features native to the network device platform.(Citation: Mandiant APT41 Global Intrusion )(Citation: US-CERT-TA18-106A) Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. For network infrastructure devices, collect AAA logging to monitor `show` commands that view configuration files.

References

  1. FBI. (2022, February 4). Indicators of Compromise Associated with LockBit 2.0 Ransomware. Retrieved January 24, 2025.
  2. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  3. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  4. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  5. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  6. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  7. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  8. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  9. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  10. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  11. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  12. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  13. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  14. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  15. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  16. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  17. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  18. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  19. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  20. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  21. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  22. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  23. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  24. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  25. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  26. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
  27. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  28. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  29. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  30. NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023.
  31. Dray Agha. (2022, August 16). Cleartext Shenanigans: Gifting User Passwords to Adversaries With NPPSPY. Retrieved May 17, 2024.
  32. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  33. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  34. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  35. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  36. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  37. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  38. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  39. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  40. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  41. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  42. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  43. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  44. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  45. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  46. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  47. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  48. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  49. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  50. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  51. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  52. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  53. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  54. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  55. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  56. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
  57. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  58. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  59. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  60. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  61. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  62. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  63. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  64. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  65. Cisco. (2022, August 16). show running-config - Cisco IOS Configuration Fundamentals Command Reference . Retrieved July 13, 2022.
  66. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  67. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  68. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  69. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  70. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  71. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  72. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  73. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  74. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  75. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  76. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  77. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  78. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  79. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  80. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  81. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  82. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  83. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  84. Microsoft Threat Intelligence . (2025, March 5). Silk Typhoon targeting IT supply chain. Retrieved March 20, 2025.
  85. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  86. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  87. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  88. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  89. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  90. Volexity Threat Research. (2024, April 12). Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400). Retrieved November 20, 2024.
  91. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  92. Klijnsma, Y. (2018, September 19). Another Victim of the Magecart Assault Emerges: Newegg. Retrieved September 9, 2020.
  93. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  94. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  95. Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.
  96. Or Chechik, Tom Fakterman, Daniel Frank & Assaf Dahan. (2023, November 6). Agonizing Serpens (Aka Agrius) Targeting the Israeli Higher Education and Tech Sectors. Retrieved May 22, 2024.
  97. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  98. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  99. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  100. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  101. Eoin Miller. (2021, March 23). Defending Against the Zero Day: Analyzing Attacker Behavior Post-Exploitation of Microsoft Exchange. Retrieved October 27, 2022.
  102. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  103. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  104. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  105. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  106. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  107. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  108. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  109. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  110. Klijnsma, Y. (2018, September 11). Inside the Magecart Breach of British Airways: How 22 Lines of Code Claimed 380,000 Victims. Retrieved September 9, 2020.
  111. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  112. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  113. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  114. Symantec Threat Hunter Team. (2024, May 16). Springtail: New Linux Backdoor Added to Toolkit. Retrieved January 17, 2025.
  115. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  116. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  117. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  118. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  119. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  120. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  121. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  122. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  123. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  124. Microsoft. (n.d.). wevtutil. Retrieved September 14, 2021.
  125. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  126. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  127. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  128. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  129. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  130. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  131. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  132. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  133. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  134. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  135. Kremez, V. (2019, September 19). FIN6 “FrameworkPOS”: Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
  136. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  137. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  138. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  139. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  140. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  141. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  142. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  143. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  144. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  145. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  146. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  147. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  148. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  149. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  150. Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
  151. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  152. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  153. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  154. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  155. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  156. Fahmy, M. et al. (2024, October 11). Earth Simnavaz (aka APT34) Levies Advanced Cyberattacks Against Middle East. Retrieved November 27, 2024.
  157. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  158. Hacquebord, F. (n.d.). Pawn Storm in 2019 A Year of Scanning and Credential Phishing on High-Profile Targets. Retrieved December 29, 2020.
  159. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  160. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  161. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  162. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  163. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  164. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  165. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  166. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  167. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  168. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  169. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  170. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  171. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  172. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  173. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  174. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  175. Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
  176. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  177. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  178. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  179. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved November 17, 2024.
  180. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  181. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  182. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  183. Red Canary. (2021, March 31). 2021 Threat Detection Report. Retrieved August 31, 2021.
  184. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  185. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  186. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  187. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  188. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  189. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  190. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  191. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  192. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  193. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  194. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  195. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024.
  196. CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024.
  197. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  198. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  199. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  200. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved November 17, 2024.
  201. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  202. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  203. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  204. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  205. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  206. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  207. Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022.
  208. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  209. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  210. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  211. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  212. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  213. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  214. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  215. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  216. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  217. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  218. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  219. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
  220. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  221. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  222. Facundo Muñoz. (2023, April 26). Evasive Panda APT group delivers malware via updates for popular Chinese software. Retrieved July 25, 2024.
  223. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  224. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  225. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  226. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  227. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  228. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  229. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  230. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  231. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.
  232. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  233. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  234. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  235. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  236. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  237. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  238. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  239. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  240. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  241. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  242. Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023.
  243. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  244. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  245. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.