Non-Application Layer Protocol

Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts.(Citation: Microsoft ICMP) However, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

In ESXi environments, adversaries may leverage the Virtual Machine Communication Interface (VMCI) for communication between guest virtual machines and the ESXi host. This traffic is similar to client-server communications on traditional network sockets but is localized to the physical machine running the ESXi host, meaning it does not traverse external networks (routers, switches). This results in communications that are invisible to external monitoring and standard networking tools like tcpdump, netstat, nmap, and Wireshark. By adding a VMCI backdoor to a compromised ESXi host, adversaries may persistently regain access from any guest VM to the compromised ESXi host’s backdoor, regardless of network segmentation or firewall rules in place.(Citation: Google Cloud Threat Intelligence VMWare ESXi Zero-Day 2023)

ID: T1095
Tactic(s): Command and Control
Platforms: ESXi, Linux, macOS, Network Devices, Windows
Data Sources: Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Version: 2.4
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples

Name Description
FRP

FRP can communicate over TCP, TCP stream multiplexing, KERN Communications Protocol (KCP), QUIC, and UDP.(Citation: FRP GitHub)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has used a custom binary protocol over port 443 for C2 traffic.(Citation: Unit42 OceanLotus 2017)

Anchor

Anchor has used ICMP in C2 communications.(Citation: Cyberreason Anchor December 2019)

FakeM

Some variants of FakeM use SSL to communicate with C2 servers.(Citation: Scarlet Mimic Jan 2016)

Aria-body

Aria-body has used TCP in C2 communications.(Citation: CheckPoint Naikon May 2020)

Clambling

Clambling has the ability to use TCP and UDP for communication.(Citation: Trend Micro DRBControl February 2020)

MacMa

MacMa has used a custom JSON-based protocol for its C&C communications.(Citation: ESET DazzleSpy Jan 2022)

WINDSHIELD

WINDSHIELD C2 traffic can communicate via TCP raw sockets.(Citation: FireEye APT32 May 2017)

Gelsemium

Gelsemium has the ability to use TCP and UDP in C2 communications.(Citation: ESET Gelsemium June 2021)

cd00r

cd00r can monitor incoming C2 communications sent over TCP to the compromised host.(Citation: Hartrell cd00r 2002)(Citation: Lumen J-Magic JAN 2025)

TSCookie

TSCookie can use ICMP to receive information on the destination server.(Citation: JPCert BlackTech Malware September 2019)

Ninja

Ninja can forward TCP packets between the C2 and a remote host.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)

J-magic

J-magic can monitor incoming C2 communications sent over TCP to the compromised host.(Citation: Lumen J-Magic JAN 2025)

PlugX

PlugX can be configured to use raw TCP or UDP for command and control.(Citation: Dell TG-3390)

AuTo Stealer

AuTo Stealer can use TCP to communicate with command and control servers.(Citation: MalwareBytes SideCopy Dec 2021)

COATHANGER

COATHANGER uses ICMP for transmitting configuration information to and from its command and control server.(Citation: NCSC-NL COATHANGER Feb 2024)

LITTLELAMB.WOOLTEA

LITTLELAMB.WOOLTEA can function as a stand-alone backdoor communicating over the `/tmp/clientsDownload.sock` socket.(Citation: Mandiant Cutting Edge Part 3 February 2024)

Neo-reGeorg

Neo-reGeorg can create multiple TCP connections for a single session.(Citation: GitHub Neo-reGeorg 2019)

RARSTONE

RARSTONE uses SSL to encrypt its communication with its C2 server.(Citation: Aquino RARSTONE)

Uroburos

Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)

Drovorub

Drovorub can use TCP to communicate between its agent and client modules.(Citation: NSA/FBI Drovorub August 2020)

InvisiMole

InvisiMole has used TCP to download additional modules.(Citation: ESET InvisiMole June 2020)

Mustang Panda communicated over TCP 5000 from adversary administrative servers to adversary command and control nodes during RedDelta Modified PlugX Infection Chain Operations.(Citation: Recorded Future RedDelta 2025)

Mafalda

Mafalda can use raw TCP for C2.(Citation: SentinelLabs Metador Sept 2022)

Winnti for Linux

Winnti for Linux has used ICMP, custom TCP, and UDP in outbound communications.(Citation: Chronicle Winnti for Linux May 2019)

Ember Bear

Ember Bear uses socket-based tunneling utilities for command and control purposes such as NetCat and Go Simple Tunnel (GOST). These tunnels are used to push interactive command prompts over the created sockets.(Citation: Cadet Blizzard emerges as novel threat actor) Ember Bear has also used reverse TCP connections from Meterpreter installations to communicate back with C2 infrastructure.(Citation: CISA GRU29155 2024)

ZIPLINE

ZIPLINE can communicate with C2 using a custom binary protocol.(Citation: Mandiant Cutting Edge Part 2 January 2024)

metaMain

metaMain can establish an indirect and raw TCP socket-based connection to the C2 server.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)

Operation Wocao

Operation Wocao has used a custom protocol for command and control.(Citation: FoxIT Wocao December 2019)

Nebulae

Nebulae can use TCP in C2 communications.(Citation: Bitdefender Naikon April 2021)

Metamorfo

Metamorfo has used raw TCP for C2.(Citation: FireEye Metamorfo Apr 2018)

Remsec

Remsec is capable of using ICMP, TCP, and UDP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)

Winnti for Windows

Winnti for Windows can communicate using custom TCP.(Citation: Novetta Winnti April 2015)

MoonWind

MoonWind completes network communication via raw sockets.(Citation: Palo Alto MoonWind March 2017)

HiddenWasp

HiddenWasp communicates with a simple network protocol over TCP.(Citation: Intezer HiddenWasp Map 2019)

During Cutting Edge, threat actors used the Unix socket and a reverse TCP shell for C2 communications.(Citation: Mandiant Cutting Edge Part 3 February 2024)

During the 2022 Ukraine Electric Power Attack, Sandworm Team proxied C2 communications within a TLS-based tunnel.(Citation: Mandiant-Sandworm-Ukraine-2022)

WellMail

WellMail can use TCP for C2 communications.(Citation: CISA WellMail July 2020)

Mythic

Mythic supports WebSocket and TCP-based C2 profiles.(Citation: Mythc Documentation)

Misdat

Misdat network traffic communicates over a raw socket.(Citation: Cylance Dust Storm)

QUIETEXIT

QUIETEXIT can establish a TCP connection as part of its initial connection to the C2.(Citation: Mandiant APT29 Eye Spy Email Nov 22)

Pay2Key

Pay2Key has sent its public key to the C2 server over TCP.(Citation: Check Point Pay2Key November 2020)

Reaver

Some Reaver variants use raw TCP for C2.(Citation: Palo Alto Reaver Nov 2017)

SombRAT

SombRAT has the ability to use TCP sockets to send data and ICMP to ping the C2 server.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)

Samurai

Samurai can use a proxy module to forward TCP packets to external hosts.(Citation: Kaspersky ToddyCat June 2022)

During C0021, the threat actors used TCP for some C2 communications.(Citation: FireEye APT29 Nov 2018)

ToddyCat

ToddyCat has used a passive backdoor that receives commands with UDP packets.(Citation: Kaspersky ToddyCat Check Logs October 2023)

PipeMon

The PipeMon communication module can use a custom protocol based on TLS over TCP.(Citation: ESET PipeMon May 2020)

Bandook

Bandook has a command built in to use a raw TCP socket.(Citation: CheckPoint Bandook Nov 2020)

QuasarRAT

QuasarRAT can use TCP for C2 communication.(Citation: CISA AR18-352A Quasar RAT December 2018)

APT29

APT29 has used TCP for C2 communications.(Citation: FireEye APT29 Nov 2018)

KV Botnet Activity command and control traffic uses a non-standard, likely custom protocol for communication.(Citation: Lumen KVBotnet 2023)

gh0st RAT

gh0st RAT has used an encrypted protocol within TCP segments to communicate with the C2.(Citation: Gh0stRAT ATT March 2019)

ShadowPad

ShadowPad has used UDP for C2 communications.(Citation: Kaspersky ShadowPad Aug 2017)

SDBbot

SDBbot has the ability to communicate with C2 with TCP over port 443.(Citation: Proofpoint TA505 October 2019)

PingPull

PingPull variants have the ability to communicate with C2 servers using ICMP or TCP.(Citation: Unit 42 PingPull Jun 2022)

Carbon

Carbon uses TCP and UDP for C2.(Citation: ESET Carbon Mar 2017)

RainyDay

RainyDay can use TCP in C2 communications.(Citation: Bitdefender Naikon April 2021)

NETEAGLE

If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs.(Citation: FireEye APT30)

LookBack

LookBack uses a custom binary protocol over sockets for C2 communications.(Citation: Proofpoint LookBack Malware Aug 2019)

Bisonal

Bisonal has used raw sockets for network communication.(Citation: Talos Bisonal Mar 2020)

QakBot

QakBot has the ability to use TCP to send or receive C2 packets.(Citation: Kaspersky QakBot September 2021)

Cuckoo Stealer

Cuckoo Stealer can use sockets for communications to its C2 server.(Citation: Kandji Cuckoo April 2024)

RotaJakiro

RotaJakiro uses a custom binary protocol using a type, length, value format over TCP.(Citation: netlab360 rotajakiro vs oceanlotus)

LunarMail

LunarMail can ping a specific C2 URL with the ID of a victim machine in the subdomain.(Citation: ESET Turla Lunar toolset May 2024)

BUBBLEWRAP

BUBBLEWRAP can communicate using SOCKS.(Citation: FireEye admin@338)

SnappyTCP

SnappyTCP spawns a reverse TCP shell following an HTTP-based negotiation.(Citation: PWC Sea Turtle 2023)

Umbreon

Umbreon provides access to the system via SSH or any other protocol that uses PAM to authenticate.(Citation: Umbreon Trend Micro)

Derusbi

Derusbi binds to a raw socket on a random source port between 31800 and 31900 for C2.(Citation: Fidelis Turbo)

Metador

Metador has used TCP for C2.(Citation: SentinelLabs Metador Sept 2022)

PLATINUM

PLATINUM has used the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel for command and control.(Citation: Microsoft PLATINUM June 2017)

Cobalt Strike

Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

StealBit

StealBit can use the Windows Socket networking library to communicate with attacker-controlled endpoints.(Citation: Cybereason StealBit Exfiltration Tool)

RCSession

RCSession has the ability to use TCP and UDP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)

During Operation Wocao, threat actors used a custom protocol for command and control.(Citation: FoxIT Wocao December 2019)

Penquin

The Penquin C2 mechanism is based on TCP and UDP packets.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)

Mis-Type

Mis-Type network traffic can communicate over a raw socket.(Citation: Cylance Dust Storm)

WarzoneRAT

WarzoneRAT can communicate with its C2 server via TCP over port 5200.(Citation: Check Point Warzone Feb 2020)

Brute Ratel C4

Brute Ratel C4 has the ability to use TCP for external C2.(Citation: Palo Alto Brute Ratel July 2022)

Crimson

Crimson uses a custom TCP protocol for C2.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

FIN6

FIN6 has used Metasploit Bind and Reverse TCP stagers.(Citation: Trend Micro FIN6 October 2019)

BackdoorDiplomacy

BackdoorDiplomacy has used EarthWorm for network tunneling with a SOCKS5 server and port transfer functionalities.(Citation: ESET BackdoorDiplomacy Jun 2021)

Royal

Royal establishes a TCP socket for C2 communication using the API `WSASocketW`.(Citation: Cybereason Royal December 2022)

Spica

Spica can use JSON over WebSockets for C2 communications.(Citation: Google TAG COLDRIVER January 2024)

Cryptoistic

Cryptoistic can use TCP in communications with C2.(Citation: SentinelOne Lazarus macOS July 2020)

APT3

An APT3 downloader establishes SOCKS5 connections for its initial C2.(Citation: FireEye Operation Double Tap)

Regin

The Regin malware platform can use ICMP to communicate between infected computers.(Citation: Kaspersky Regin)

BITTER

BITTER has used TCP for C2 communications.(Citation: Forcepoint BITTER Pakistan Oct 2016)

reGeorg

reGeorg can tunnel TCP sessions into targeted networks.(Citation: Fortinet reGeorg MAR 2019)

Versa Director Zero Day Exploitation used a non-standard TCP session to initialize communication prior to establishing HTTPS command and control.(Citation: Lumen Versa 2024)

KEYPLUG

KEYPLUG can use TCP and KCP (KERN Communications Protocol) over UDP for C2 communication.(Citation: Mandiant APT41)

NETWIRE

NETWIRE can use TCP in C2 communications.(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE April 2020)

HAFNIUM

HAFNIUM has used TCP for C2.(Citation: Microsoft HAFNIUM March 2020)

FunnyDream

FunnyDream can communicate with C2 over TCP and UDP.(Citation: Bitdefender FunnyDream Campaign November 2020)

PHOREAL

PHOREAL communicates via ICMP for C2.(Citation: FireEye APT32 May 2017)

SUGARUSH

SUGARUSH has used TCP for C2.(Citation: Mandiant UNC3890 Aug 2022)

Taidoor

Taidoor can use TCP for C2 communications.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

Sardonic

Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol.(Citation: Bitdefender Sardonic Aug 2021)

Mitigations

Mitigation Description
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures. Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as healthcare, finance and government, where compliance requirements demand stringent tracking of user and system activities.

This mitigation can be implemented through the following measures:

System Audit:
- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies.
- Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:
- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation.
- Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:
- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector.
- Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:
- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA).
- Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:
- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections.
- Implementation: Utilize tools such as Wireshark or Zeek to monitor and log suspicious network behavior.

Filter Network Traffic

Employ network appliances and endpoint software to filter ingress, egress, and lateral network traffic. This includes protocol-based filtering, enforcing firewall rules, and blocking or restricting traffic based on predefined conditions to limit adversary movement and data exfiltration.

This mitigation can be implemented through the following measures:

Ingress Traffic Filtering:
- Use Case: Configure network firewalls to allow traffic only from authorized IP addresses to public-facing servers.
- Implementation: Limit SSH (port 22) and RDP (port 3389) traffic to specific IP ranges.

Egress Traffic Filtering:
- Use Case: Use firewalls or endpoint security software to block unauthorized outbound traffic to prevent data exfiltration and command-and-control (C2) communications.
- Implementation: Block outbound traffic to known malicious IPs or regions where communication is unexpected.

Protocol-Based Filtering:
- Use Case: Restrict the use of specific protocols that are commonly abused by adversaries, such as SMB, RPC, or Telnet, based on business needs.
- Implementation: Disable SMBv1 on endpoints to prevent exploits like EternalBlue.

Network Segmentation:
- Use Case: Create network segments for critical systems and restrict communication between segments unless explicitly authorized.
- Implementation: Implement VLANs to isolate IoT devices or guest networks from core business systems.

Application Layer Filtering:
- Use Case: Use proxy servers or Web Application Firewalls (WAFs) to inspect and block malicious HTTP/S traffic.
- Implementation: Configure a WAF to block SQL injection attempts or other web application exploitation techniques.

Standard Non-Application Layer Protocol Mitigation

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

Network Segmentation

Network segmentation involves dividing a network into smaller, isolated segments to control and limit the flow of traffic between devices, systems, and applications. By segmenting networks, organizations can reduce the attack surface, restrict lateral movement by adversaries, and protect critical assets from compromise. Effective network segmentation leverages a combination of physical boundaries, logical separation through VLANs, and access control policies enforced by network appliances like firewalls, routers, and cloud-based configurations.

This mitigation can be implemented through the following measures:

Segment Critical Systems:
- Identify and group systems based on their function, sensitivity, and risk. Examples include payment systems, HR databases, production systems, and internet-facing servers.
- Use VLANs, firewalls, or routers to enforce logical separation.

Implement DMZ for Public-Facing Services:
- Host web servers, DNS servers, and email servers in a DMZ to limit their access to internal systems.
- Apply strict firewall rules to filter traffic between the DMZ and internal networks.

Use Cloud-Based Segmentation:
- In cloud environments, use VPCs, subnets, and security groups to isolate applications and enforce traffic rules.
- Apply AWS Transit Gateway or Azure VNet peering for controlled connectivity between cloud segments.

Apply Microsegmentation for Workloads:
- Use software-defined networking (SDN) tools to implement workload-level segmentation and prevent lateral movement.

Restrict Traffic with ACLs and Firewalls:
- Apply Access Control Lists (ACLs) to network devices to enforce "deny by default" policies.
- Use firewalls to restrict both north-south (external-internal) and east-west (internal-internal) traffic.

Monitor and Audit Segmented Networks:
- Regularly review firewall rules, ACLs, and segmentation policies.
- Monitor network flows for anomalies to ensure segmentation is effective.

Test Segmentation Effectiveness:
- Perform periodic penetration tests to verify that unauthorized access is blocked between network segments.
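The Filter Network Traffic, Standard Non-Application Layer Protocol Mitigation and Network Segmentation entries above all come down to one control: a deny-by-default policy under which hosts reach the outside only through approved gateways and only over authorized protocols, with anything else (raw ICMP from a workstation, direct TCP to an internet address, an unexpected UDP port) dropped and logged. The following Python model of such a policy is an added example, not code from the technique page or from MITRE; the address ranges, the rules and the sample connections are constructed, and the policy illustrates the shape of such a ruleset rather than recommending one for any real network.

```python
"""Deny-by-default egress policy model for the T1095 mitigations.

Added example, not from the technique page or from MITRE. The address ranges,
rules and connections are constructed; the policy shows the shape of such a
ruleset and is not a recommendation for any real network.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                # CIDR the source must fall in
    proto: str              # "tcp", "udp", "icmp" or "any"
    dport: Optional[range]  # None for protocols without ports
    dst: str = "0.0.0.0/0"  # CIDR the destination must fall in
    action: str = "allow"


@dataclass(frozen=True)
class Conn:
    src_ip: str
    dst_ip: str
    proto: str
    dport: Optional[int] = None


# Constructed address plan (assumption).
INTERNAL = "10.0.0.0/8"
MONITORING = "10.10.0.0/24"   # the only hosts allowed to ping outwards
PROXY = "10.1.1.10/32"        # the only host allowed direct web egress
RESOLVER = "10.1.1.53/32"

# Ordered rules, first match wins; anything unmatched is denied.
POLICY = [
    Rule("dns-to-resolver", INTERNAL, "udp", range(53, 54), RESOLVER),
    Rule("web-via-proxy", INTERNAL, "tcp", range(3128, 3129), PROXY),
    Rule("monitoring-icmp", MONITORING, "icmp", None),
    Rule("proxy-egress", PROXY, "tcp", range(443, 444)),
    # Explicit so that workstation ICMP is logged under its own rule name.
    Rule("block-icmp", INTERNAL, "icmp", None, action="deny"),
]


def matches(rule: Rule, conn: Conn) -> bool:
    """Protocol, destination port and both address ranges must all match."""
    if rule.proto != "any" and rule.proto != conn.proto:
        return False
    if rule.dport is not None and (conn.dport is None or conn.dport not in rule.dport):
        return False
    return (ipaddress.ip_address(conn.src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(conn.dst_ip) in ipaddress.ip_network(rule.dst))


def decide(conn: Conn, policy: Optional[list] = None) -> tuple:
    """Return (action, rule name); the implicit last rule is default-deny."""
    for rule in POLICY if policy is None else policy:
        if matches(rule, conn):
            return rule.action, rule.name
    return "deny", "default-deny"


# Constructed connections: a workstation (10.2.3.4), a monitoring host and the proxy.
SAMPLE_CONNS = {
    "ws-dns": Conn("10.2.3.4", "10.1.1.53", "udp", 53),
    "ws-via-proxy": Conn("10.2.3.4", "10.1.1.10", "tcp", 3128),
    "ws-direct-https": Conn("10.2.3.4", "203.0.113.7", "tcp", 443),
    "ws-icmp-out": Conn("10.2.3.4", "203.0.113.7", "icmp"),
    "ws-udp-6000": Conn("10.2.3.4", "203.0.113.7", "udp", 6000),
    "monitor-icmp": Conn("10.10.0.5", "203.0.113.7", "icmp"),
    "proxy-https": Conn("10.1.1.10", "203.0.113.7", "tcp", 443),
}


def evaluate_samples() -> dict:
    """Verdict per constructed connection as {name: (action, rule name)}."""
    return {name: decide(conn) for name, conn in SAMPLE_CONNS.items()}


if __name__ == "__main__":
    for name, (action, rule) in evaluate_samples().items():
        print(f"{name:16} {action:5} ({rule})")
```

Rules are evaluated in order and the first match wins, so the two allow rules for the proxy and the monitoring subnet sit above the explicit ICMP block, and anything that no rule names falls through to the implicit default-deny. The point of the model is the verdict on the three workstation connections to 203.0.113.7: direct HTTPS, outbound ICMP and UDP/6000 are all denied even though each of them is a perfectly ordinary protocol, because none of them goes through an authorized gateway.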

Detection

Analyze network traffic for ICMP messages or other protocols that contain abnormal data or are not normally seen within or exiting the network.(Citation: Cisco Blog Legacy Device Attacks) Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2) Monitor and investigate API calls to functions associated with enabling and/or utilizing alternative communication channels.
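The technique description notes that ICMP is rarely monitored, and the Detection text above asks for three things: ICMP messages carrying abnormal data, uncommon data flows such as a client sending far more than it receives, and traffic that does not follow the protocol expected on its port. The Python script below is an added example (not from the technique page or from MITRE) that applies those three checks to constructed packet and flow records. The two filler patterns it treats as a stock ping, the entropy and volume thresholds, and the sample records are all assumptions made for illustration.

```python
"""Heuristics for spotting non-application-layer C2 traffic (ATT&CK T1095).

Added example, not from the technique page or from MITRE. Every packet and
flow record below is constructed, and all thresholds and "stock ping"
patterns are assumptions made for illustration.
"""
import hashlib
import math
from collections import Counter
from dataclasses import dataclass

# Assumption: the 32-byte filler that the Windows ping utility sends.
WINDOWS_PING_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_stock_ping(payload: bytes) -> bool:
    """True when the echo payload is a filler a stock ping tool would send.

    Assumption: Unix-style ping places an 8-byte timestamp first and fills
    the rest with consecutively incrementing byte values.
    """
    if payload == WINDOWS_PING_FILLER:
        return True
    body = payload[8:]
    if len(body) < 2:
        return False
    return all(body[i + 1] == body[i] + 1 for i in range(len(body) - 1))


def icmp_echo_findings(payload: bytes, entropy_threshold: float = 6.0) -> list:
    """Reasons an ICMP echo payload deserves a look; an empty list means benign."""
    if looks_like_stock_ping(payload):
        return []
    findings = ["payload does not match a stock ping filler"]
    if len(payload) > 64:
        findings.append(f"unusually large payload ({len(payload)} bytes)")
    if shannon_entropy(payload) > entropy_threshold:
        findings.append("high-entropy payload (possible encrypted tunnel)")
    return findings


@dataclass
class Flow:
    src: str
    dst: str
    proto: str                # "tcp" or "udp"
    dport: int
    bytes_out: int            # client -> server
    bytes_in: int             # server -> client
    first_bytes: bytes = b""  # first bytes the client sent on the connection


def flow_findings(flow: Flow, ratio: float = 5.0, min_bytes: int = 100_000) -> list:
    """Uncommon data flows and port/protocol mismatches from the Detection text."""
    findings = []
    # Normal client/server traffic pulls more than it pushes; the inverse,
    # at volume, is the "client sending significantly more" case.
    if flow.bytes_out >= min_bytes and flow.bytes_out > ratio * max(flow.bytes_in, 1):
        findings.append(f"client sent {flow.bytes_out} bytes but received only {flow.bytes_in}")
    # tcp/443 should open with a TLS record header: content type 0x16, version 0x03xx.
    if flow.proto == "tcp" and flow.dport == 443:
        hdr = flow.first_bytes[:3]
        if not (len(hdr) == 3 and hdr[0] == 0x16 and hdr[1] == 0x03):
            findings.append("tcp/443 traffic does not begin with a TLS handshake")
    return findings


# Constructed samples: two stock ping payloads, a short plaintext payload, and
# 256 bytes of SHA-256 output standing in for an encrypted tunnel payload.
SAMPLE_ICMP = {
    "windows-ping": WINDOWS_PING_FILLER,
    "unix-ping": bytes(8) + bytes(range(0x10, 0x40)),
    "text-payload": bytes(8) + b"hello-not-a-ping",
    "encrypted-tunnel": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)),
}
SAMPLE_FLOWS = {
    "normal-https": Flow("10.2.3.4", "203.0.113.7", "tcp", 443, 4_000, 250_000, b"\x16\x03\x01\x02\x00"),
    "raw-tcp-443": Flow("10.2.3.4", "203.0.113.8", "tcp", 443, 2_000, 50_000, b"\x01\x00\x00\x10"),
    "udp-upload": Flow("10.2.3.4", "203.0.113.9", "udp", 6000, 900_000, 12_000),
}


def run_samples() -> dict:
    """Findings per constructed sample; an empty list means nothing was flagged."""
    results = {name: icmp_echo_findings(p) for name, p in SAMPLE_ICMP.items()}
    results.update({name: flow_findings(f) for name, f in SAMPLE_FLOWS.items()})
    return results


if __name__ == "__main__":
    for name, findings in run_samples().items():
        print(f"{name:17} {'OK' if not findings else '; '.join(findings)}")
```

Run as a script it prints one verdict per sample. In practice the ICMP check is applied to echo payloads decoded from a capture and the flow check to connection logs, and the stock-filler patterns should be extended with whatever monitoring tools in the environment actually emit, since every legitimate ping implementation that is not listed will show up as a finding.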

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  3. Wikipedia. (n.d.). List of network protocols (OSI model). Retrieved December 4, 2014.
  4. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  5. Microsoft. (n.d.). Internet Control Message Protocol (ICMP) Basics. Retrieved December 1, 2014.
  6. Graham Holmes. (2015, October 8). Evolution of attacks on Cisco IOS devices. Retrieved October 19, 2020.
  7. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  8. Alexander Marvi, Brad Slaybaugh, Ron Craft, and Rufus Brown. (2023, June 13). VMware ESXi Zero-Day Used by Chinese Espionage Actor to Perform Privileged Guest Operations on Compromised Hypervisors. Retrieved March 26, 2025.
  9. fatedier. (n.d.). What is frp? Retrieved July 10, 2024.
  10. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  11. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  12. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  13. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  14. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  15. M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  16. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  17. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  18. Hartrell, Greg. (2002, August). Get a handle on cd00r: The invisible backdoor. Retrieved October 13, 2018.
  19. Black Lotus Labs. (2025, January 23). The J-Magic Show: Magic Packets and Where to find them. Retrieved February 17, 2025.
  20. Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
  21. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  22. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  23. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  24. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  25. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  26. Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Retrieved March 1, 2024.
  27. L-Codes. (2019). Neo-reGeorg. Retrieved December 4, 2024.
  28. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  29. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  30. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  31. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  32. Insikt Group. (2025, January 9). Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain. Retrieved January 14, 2025.
  33. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  34. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  35. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  36. Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
  37. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  38. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  39. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  40. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  41. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  42. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  43. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  44. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  45. Alex Marvi, Greg Blaum, and Ron Craft. (2023, June 28). Detection, Containment, and Hardening Opportunities for Privileged Guest Operations, Anomalous Behavior, and VMCI Backdoors on Compromised VMware Hosts. Retrieved March 26, 2025.
  46. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  47. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  48. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  49. Thomas, C. (n.d.). Mythc Documentation. Retrieved March 25, 2022.
  50. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  51. Mandiant. (2022, May 2). UNC3524: Eye Spy on Your Email. Retrieved August 17, 2023.
  52. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
  53. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  54. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  55. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  56. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  57. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  58. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  59. Black Lotus Labs. (2023, December 13). Routers Roasting On An Open Firewall: The KV-Botnet Investigation. Retrieved June 10, 2024.
  60. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  61. Broadcom. (2025, March 24). Configure Virtual Machine Communication Interface Firewall. Retrieved March 31, 2025.
  62. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  63. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  64. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  65. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  66. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  67. Raggi, M. and Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  68. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  69. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  70. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  71. Alex Turing. (2021, May 6). RotaJakiro, the Linux version of the OceanLotus. Retrieved June 14, 2023.
  72. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  73. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  74. PwC Threat Intelligence. (2023, December 5). The Tortoise and The Malware. Retrieved November 20, 2024.
  75. Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.
  76. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  77. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  78. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  79. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  80. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
  81. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  82. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  83. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  84. Baumgartner, K. and Raiu, C. (2014, December 8). The ‘Penquin’ Turla. Retrieved March 11, 2021.
  85. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  86. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  87. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  88. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  89. Chen, J. (2019, October 10). Magecart Card Skimmers Injected Into Online Shops. Retrieved September 9, 2020.
  90. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  91. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  92. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
  93. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  94. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  95. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  96. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  97. FortiGard Labs. (2019, March 12). ReGeorg.HTTP.Tunnel. Retrieved December 3, 2024.
  98. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.
  99. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  100. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
  101. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  102. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
  103. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  104. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  105. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  106. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.